Code Review
by @wpank
Systematic code review patterns covering security, performance, maintainability, correctness, and testing — with severity levels, structured feedback guidance, review process, and anti-patterns to avoid. Use when reviewing PRs, establishing review standards, or improving review quality.
clawhub install code-review📖 About This Skill
name: code-review model: reasoning category: testing description: Systematic code review patterns covering security, performance, maintainability, correctness, and testing — with severity levels, structured feedback guidance, review process, and anti-patterns to avoid. Use when reviewing PRs, establishing review standards, or improving review quality. version: 1.0
Code Review Checklist
Thorough, structured approach to reviewing code. Work through each dimension systematically rather than scanning randomly.
Installation
OpenClaw / Moltbot / Clawbot
npx clawhub@latest install code-review
Review Dimensions
| Dimension | Focus | Priority | |-----------|-------|----------| | Security | Vulnerabilities, auth, data exposure | Critical | | Performance | Speed, memory, scalability bottlenecks | High | | Correctness | Logic errors, edge cases, data integrity | High | | Maintainability | Readability, structure, future-proofing | Medium | | Testing | Coverage, quality, reliability of tests | Medium | | Accessibility | WCAG compliance, keyboard nav, screen readers | Medium | | Documentation | Comments, API docs, changelog entries | Low |
Security Checklist
Review every change for these vulnerabilities:
dangerouslySetInnerHTML or equivalent is justified and safePerformance Checklist
Correctness Checklist
Maintainability Checklist
Testing Checklist
Review Process
Work through the code in three passes. Do not try to catch everything in one read.
| Pass | Focus | Time | What to Look For | |------|-------|------|------------------| | First | High-level structure | 2-5 min | Architecture fit, file organization, API design, overall approach | | Second | Line-by-line detail | Bulk | Logic errors, security issues, performance problems, edge cases | | Third | Edge cases & hardening | 5 min | Failure modes, concurrency, boundary values, missing tests |
First Pass (2-5 minutes)
1. Read the PR description and linked issue 2. Scan the file list — does the change scope make sense? 3. Check the overall approach — is this the right solution to the problem? 4. Verify the change does not introduce architectural drift
Second Pass (bulk of review time)
1. Read each file diff top to bottom 2. Check every function change against the checklists above 3. Verify error handling at every I/O boundary 4. Flag anything that makes you pause — trust your instincts
Third Pass (5 minutes)
1. Think about what could go wrong in production 2. Check for missing tests on the code paths you flagged 3. Verify rollback safety — can this change be reverted without data loss? 4. Confirm documentation and changelog are updated if needed
Severity Levels
Classify every comment by severity so the author knows what blocks merge.
| Level | Label | Meaning | Blocks Merge? |
|-------|-------|---------|---------------|
| Critical | [CRITICAL] | Security vulnerability, data loss, or crash in production | Yes |
| Major | [MAJOR] | Bug, logic error, or significant performance regression | Yes |
| Minor | [MINOR] | Improvement that would reduce future maintenance cost | No |
| Nitpick | [NIT] | Style preference, naming suggestion, or trivial cleanup | No |
Always prefix your review comment with the severity label. This removes ambiguity about what matters.
Giving Feedback
Principles
Example Comments
Bad: > This is wrong. Fix it.
Good:
> [MAJOR] This query interpolates user input directly into the SQL string (line 42), which is vulnerable to SQL injection. Consider using a parameterized query:
>
> SELECT * FROM users WHERE id = $1
> Bad: > Why didn't you add tests?
Good:
> [MINOR] The new calculateDiscount() function has a few branching paths — could we add tests for the zero-quantity and negative-price edge cases to prevent regressions?
Bad: > I would have done this differently.
Good:
> [NIT] This works well. An alternative approach could be extracting the retry logic into a shared withRetry() wrapper — but that's optional and could be a follow-up.
Review Anti-Patterns
Avoid these common traps that waste time and damage team trust:
| Anti-Pattern | Description | |--------------|-------------| | Rubber-Stamping | Approving without reading. Creates false confidence and lets bugs through. | | Bikeshedding | Spending 30 minutes debating a variable name while ignoring a race condition. | | Blocking on Style | Refusing to approve over formatting that a linter should enforce automatically. | | Gatekeeping | Requiring your personal preferred approach when the submitted one is correct. | | Drive-by Reviews | Leaving one vague comment and disappearing. Commit to following through. | | Scope Creep Reviews | Requesting unrelated refactors that should be separate PRs. | | Stale Reviews | Letting PRs sit for days. Review within 24 hours or hand off to someone else. | | Emotional Language | "This is terrible" or "obviously wrong." Critique the code, not the person. |
NEVER Do
1. NEVER approve without reading every changed line — rubber-stamping is worse than no review 2. NEVER block a PR solely for style preferences — use a linter; humans review logic 3. NEVER leave feedback without a severity level — ambiguity causes wasted cycles 4. NEVER request changes without explaining why — "fix this" teaches nothing 5. NEVER review more than 400 lines in one sitting — comprehension drops sharply; break large PRs into sessions 6. NEVER skip the security checklist — one missed vulnerability outweighs a hundred style nits 7. NEVER make it personal — review the code, never the coder; assume good intent