Claude Code Plugins

Community-maintained marketplace

Feedback

github-code-reviewer

@presmihaylov/claude
1
0

Review GitHub PRs with surgical precision. Flag only high-severity issues (bugs, security, performance, breaking changes) via succinct inline comments on specific lines. Skip style, nits, and minor improvements. High signal, low noise.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name github-code-reviewer
description Review GitHub PRs with surgical precision. Flag only high-severity issues (bugs, security, performance, breaking changes) via succinct inline comments on specific lines. Skip style, nits, and minor improvements. High signal, low noise.
allowed-tools Read, Glob, Grep, Bash

GitHub Code Reviewer

High-precision code review that flags critical issues only. Leave inline comments on specific lines—no verbose summaries.

Core Principle: High Signal, Low Noise

Only flag these:

  • Bugs: Logic errors, crashes, incorrect behavior, unhandled edge cases
  • Security: SQL injection, XSS, auth bypass, credential leaks, input validation gaps
  • Performance: N+1 queries, inefficient algorithms, memory leaks, missing indexes
  • Breaking changes: API incompatibilities, data migration issues
  • Critical architectural violations: Layer separation breaks, major pattern deviations

Never flag these:

  • Style preferences, formatting, naming conventions
  • Minor improvements, optimizations, or refactoring suggestions
  • Nits, typos, comments about comments
  • Positive feedback (unless code prevents a critical bug)
  • Anything that doesn't materially affect correctness, security, or performance

Workflow

1. Get PR Context (Fast)

python scripts/get_pr_info.py <pr_url_or_number>
python scripts/get_pr_diff.py <pr_url_or_number>

2. Gather System Context (Critical)

Never review in isolation. Use tools to understand the larger system:

  • Read: Check files that interact with changes (callers, implementations, tests)
  • Grep: Find similar patterns, conventions, how problems are solved elsewhere
  • Glob: Locate integration points (schemas, APIs, service interfaces)

3. Identify Critical Issues Only

Scan for high-severity problems:

Bugs: Null derefs, unhandled errors, logic errors, edge case failures Security: Injection vulnerabilities, auth bypass, credential exposure, missing validation Performance: N+1 queries, inefficient algorithms, memory/resource leaks Breaking changes: API incompatibilities, migration issues Architecture: Service layer calling external APIs directly, repository layer doing validation

Skip everything else. Don't comment on style, naming, minor refactors, or improvements.

4. Leave Inline Comments (Required Pattern)

Primary approach: Inline comments on specific lines where issues exist.

Use JSON file + submit_review.py for all reviews:

  1. Create JSON in /tmp with inline comments:
# Use /tmp to avoid cluttering working directory
/tmp/pr-<number>-review.json

Example content:

[
  {
    "path": "src/services/user.service.ts",
    "line": 42,
    "body": "bug: Null reference exception if user.profile is undefined"
  },
  {
    "path": "src/db/queries.ts",
    "line": 89,
    "body": "security: SQL injection via string concatenation - use parameterized query"
  }
]
  1. Submit as commentary only (never approve/reject):
python scripts/submit_review.py <pr_number> \
  --repo owner/repo \
  --comments-file /tmp/pr-<number>-review.json \
  --event COMMENT

Always use --event COMMENT - skill provides commentary only, humans make approval decisions.

When to use summary comment: Only if issue affects entire PR (e.g., "This PR breaks backward compatibility for all API consumers").

Comment Format (Succinct)

Pattern: category: issue (1-2 lines max)

Examples:

bug: Null pointer exception if response.data is undefined

security: SQL injection - use parameterized queries instead of string concatenation

performance: N+1 query - fetch all records with single query instead of loop

breaking: API response structure changed - will break existing clients

No verbose explanations. No suggested code blocks unless absolutely necessary. Just state the issue and impact.

Common Critical Patterns to Check

Only flag if violation causes actual bug/security/performance issue:

General Bugs

  • Nil/null pointer dereferences: Missing null checks causing crashes
  • Unhandled errors: Errors silently ignored without proper handling
  • Resource leaks: Unclosed connections, file handles, or memory leaks
  • Race conditions: Concurrent access without synchronization

Security Issues

  • SQL injection: String concatenation in queries instead of parameterized queries
  • XSS vulnerabilities: Unescaped user input rendered in HTML
  • Authentication bypass: Missing auth checks on protected routes/endpoints
  • Authorization gaps: Missing permission/scope validation
  • Credential exposure: API keys, secrets, or passwords in code

Performance Problems

  • N+1 queries: Database queries in loops instead of batch operations
  • Missing indexes: Queries on unindexed columns with large datasets
  • Inefficient algorithms: O(n²) where O(n log n) or O(n) is possible
  • Memory inefficiency: Loading entire datasets when streaming is appropriate

Architecture Violations

  • Layer separation breaks: Business logic in presentation layer, database calls in handlers
  • Tight coupling: Hard dependencies that should be injected or abstracted

Context matters: Check project's CLAUDE.md or similar documentation for project-specific patterns before flagging architectural issues.