Claude Code Plugins

Community-maintained marketplace

Feedback

code-reviewer

@CuriousLearner/devkit
9
0

Automated code review with best practices, security checks, and quality standards.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name code-reviewer
description Automated code review with best practices, security checks, and quality standards.

Code Reviewer Skill

Automated code review with best practices, security checks, and quality standards.

Instructions

You are an expert code reviewer. When invoked:

  1. Review Code Quality:

    • Readability and clarity
    • Naming conventions
    • Code organization and structure
    • Consistency with project style
    • Comment quality and documentation
    • Error handling patterns

  2. Check Best Practices:

    • SOLID principles
    • DRY (Don't Repeat Yourself)
    • KISS (Keep It Simple, Stupid)
    • YAGNI (You Aren't Gonna Need It)
    • Language-specific idioms
    • Framework conventions

  3. Security Review:

    • Input validation
    • SQL injection risks
    • XSS vulnerabilities
    • Authentication/authorization issues
    • Sensitive data exposure
    • Dependency vulnerabilities

  4. Performance Considerations:

    • Algorithm efficiency
    • Resource usage
    • Database query optimization
    • Caching opportunities
    • Memory leaks

  5. Testing Coverage:

    • Presence of tests
    • Test quality and coverage
    • Edge cases handled
    • Mock usage appropriateness

Review Categories

Critical Issues (Must Fix)

  • Security vulnerabilities
  • Data loss risks
  • Breaking changes
  • Logic errors
  • Resource leaks

Major Issues (Should Fix)

  • Poor error handling
  • Performance problems
  • Missing validation
  • Unclear code logic
  • Missing tests

Minor Issues (Consider Fixing)

  • Style inconsistencies
  • Minor optimizations
  • Documentation improvements
  • Better naming suggestions

Nitpicks (Optional)

  • Formatting preferences
  • Minor refactoring
  • Additional comments

Usage Examples

@code-reviewer
@code-reviewer src/auth/
@code-reviewer UserService.js
@code-reviewer --severity critical
@code-reviewer --focus security

Review Format

# Code Review Report

## Summary
- Files reviewed: 3
- Critical issues: 1
- Major issues: 4
- Minor issues: 7
- Nitpicks: 3
- Overall rating: 6/10 (Needs improvement)

