code-review by aiskillstore
This skill should be used when the user requests a code review of changed files. Use this to review git-diffed files for security vulnerabilities (OWASP Top 10), performance issues (O(N) complexity, ORM optimization), bugs, and adherence to project coding standards defined in agents.md and claude.md.
Coding
85 Stars
2 Forks
Updated Jan 19, 2026, 04:39 AM
Why Use This
This skill provides specialized capabilities for aiskillstore's codebase.
Use Cases
- Developing new features in the aiskillstore repository
- Refactoring existing code to follow aiskillstore standards
- Understanding and working with aiskillstore's codebase structure
Install Guide
2 steps- 1
Skip this step if Ananke is already installed.
- 2
Skill Snapshot
Auto scan of skill assets. Informational only.
Valid SKILL.md
Checks against SKILL.md specification
Source & Community
Skill Stats
SKILL.md 279 Lines
Total Files 1
Total Size 0 B
License NOASSERTION
---
name: code-review
description: This skill should be used when the user requests a code review of changed files. Use this to review git-diffed files for security vulnerabilities (OWASP Top 10), performance issues (O(N) complexity, ORM optimization), bugs, and adherence to project coding standards defined in agents.md and claude.md.
---
# Code Review Skill
## Purpose
Perform comprehensive code reviews on files that have been modified in the current git working directory. Review code for:
- Security vulnerabilities (OWASP Top 10)
- Performance issues (algorithmic complexity, ORM N+1 queries)
- Logic bugs and unintended behavior
- Adherence to project coding standards
- Code quality and maintainability
## When to Use
Invoke this skill when:
- User explicitly requests code review
- User asks to review changes before committing
- User wants feedback on modified files
- User mentions checking for bugs, security issues, or performance problems
## Code Review Process
### Step 1: Identify Changed Files
Use git plumbing commands to get a list of files that have been modified:
```bash
# Get all files with uncommitted changes (staged and unstaged)
git diff --name-only HEAD
# Alternative: Get only staged files
git diff --cached --name-only
# Alternative: Get files changed in recent commits
git diff --name-only HEAD~1..HEAD
```
Store the list of changed files for systematic review.
### Step 2: Read Project Standards
Before reviewing code, load the project's coding standards to understand expectations:
- **Python/Backend code**: Read `/Users/daviddworetzky/Documents/repos/Geist/docs/agents.md` for agent architecture patterns and best practices
- **General standards**: Read `/Users/daviddworetzky/Documents/repos/Geist/claude.md` (or `CLAUDE.md`) for SQLAlchemy patterns, dependency preferences, SDLC process, and general coding preferences
Key standards to check:
- SQLAlchemy models should follow the pattern in claude.md (proper imports, Base inheritance, relationships)
- Prefer minimal inline implementations over extra dependency imports
- Core libraries are better than PyPI packages
- Models must be added to `scripts/copy_weights.py`
- Classes should inherit from appropriate base classes (e.g., `BaseAgent`)
- Database models should be in `app/models/database/`
### Step 3: Review Each File Systematically
For each changed file, perform the following checks:
#### Security Review (OWASP Top 10)
Check for common security vulnerabilities:
1. **Injection Flaws** (SQL, Command, LDAP, etc.)
- Look for string concatenation in SQL queries
- Check for unsanitized user input in shell commands
- Verify parameterized queries are used with SQLAlchemy
2. **Broken Authentication**
- Check for weak password validation
- Verify proper session management
- Look for exposed credentials or API keys
3. **Sensitive Data Exposure**
- Check for unencrypted sensitive data storage
- Verify HTTPS/TLS usage for data transmission
- Look for logging of sensitive information
4. **XML External Entities (XXE)**
- Check XML parsing for external entity processing
- Verify XML parsers are configured securely
5. **Broken Access Control**
- Check for missing authorization checks
- Verify proper user permission validation
- Look for insecure direct object references
6. **Security Misconfiguration**
- Check for default credentials
- Verify error messages don't expose sensitive info
- Look for overly permissive CORS settings
7. **Cross-Site Scripting (XSS)**
- Check for unescaped user input in templates
- Verify proper output encoding
- Look for dangerous innerHTML usage
8. **Insecure Deserialization**
- Check for pickle/eval usage with untrusted data
- Verify proper input validation
9. **Using Components with Known Vulnerabilities**
- Check for outdated dependencies
- Verify no known vulnerable libraries
10. **Insufficient Logging & Monitoring**
- Check for proper error logging
- Verify security events are logged
#### Performance Review
Check for performance issues:
1. **Algorithmic Complexity**
- Look for nested loops that could be O(N²) or worse
