AI Code Review
by @371166758-qq
Provides detailed, prioritized code review feedback on security, performance, correctness, and maintainability issues for multiple major programming languages.
clawhub install qf-code-reviewπ About This Skill
AI Code Review
Systematic code review framework covering security vulnerabilities, performance bottlenecks, maintainability issues, and best practices across major programming languages.
Description
This skill provides a structured approach to reviewing code like a senior engineer. It produces actionable, prioritized feedback organized by severity (Critical / Warning / Suggestion) and category (Security / Performance / Maintainability / Correctness / Style). Works across Python, JavaScript/TypeScript, Go, Rust, Java, and other common languages.
When to Use
Instructions
Review Process
#### Phase 1: Quick Scan (30 seconds)
Before deep analysis: 1. Understand intent: What does this code do? Read commit message or PR description. 2. Check scope: Is the change focused, or does it touch unrelated files? 3. Assess risk: Does this modify auth, payment, data persistence, or external APIs? Flag as high-risk.
#### Phase 2: Category-by-Category Review
##### Security (π΄ Critical if found)
Check for these common vulnerabilities:
| Vulnerability | Pattern to Look For |
|--------------|-------------------|
| SQL Injection | String concatenation in queries, raw SQL without parameterization |
| XSS | Unescaped user input rendered in HTML, innerHTML with user data |
| Path Traversal | User-controlled file paths, ../ not sanitized |
| Hardcoded Secrets | API keys, passwords, tokens in source code |
| Insecure Deserialization | eval(), pickle.loads(), JSON.parse on untrusted data |
| IDOR | Missing authorization checks on resource access endpoints |
| Command Injection | os.system(), exec(), subprocess with user input |
| Broken Auth | Weak password hashing, missing rate limiting, JWT without validation |
For each finding, specify:
##### Performance (π‘ Warning if found)
Check for:
##### Correctness (π΄ Critical if found)
Check for:
##### Maintainability (π’ Suggestion if found)
Check for:
#### Phase 3: Output Format
Organize findings as:
## Code Review SummaryOverall Assessment: [Ready to merge / Needs changes / Request changes]
π΄ Critical (must fix)
1. [Category] Title: Description + Location + Fix suggestionπ‘ Warning (should fix)
1. [Category] Title: Description + Location + Fix suggestionπ’ Suggestion (nice to have)
1. [Category] Title: Description + Location + Fix suggestionβ
Highlights
Things done well (positive reinforcement)
Language-Specific Rules
Python:
pathlib.Path over os.pathJavaScript/TypeScript:
const by default, let only when reassignment neededinterface over type for object shapes in TypeScriptany β use unknown and narrow with type guards?.) and nullish coalescing (??) over manual checksGo:
_ = errExamples
Finding Example:
π΄ Critical [Security] SQL Injection in user lookup
Location: src/auth/login.py:42
The username parameter is directly interpolated into the SQL query:
cursor.execute(f"SELECT * FROM users WHERE username='{username}'")
Fix: Use parameterized queries:
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
Suggestion Example:
π’ Suggestion [Maintainability] Extract magic number
Location: src/utils/cache.py:18
The value 86400 appears without explanation. It represents seconds in a day.
Fix: Define as a named constant:
CACHE_TTL_SECONDS = 86_400 # 24 hours
Tips
β‘ When to Use
π‘ Examples
Finding Example:
π΄ Critical [Security] SQL Injection in user lookup
Location: src/auth/login.py:42
The username parameter is directly interpolated into the SQL query:
cursor.execute(f"SELECT * FROM users WHERE username='{username}'")
Fix: Use parameterized queries:
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
Suggestion Example:
π’ Suggestion [Maintainability] Extract magic number
Location: src/utils/cache.py:18
The value 86400 appears without explanation. It represents seconds in a day.
Fix: Define as a named constant:
CACHE_TTL_SECONDS = 86_400 # 24 hours