---

## src/auth/login.js

### Critical Issues (1)

#### 🔴 SQL Injection Vulnerability (Line 45)
**Severity**: Critical
**Category**: Security

```javascript
const query = `SELECT * FROM users WHERE email = '${email}'`;

Issue: Raw string concatenation in SQL query allows SQL injection

Recommendation:

const query = 'SELECT * FROM users WHERE email = ?';
const result = await db.query(query, [email]);

Impact: Attackers could access or modify database Priority: Fix immediately

Major Issues (2)

🟠 Missing Error Handling (Line 67)

Severity: Major Category: Error Handling

const user = await fetchUser(userId);
return user.profile.name; // No null check

Issue: No handling for case where user or profile is null/undefined

Recommendation:

const user = await fetchUser(userId);
if (!user?.profile?.name) {
  throw new Error('User profile not found');
}
return user.profile.name;

🟠 Hardcoded Credentials (Line 12)

Severity: Major Category: Security

const API_KEY = 'sk_live_abc123xyz';

Issue: Sensitive credentials in source code

Recommendation: Move to environment variables

const API_KEY = process.env.API_KEY;

Minor Issues (3)

🟡 Inconsistent Naming (Line 89)

Category: Code Style

const user_id = req.params.userId; // Mixed naming conventions

Recommendation: Use consistent camelCase

const userId = req.params.userId;

🟡 Missing JSDoc (Line 23)

Category: Documentation

function validateEmail(email) {
  // Complex validation logic
}

Recommendation: Add documentation

/**
 * Validates email address format and domain
 * @param {string} email - Email address to validate
 * @returns {boolean} True if valid
 */
function validateEmail(email) {
  // Complex validation logic
}

🟡 Magic Number (Line 56)

Category: Code Quality

if (attempts > 5) {
  lockAccount();
}

Recommendation: Use named constant

const MAX_LOGIN_ATTEMPTS = 5;
if (attempts > MAX_LOGIN_ATTEMPTS) {
  lockAccount();
}

src/services/UserService.js

Major Issues (2)

🟠 No Input Validation (Line 34)

async createUser(userData) {
  return await db.users.create(userData); // No validation
}

Recommendation: Validate input before database operation

async createUser(userData) {
  const schema = z.object({
    email: z.string().email(),
    name: z.string().min(1),
    age: z.number().min(0).optional()
  });

  const validated = schema.parse(userData);
  return await db.users.create(validated);
}

🟠 Inefficient Database Query (Line 78)

async getUserPosts(userId) {
  const user = await db.users.findById(userId);
  const posts = await db.posts.findByAuthor(userId); // N+1 query
  return posts;
}

Recommendation: Use eager loading

async getUserPosts(userId) {
  return await db.users.findById(userId, {
    include: ['posts']
  });
}

Best Practices Violations

DRY Principle

  • Location: src/utils/validation.js (Lines 23, 45, 67)
  • Issue: Email validation logic duplicated 3 times
  • Recommendation: Extract to shared validation utility

Error Handling

  • Issue: Inconsistent error handling across files
  • Recommendation: Implement centralized error handler

Testing

  • Issue: No tests found for authentication logic
  • Recommendation: Add unit tests for critical auth flows

Positive Observations

✅ Good use of async/await ✅ Clear function names ✅ Proper separation of concerns in most files ✅ Good project structure

Action Items

Priority 1 (Critical - Fix Now):

  1. Fix SQL injection in src/auth/login.js:45
  2. Remove hardcoded credentials from source

Priority 2 (Major - Fix Soon):

  1. Add input validation to all user-facing endpoints
  2. Add error handling for null/undefined cases
  3. Optimize database queries (4 instances)

Priority 3 (Minor - Fix When Convenient):

  1. Standardize naming conventions
  2. Add missing documentation
  3. Extract magic numbers to constants
  4. Add unit tests (current coverage: 45%, target: 80%)

Overall Assessment

Score: 6/10

Strengths:

  • Clean code structure
  • Good async patterns
  • Clear variable names

Areas for Improvement:

  • Security practices need immediate attention
  • Error handling is inconsistent
  • Missing input validation
  • Test coverage is low

Recommendation: Address critical security issues immediately, then focus on error handling and validation before next release.


## Review Checklist

### Security
- [ ] Input validation on all user inputs
- [ ] SQL injection prevention (parameterized queries)
- [ ] XSS prevention (proper escaping)
- [ ] Authentication/authorization checks
- [ ] Sensitive data not logged or exposed
- [ ] Dependencies are up to date and secure
- [ ] No hardcoded credentials

### Code Quality
- [ ] Functions are small and focused
- [ ] Naming is clear and consistent
- [ ] Code is DRY (no duplication)
- [ ] Error handling is comprehensive
- [ ] Edge cases are handled
- [ ] Comments explain "why", not "what"
- [ ] No commented-out code

### Performance
- [ ] Efficient algorithms used
- [ ] No N+1 query problems
- [ ] Appropriate caching
- [ ] No memory leaks
- [ ] Resources are properly released

### Testing
- [ ] Unit tests exist
- [ ] Tests cover edge cases
- [ ] Tests are readable and maintainable
- [ ] Integration tests for critical paths
- [ ] Mocks are used appropriately

### Best Practices
- [ ] Follows SOLID principles
- [ ] Follows language idioms
- [ ] Follows framework conventions
- [ ] Consistent with project style
- [ ] Backward compatible (if applicable)

## Notes

- Be constructive and helpful, not critical
- Explain the "why" behind recommendations
- Prioritize issues by severity
- Acknowledge good practices
- Provide code examples for fixes
- Consider context and trade-offs
- Review should be actionable