---
name: AI Code Review Expert
description: >
  AI-powered code review assistant: perform deep static analysis, identify security
  vulnerabilities, enforce coding standards, suggest refactoring patterns, and generate
  PR review comments. Supports Python, JavaScript, TypeScript, Java, Go, Rust, and more.
  Integrates with GitHub PR workflows. Keywords: code review, static analysis, security
  scanning, refactoring, PR review, code quality, SAST, CodeRabbit, CodiumAI, code smell,
  best practices, AI code reviewer, CI/CD, 代码审查, 代码评审, 代码重构, 安全扫描,
  pull request, 静态分析, 编码规范.
version: "3.0.1"
---
# AI Code Review Expert
> Automated, opinionated, actionable code reviews that actually ship better software.
## What This Skill Does
In 2026, AI code review tools (CodeRabbit, CodiumAI/Qodo, GitHub Copilot PR Review) have become table stakes for engineering teams. Yet developers still need expert-level guidance on *how* to act on findings, explain changes to stakeholders, and write review comments that teach rather than just flag. This skill:
- **Reviews code snippets or diffs** for bugs, security issues, performance problems, and style violations
- **Generates actionable PR review comments** in the style of senior engineers
- **Explains WHY a change is problematic**, not just "this is wrong"
- **Suggests concrete fixes** with alternative code implementations
- **Enforces team coding standards** when you provide a style guide or tech stack
- **Performs security-focused reviews** (OWASP Top 10, injection, auth flaws, secrets leakage)
- **Rates code quality** with a structured rubric
## Trigger Words
Code review, PR review, review my code, check this code, static analysis, code smell, refactor, security scan, find bugs, SAST, pull request feedback, code quality check, review this PR, and the Chinese equivalents 代码审查, 代码评审, 重构建议, 安全漏洞, 帮我看看代码
## Target Users
- Software engineers seeking a second opinion before submitting PRs
- Tech leads establishing automated review standards
- Junior developers learning best practices through detailed feedback
- Security engineers adding SAST to their CI/CD pipeline
- Open source maintainers reviewing community contributions
## Workflow
### Additional content (2026 edition)
**Step 2 supplement (2026):**
- LangGraph v1.0: stateful workflows with periodic checks and fault recovery, enterprise-grade, supports Kubernetes autoscaling; GitHub stars past 85K
- CrewAI v1.10: agent collaboration with 6 role types, 20+ enterprise integrations (Slack/Notion/Airtable/GitHub), Chinese documentation released in 2026 Q1
- Claude Agent SDK vs OpenAI Agents SDK, in-depth comparison: tool-call accuracy (94% vs 91%), a second capability benchmark (78% vs 82%), cost efficiency (¥0.8 per thousand tokens vs ¥1.2 per thousand tokens), a multi-dimensional evaluation
- MCP (Model Context Protocol) ecosystem boom: 50+ official servers (GitHub/Slack/Notion/Postgres, etc.); enterprise-internal MCP registries become new infrastructure
- The LLM context-window battle: Gemini 2M tokens / Claude 200K / GPT-4o 128K, a selection guide with cost-performance analysis for very long documents (prospectuses / annual reports)
---
### Step 1: Context Gathering
Ask the user for (or infer from the code):
- **Language & framework** (Python/FastAPI? TypeScript/React? Java/Spring?)
- **Review focus** (security? performance? readability? all?)
- **Code context** (is this a snippet, a full file, or a diff/PR?)
- **Team standards** (any style guide? e.g., Google Java Style, PEP 8, Airbnb JS?)
### Step 2: Multi-Dimension Analysis
Analyze the provided code across these dimensions:
#### Critical (Blocking)
- Security vulnerabilities (SQL injection, XSS, IDOR, hardcoded secrets, insecure deserialization)
- Logic errors that will cause crashes or data corruption
- Race conditions and concurrency bugs
#### Warning (Should Fix)
- Performance anti-patterns (N+1 queries, unnecessary loops, memory leaks)
- Error handling gaps (unhandled exceptions, missing null checks)
- Code duplications (DRY violations)
- Deprecated API usage
#### Suggestion (Nice to Have)
- Readability improvements (naming, comments, structure)
- Test coverage gaps
- Opportunity to apply design patterns
- Minor style inconsistencies
### OWASP Top 10 2025 checklist (AI-assisted review)
| # | Vulnerability category | Detection keywords / patterns | Severity | AI-assisted detection method |
|---|------------------------|-------------------------------|----------|------------------------------|
| A01 | Broken Access Control | Unauthorized access / IDOR / path traversal | Critical | Check whether routes and API endpoints lack permission annotations or middleware |
| A02 | Cryptographic Failures | Hardcoded keys / weak hashing / plaintext transmission | Critical | Scan string constants; regex-match key patterns |
| A03 | Injection | SQL concatenation / NoSQL injection / command injection | Critical | Check for string concatenation flowing into queries, exec or system calls |
| A04 | Insecure Design | Missing rate limiting / no CAPTCHA / business logic flaws | Warning | Check whether API endpoints lack rate limiting or a CAPTCHA |
| A05 | Security Misconfiguration | Default credentials / open ports / verbose error messages | Warning | Check configuration files, environment variables and exception handling |
| A06 | Vulnerable and Outdated Components | Known CVEs / outdated dependencies | Warning | Compare package.json and lock files against the NVD database |
| A07 | Identification and Authentication Failures | Weak password policy / session fixation / no MFA | Critical | Check authentication middleware configuration and password hashing algorithms |
| A08 | Software and Data Integrity Failures | Untrusted deserialization / CI/CD pipeline poisoning | Warning | Check deserialization calls and pipeline configuration |
| A09 | Security Logging and Monitoring Failures | No audit logging / unsanitized logs | Suggestion | Check whether critical operations are logged |
| A10 | Server-Side Request Forgery | User-controlled URL requests | Warning | Check whether HTTP client calls validate the target URL |
**Claude Code Review special checks (2026):**
- Prompt injection: check whether the system prompt can be influenced by user-controllable input (CWE-1426)
- Training data leakage: check whether RAG content could leak the system prompt
- Excessive agency: check whether the agent holds unnecessary file read/write or command execution permissions
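The detection approaches in the table above (string concatenation flowing into query or command sinks, regex matching of hardcoded key patterns) and the prompt-injection check in the list just above can be prototyped as a small AST pass. The following is an added example, not code from the skill or its repository: it assumes a one-hop taint rule (a variable assigned from a dynamically built string counts as tainted when it reaches a sink), a constructed set of sink names and prompt-variable names, and a constructed secret regex. The sample input is constructed from the vulnerable `get_user` in the example interaction below plus a fake key, and the findings are rendered in the Step 3 comment layout and a Step 5 style summary.

```python
import ast
import re
from collections import Counter
from dataclasses import dataclass

# Constructed rule set for this example (not the skill's own rules).
SECRET_RE = re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*=\s*['"][^'"]{8,}['"]""")
QUERY_SINKS = {"execute", "executemany"}                            # A03: SQL / NoSQL queries
COMMAND_SINKS = {"system", "popen", "run", "call", "exec", "eval"}  # A03: command execution
PROMPT_NAMES = {"system_prompt", "prompt"}                          # LLM system-prompt variables


@dataclass
class Finding:
    location: str
    severity: str  # Critical / Warning / Suggestion, as in Step 2
    issue: str
    why: str
    fix: str


def _is_dynamic_string(node):
    """True when a string is assembled at runtime: '+' concatenation, '%' formatting,
    an f-string with placeholders, or str.format(). False for plain constants."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _callee(call):
    # Last component of the called name: db.execute -> "execute", eval -> "eval"
    return call.func.attr if isinstance(call.func, ast.Attribute) else getattr(call.func, "id", "")


def review(source, filename="snippet.py"):
    """Run the checks over one Python snippet and return findings ordered by line."""
    tree = ast.parse(source)
    findings = []
    dynamic_vars = set()  # names assigned from a dynamically built string (one-hop taint)

    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name) and _is_dynamic_string(node.value)):
            name = node.targets[0].id
            dynamic_vars.add(name)
            if name in PROMPT_NAMES:
                findings.append(Finding(f"{filename}:{node.lineno}", "Warning",
                    "System prompt assembled from runtime values",
                    "User-controllable text inside the system prompt enables prompt injection",
                    "Keep the system prompt static and pass user text as a separate user message"))

    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        arg = node.args[0]
        tainted = _is_dynamic_string(arg) or (isinstance(arg, ast.Name) and arg.id in dynamic_vars)
        if tainted and _callee(node) in QUERY_SINKS:
            findings.append(Finding(f"{filename}:{node.lineno}", "Critical",
                "SQL built by string concatenation",
                "Attacker-controlled input becomes part of the statement (SQL injection)",
                "Use a parameterised query: db.execute('... WHERE id = %s', (user_id,))"))
        elif tainted and _callee(node) in COMMAND_SINKS:
            findings.append(Finding(f"{filename}:{node.lineno}", "Critical",
                "Command built by string concatenation",
                "Attacker-controlled input reaches the shell or interpreter (command injection)",
                "Pass an argument list to subprocess.run without shell=True"))

    for lineno, line in enumerate(source.splitlines(), 1):
        if SECRET_RE.search(line):
            findings.append(Finding(f"{filename}:{lineno}", "Critical", "Hardcoded secret",
                "Credentials in source leak through version history and build artifacts",
                "Load the value from a secrets manager or an environment variable"))

    return sorted(findings, key=lambda f: int(f.location.rsplit(":", 1)[1]))


def render_comment(f):
    """One review comment in the Step 3 layout."""
    return (f"Location: {f.location}\nSeverity: {f.severity}\nIssue: {f.issue}\n"
            f"Why it matters: {f.why}\nRecommended fix: {f.fix}")


def render_summary(findings):
    """Step 5 style summary: one section per severity with a count."""
    counts = Counter(f.severity for f in findings)
    lines = ["## Code Review Summary"]
    for sev in ("Critical", "Warning", "Suggestion"):
        lines.append(f"### {sev} ({counts.get(sev, 0)})")
        lines += [f"- `{f.location}`: {f.issue}" for f in findings if f.severity == sev]
    return "\n".join(lines)


# Constructed sample: the vulnerable get_user from the example interaction plus a fake key.
SAMPLE = '''API_KEY = "sk-example-not-a-real-key-0123456789"

def get_user(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    return db.execute(query)
'''

if __name__ == "__main__":
    found = review(SAMPLE)
    for f in found:
        print(render_comment(f), end="\n\n")
    print(render_summary(found))
```

The one-hop taint rule is deliberately crude: it flags any dynamically built first argument of a sink, so a `subprocess.run(cmd)` with a list argument passes while `os.system("ls " + d)` is reported, and the parameterised form of `get_user` produces no finding. A real SAST pass tracks data flow across calls and across files; this block shows only the shape of the check behind each row of the table.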
---
### Step 3: Generate Review Comments
For each finding, output a structured review comment:
```
Location: [filename:line_number] or [function_name]
Severity: [Critical / Warning / Suggestion]
Issue: [Clear description of the problem]
Why it matters: [Impact on security / performance / maintainability]
Recommended fix:
[code block with the corrected implementation]
```
### Step 4: Overall Code Quality Score
| Dimension | Score (1-10) | Notes |
|-----------|--------------|-------|
| Correctness | [score] | Logic & edge case handling |
| Security | [score] | OWASP, secrets, auth |
| Performance | [score] | Time/space complexity, DB queries |
| Readability | [score] | Naming, structure, comments |
| Testability | [score] | Modular, injectable dependencies |
| **Overall** | [score] | Weighted average |
### Step 5: PR Summary Comment (GitHub-style)
Generate a ready-to-paste GitHub PR description:
```markdown
## Code Review Summary
**Reviewed by:** AI Code Review Expert
**Date:** [today]
**Overall:** 4/5 (Minor issues found)
### Critical Issues (0)
No blocking issues found.
### Warnings (2)
- `user_service.py:45`: Potential SQL injection via raw query concatenation
- `auth.py:12`: JWT secret read from environment variable without validation
### Suggestions (3)
- Consider extracting the validation logic into a shared utility
- Add docstrings to public methods
- Use `dataclasses` instead of plain dicts for `UserProfile`
### Positive Highlights
- Excellent use of dependency injection in `UserController`
- Clear separation of concerns between service and repository layers
```
## Example Interactions
**User:**
```python
def get_user(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    return db.execute(query)
```
**Skill response:**
> **Critical: SQL Injection** (`get_user` function)
> **Issue:** String concatenation in SQL queries allows attackers to inject malicious SQL.
> **Impact:** Complete database compromise (data theft, deletion, admin escalation).
> **Fix:**
> ```python
> def get_user(user_id: int) -> dict | None:
>     query = "SELECT * FROM users WHERE id = %s"
>     return db.execute(query, (user_id,))
> ```
---
**User:** "Review this TypeScript React component for performance issues"
**Skill response:** Identifies missing `useMemo`/`useCallback` wrappers, unnecessary re-renders, missing key props in lists, and suggests a refactor to a presentational/container pattern.
## Supported Languages
Python, JavaScript, TypeScript, Java, Kotlin, Go, Rust, C/C++, C#, Ruby, PHP, Swift, SQL, Shell/Bash, Terraform/HCL, Dockerfile, YAML/JSON configs
## Notes & Constraints
- Never store or log submitted code; treat all code as potentially sensitive IP
- For **large files** (>300 lines), ask the user to focus on a specific function/section
- Security reviews follow **OWASP Top 10 2025** and **CWE Top 25**
- When suggesting fixes, preserve the original code's intent and style conventions
- Flag potential license compliance issues in code using third-party libraries
- For CI/CD integration guidance, explain how to hook this workflow into GitHub Actions or GitLab CI
*GitHub: https://github.com/gechengling/ai-code-review-expert*