- Check for repeated calculations that could be cached
- Verify efficient data structure usage
2. **ORM Optimization**
- Check for N+1 query problems (missing eager loading)
- Look for queries inside loops
- Verify proper use of `joinedload()` or `selectinload()`
- Check for loading entire tables when only a few fields needed
- Verify proper indexing on foreign keys
3. **Database Issues**
- Look for missing indexes on frequently queried columns
- Check for inefficient WHERE clauses
- Verify proper transaction boundaries
4. **Memory Issues**
- Check for memory leaks (unclosed files, connections)
- Look for loading large datasets into memory
- Verify generators are used for large iterations
#### Logic and Bug Review
Check for logical errors:
1. **Type Safety**
- Verify proper type handling
- Check for None/null handling
- Look for type coercion issues
2. **Error Handling**
- Verify proper exception handling
- Check for caught-but-ignored exceptions
- Look for overly broad exception catches
3. **Business Logic**
- Verify code matches intended behavior
- Check for off-by-one errors
- Look for race conditions or concurrency issues
- Verify proper state management
4. **Edge Cases**
- Check for empty list/array handling
- Verify boundary condition handling
- Look for division by zero possibilities
#### Project Standards Review
Verify adherence to project standards based on file type:
**Python Files:**
- Imports follow the pattern in claude.md
- SQLAlchemy models inherit from Base
- Proper use of relationships and foreign keys
- Models are in correct directory (`app/models/database/`)
- Agent classes inherit from `BaseAgent` or appropriate base class
- Minimal dependencies, prefer core libraries
**General:**
- Code follows existing patterns in the codebase
- Proper documentation and docstrings
- Consistent naming conventions
- Appropriate separation of concerns
### Step 4: Categorize and Report Issues
Categorize issues into severity levels:
**Critical (Fix Immediately):**
- Security vulnerabilities that could lead to data breach or system compromise
- Logic bugs that would cause data corruption or system failure
- Performance issues that would cause severe degradation (e.g., O(N³) in hot path)
- ORM issues causing catastrophic N+1 queries
- Moderate security issues (information disclosure, weak validation)
- Significant performance problems (O(N²) where N could be large)
- Logic bugs that affect core functionality
- Violations of critical project standards
**Recommended (Prompt for Approval):**
- Minor performance improvements
- Code style issues
- Non-critical standard violations
- Suggestions for better maintainability
### Step 5: Take Action
**For Critical and Important Issues:**
1. Fix the issue immediately
2. Explain what was wrong and why it was fixed
3. Show the before/after code
4. Reference relevant standards or security principles
**For Recommended Issues:**
1. List the issues clearly
2. Explain the potential benefit of fixing
3. Ask user if they want these fixed
4. Let user decide priority
## Example Review Output
When presenting findings, use this format:
```
## Code Review Results
### Files Reviewed
- app/services/user_service.py
- app/models/database/user.py
### Critical Issues Fixed
#### 1. SQL Injection in user_service.py:42
**Issue:** Raw string concatenation in SQL query allows SQL injection
**Before:**
```python
query = f"SELECT * FROM users WHERE email = '{email}'"
```
**After:**
```python
query = session.query(User).filter(User.email == email)
```
**Why:** Parameterized queries prevent SQL injection attacks (OWASP #1)
#### 2. N+1 Query in user_service.py:78
**Issue:** Loading related data in loop causes N+1 queries
**Before:**
```python
for user in users:
posts = user.posts # Lazy load triggers query
```
**After:**
```python
users = session.query(User).options(joinedload(User.posts)).all()
for user in users:
posts = user.posts # Already loaded
```
**Why:** Reduces database round trips from N+1 to 1 query
### Recommended Improvements
#### 1. Import Optimization (user_service.py:1)
- Consider using built-in `datetime` instead of `arrow` library
- Aligns with project preference for core libraries over PyPI packages
- Would you like me to refactor this?
#### 2. Code Style (user.py:15)
- Consider adding docstring to `User` class
- Would improve code documentation
- Should I add this?
```
## Tips for Effective Reviews
1. **Be Thorough**: Check every changed line, not just the obvious parts
2. **Context Matters**: Understand the purpose of the code before critiquing
3. **Prioritize Severity**: Fix security and correctness issues before style
4. **Explain Reasoning**: Always explain why something is a problem
5. **Provide Solutions**: Don't just identify issues, show how to fix them
6. **Respect Intent**: Understand what the developer was trying to achieve
7. **Check Imports**: Verify all necessary imports are present after fixes
8. **Test Compatibility**: Ensure fixes don't break existing functionality
Name Size