skyfom-code-reviewer
npx machina-cli add skill SkyfomLabs/skyfom-claude-orchestration/skyfom-code-reviewer --openclaw
Skyfom Code Reviewer
Senior code reviewer for comprehensive quality, security, and readability analysis.
Role
- Bug detection (logic errors, null handling, race conditions)
- Security review (OWASP Top 10, injection, XSS)
- Performance analysis (N+1 queries, memory leaks)
- Code quality (readability, complexity, patterns)
- Generate fix suggestions with learning resources
Review Scope
| Category | Focus |
|---|---|
| P0 Security | SQL injection, XSS, hardcoded secrets, auth bypass |
| P1 Bugs | Null/undefined, logic errors, race conditions |
| P1 Performance | N+1 queries, missing indexes, inefficient algorithms |
| P2 Quality | Complexity >10, deep nesting, code smells |
| P3 Style | Naming, comments, minor optimizations |
Supported Languages
TypeScript, JavaScript, Rust, Python, Go, Swift, Kotlin, SQL
Workflow
See workflows/review-loop.md for detailed steps.
Quick Workflow
- Fetch PR changes: gh pr diff <number>
- Analyze each changed file
- Detect issues by severity (P0-P3)
- Generate fixes with learning resources
- Approve (clean) or Request Changes (P0-P1 found)
- Create Beads tickets for P0-P1 issues
- Loop until clean (max 50 iterations)
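The Quick Workflow above, as an added example that is not part of the skill's own code: a small TypeScript reviewer that parses `gh pr diff` output, numbers the added lines in the post-change file, runs a few heuristic P0/P1 checks over those lines only, and decides between Approve and Request Changes, printing the result in the Review Output Format used on this page. The checks, the regular expressions and the sample diff are constructed for illustration (the file names and line numbers mirror the page's own examples).

```typescript
// Added example (not the skill's own code): a minimal reviewer over `gh pr diff`
// output. It numbers added lines in the post-change file, runs heuristic P0/P1
// checks, and decides Approve vs Request Changes as the Quick Workflow describes.
// Patterns and the sample diff below are constructed; file names mirror the page.

type Severity = "P0" | "P1" | "P2" | "P3";
interface Finding { severity: Severity; title: string; file: string; line: number; fix: string }
interface Review { status: "Approved" | "Changes Required"; counts: Record<Severity, number>; findings: Finding[] }

// Single-line heuristics, kept narrow on purpose: a noisy reviewer gets ignored.
const LINE_CHECKS: { severity: Severity; title: string; pattern: RegExp; fix: string }[] = [
  { severity: "P0", title: "XSS Vulnerability", pattern: /dangerouslySetInnerHTML/,
    fix: "Render as text; sanitize with a vetted library only if markup is required" },
  { severity: "P0", title: "SQL Injection",
    pattern: /\b(select|insert|update|delete)\b[^;]*(\$\{|["'`]\s*\+\s*\w)/i,
    fix: "Use parameterized queries; never interpolate or concatenate input into SQL" },
  { severity: "P0", title: "Hardcoded Secret",
    pattern: /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["'][^"']{8,}["']/i,
    fix: "Load from env or a secrets manager, and rotate the committed value" },
];
const LOOP_START = /^\s*for\s*\(|\.forEach\(/;
const AWAITED_QUERY = /\bawait\b.*\.(query|find\w*|select|execute)\(/;
const HUNK_HEADER = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/;

function reviewDiff(diff: string): Review {
  const findings: Finding[] = [];
  let file = "";
  let newLine = 0;                        // next line number in the post-change file
  let loopIndent: number | null = null;   // indentation of the innermost open loop

  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = HUNK_HEADER.exec(raw);
    if (hunk) { newLine = parseInt(hunk[1], 10); loopIndent = null; continue; }
    // Only context (' ') and added ('+') lines exist in the new file; skip '-' and metadata.
    if (!raw.startsWith(" ") && !raw.startsWith("+")) continue;
    const added = raw.startsWith("+");
    const content = raw.slice(1);
    const indent = content.search(/\S|$/);   // leading whitespace width

    // Track loops across context and added lines, so an await added inside an
    // existing loop (whose header is only diff context) is still caught.
    if (loopIndent !== null && indent <= loopIndent && content.trim().startsWith("}")) loopIndent = null;
    if (loopIndent === null && LOOP_START.test(content)) loopIndent = indent;

    if (added) {
      for (const c of LINE_CHECKS) {
        if (c.pattern.test(content)) findings.push({ severity: c.severity, title: c.title, file, line: newLine, fix: c.fix });
      }
      if (loopIndent !== null && indent > loopIndent && AWAITED_QUERY.test(content)) {
        findings.push({ severity: "P1", title: "N+1 Query", file, line: newLine,
          fix: "Batch with a JOIN or one IN (...) query issued outside the loop" });
      }
    }
    newLine++;
  }

  const counts: Record<Severity, number> = { P0: 0, P1: 0, P2: 0, P3: 0 };
  for (const f of findings) counts[f.severity]++;
  const status: Review["status"] = counts.P0 + counts.P1 > 0 ? "Changes Required" : "Approved";
  return { status, counts, findings };
}

// Render findings in the Review Output Format used on this page.
function formatReview(pr: number, r: Review): string {
  const out = [`# PR Review: #${pr}`,
    `**Status**: ${r.status === "Approved" ? "✅" : "❌"} ${r.status} | P0=${r.counts.P0} P1=${r.counts.P1} P2=${r.counts.P2}`];
  const blockers = r.findings.filter((f) => f.severity === "P0" || f.severity === "P1");
  if (blockers.length) out.push("## Blockers (P0-P1)");
  for (const f of blockers) out.push(`### ${f.severity}: ${f.title}`, `**File**: \`${f.file}:${f.line}\``, `**Fix**: ${f.fix}`);
  out.push(blockers.length ? "**Actions**: Fix P0-P1 before merge" : "**Actions**: None, ready to merge");
  return out.join("\n");
}

// Constructed `gh pr diff` output: an XSS sink, a query interpolating user data inside a
// loop, and a committed key. Backticks and ${} in the diff body are escaped for the literal.
const SAMPLE_DIFF = `diff --git a/src/Comment.tsx b/src/Comment.tsx
--- a/src/Comment.tsx
+++ b/src/Comment.tsx
@@ -43,5 +43,5 @@ export function Comment({ comment }: Props) {
   return (
     <article>
-      <div>{comment}</div>
+      <div dangerouslySetInnerHTML={{ __html: comment }} />
     </article>
   );
diff --git a/src/user.service.ts b/src/user.service.ts
--- a/src/user.service.ts
+++ b/src/user.service.ts
@@ -87,6 +87,8 @@ export class UserService {
   async loadOrders(users: User[]) {
     for (const user of users) {
-      user.orders = cache.get(user.id);
+      user.orders = await this.db.query(\`SELECT * FROM orders WHERE user_id = \${user.id}\`);
     }
+    const API_KEY = "sk_live_0123456789abcdef";
+    return API_KEY;
   }
 }
`;

console.log(formatReview(1234, reviewDiff(SAMPLE_DIFF)));
```

Heuristics like these are a first pass, not a verdict: the SQL check keys on interpolation or concatenation following a SQL keyword on the same line and misses queries assembled across several statements, and the N+1 check only sees loops whose header appears in the diff. They are useful for routing a PR to Request Changes quickly; the actual review still reads the code.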
Review Output Format
# PR Review: #<number>
**Status**: ❌ Changes Required | P0=1 P1=2 P2=3
## Blockers (P0-P1)
### P0: XSS Vulnerability
**File**: `Comment.tsx:45`
**Issue**: Unsafe HTML rendering
**Fix**:
```diff
- <div dangerouslySetInnerHTML={{ __html: comment }} />
+ <div>{comment}</div>
```
**Learn**: [OWASP XSS](https://owasp.org/www-community/attacks/xss/)
**Ticket**: [bd-xxx](bd://bd-xxx)
### P1: N+1 Query
**File**: `user.service.ts:89`
**Issue**: Loading orders in loop
**Fix**: Use JOIN or batch query
**Ticket**: [bd-yyy](bd://bd-yyy)
## Improvements (P2-P3)
- P2: Missing tests in `discount.ts`
- P3: Complex function in `validator.ts:34` (complexity 12)
**Actions**: Fix P0-P1 before merge
Common Issues Library
See reference/common-issues.md for full list.
Security (P0)
- SQL injection → Use parameterized queries; never build SQL by concatenating or interpolating user input
- XSS → Encode output for the context it lands in (HTML body, attribute, URL, script); render untrusted content as text, and sanitize with a vetted library only where HTML markup is genuinely required
- Hardcoded secrets → Load from env variables or a secrets manager, and rotate the committed value (deleting it from the code does not remove it from git history)
Performance (P1)
- N+1 queries → Use JOINs or batch queries
- Missing indexes → Add indexes on columns used in WHERE, JOIN and ORDER BY clauses, after confirming the query plan actually uses them
- SELECT * → Select only needed columns
Quality (P2)
- Complexity >10 → Extract functions
- Deep nesting >3 → Use early returns
- Magic numbers → Extract constants
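The SQL injection and N+1 entries of the library above, as an added example that is not part of the skill's own code: each issue is shown as found and as fixed, against a constructed recording client that captures what would be sent to the database, so the difference is observable without a real database. The `$1` placeholders and `ANY($1)` are PostgreSQL syntax and are assumed here; the payload and order rows are constructed.

```typescript
// Added example (not the skill's own code): the SQL injection and N+1 fixes from
// the library above, shown against a constructed recording client that captures
// what would be sent to the database. Nothing here talks to a real database.

interface SentQuery { text: string; values: unknown[] }
interface OrderRow { id: number; user_id: string; total: number }

// Stand-in for a pg-style client: records (text, values) instead of executing.
// Real drivers ship the two separately, so a bound value can never alter the SQL.
class RecordingClient {
  readonly sent: SentQuery[] = [];
  query(text: string, values: unknown[] = []): SentQuery {
    const q: SentQuery = { text, values };
    this.sent.push(q);
    return q;
  }
}

// P0 as found: the caller-controlled id is spliced into the SQL text.
function findUserUnsafe(db: RecordingClient, id: string): SentQuery {
  return db.query(`SELECT id, email FROM users WHERE id = '${id}'`);
}

// P0 fix: constant SQL text; the id travels as a bound parameter ($1, PostgreSQL style).
function findUserSafe(db: RecordingClient, id: string): SentQuery {
  return db.query("SELECT id, email FROM users WHERE id = $1", [id]);
}

// P1 as found: one round trip per user (N queries for N users).
function loadOrdersNPlusOne(db: RecordingClient, userIds: string[]): number {
  for (const id of userIds) db.query("SELECT * FROM orders WHERE user_id = $1", [id]);
  return db.sent.length;
}

// P1 fix: a single parameterized set query. Rows come back flat and must be
// regrouped in memory, which is the step that gets forgotten when the loop goes.
function loadOrdersBatched(db: RecordingClient, userIds: string[]): number {
  db.query("SELECT * FROM orders WHERE user_id = ANY($1)", [userIds]);
  return db.sent.length;
}

function groupByUser(rows: OrderRow[]): Map<string, OrderRow[]> {
  const byUser = new Map<string, OrderRow[]>();
  for (const row of rows) {
    const bucket = byUser.get(row.user_id);
    if (bucket) bucket.push(row); else byUser.set(row.user_id, [row]);
  }
  return byUser;
}

// Classic tautology payload, constructed for the demo.
const PAYLOAD = "1' OR '1'='1";

function demo() {
  const db = new RecordingClient();
  const unsafe = findUserUnsafe(db, PAYLOAD);   // SQL text now contains OR '1'='1'
  const safe = findUserSafe(db, PAYLOAD);       // SQL text unchanged; payload sits in values
  const users = ["u1", "u2", "u3"];
  const nPlusOne = loadOrdersNPlusOne(new RecordingClient(), users);   // 3 queries
  const batched = loadOrdersBatched(new RecordingClient(), users);     // 1 query
  return { unsafeText: unsafe.text, safeText: safe.text, safeValues: safe.values, nPlusOne, batched };
}

console.log(demo());
```

The point the recording client makes visible is what the SQL parser receives: in the unsafe version the payload rewrites the statement, in the fixed version the statement is a constant and the payload is just data. For N+1, the count of `sent` queries is the same signal a reviewer should look for in a query log after the fix.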
GitHub Commands
# View PR
gh pr view <number>
# Get diff
gh pr diff <number> > /tmp/pr.diff
# Request changes
gh pr review <number> --request-changes \
--body "$(cat review-comment.md)"
# Approve
gh pr review <number> --approve \
--body "Code review passed ✅"
Beads Integration
# Create bug ticket for P0-P1
bd create "Security: XSS in Comment" -t bug -p 0 \
-d "Found in PR #<number>..." \
--json
# Link to PR task
bd dep add <bug-id> <pr-task-id> --type discovered-from
Integration
- Triggered by: Developer after implementation
- Loop: Until clean or 50 iterations
- Reports to: Developer with fixes, PM if blocked
- Creates: Bug tickets for P0-P1 issues
Quick Reference
# Review PR
gh pr diff <number>
# ... analyze ...
# If issues found
gh pr review <number> --request-changes --body "..."
bd create "Bug: ..." -t bug -p 0 --json
# If clean
gh pr review <number> --approve --body "✅ Clean"
Success Metrics
- Zero P0 issues in production
- <3 review loops average
- All P0-P1 fixed before merge
- Learning resources provided
- Developer skills improved
Source
https://github.com/SkyfomLabs/skyfom-claude-orchestration/blob/main/skills/skyfom-code-reviewer/SKILL.md
git clone https://github.com/SkyfomLabs/skyfom-claude-orchestration
Overview
Skyfom Code Reviewer provides in-depth analysis of code changes across TS, JS, Rust, Python, Go, Swift, Kotlin, and SQL to detect bugs, readability issues, and security gaps. It flags OWASP Top 10 vulnerabilities, performance problems, and code smells, then proposes fixes with learning resources and can create Beads tickets or block PRs until issues are resolved. It is suited to code reviews, bug detection, and enforcing quality gates and security audits.
How This Skill Works
The reviewer analyzes PR diffs file-by-file, categorizes issues by severity (P0-P3), and generates concrete fixes with learning resources. It integrates with Beads tickets and can block merges for P0-P1 findings, iterating until the codebase meets defined quality gates.
When to Use It
- During PR reviews for multi-language projects across TypeScript, JavaScript, Rust, Python, Go, Swift, Kotlin, and SQL
- Security audits and OWASP Top 10 checks to catch injections, XSS, and misconfigurations
- Bug detection such as null handling, race conditions, and logic errors
- Performance tuning to identify N+1 queries, missing indexes, and memory leaks
- Quality gates before merge to ensure readability, maintainability, and adherence to style guidelines
Quick Start
- Step 1: Fetch PR changes with gh pr diff <number>
- Step 2: Analyze each changed file and classify issues by P0-P3
- Step 3: Generate fixes with learning resources, create Beads tickets for P0-P1, and loop until clean (max 50 iterations)
Best Practices
- Run reviews on every PR affecting multiple languages to maintain consistency
- Prioritize P0-P1 issues and automatically create Beads tickets for tracking
- Provide concrete fixes with learning resources and code examples
- Link fixes to OWASP or language-specific security guidelines
- Keep changes small and well-tested; avoid large, unrelated edits
Example Use Cases
- P0 XSS vulnerability detected in Comment.tsx:45 with unsafe HTML rendering
- P1 N+1 query found in user.service.ts:89 when loading data in a loop
- Hardcoded secrets or credentials discovered in config files
- Missing tests in discount.ts leading to undetected regressions
- Complex function in validator.ts:34 with cyclomatic complexity above 10