github-code-reviewer

presmihaylov/github-code-reviewer

Coding

1 installs

About

SKILL.md

github-code-reviewer

presmihaylov/github-code-reviewer

Coding

1 installs

About

Review GitHub PRs with surgical precision. Flag only high-severity issues (bugs, security, performance, breaking changes) via succinct inline comments on specific lines...

SKILL.md

GitHub Code Reviewer

High-precision code review that flags critical issues only. Leave inline comments on specific lines—no verbose summaries.

Core Principle: High Signal, Low Noise

Only flag these:

Bugs: Logic errors, crashes, incorrect behavior, unhandled edge cases
Security: SQL injection, XSS, auth bypass, credential leaks, input validation gaps
Performance: N+1 queries, inefficient algorithms, memory leaks, missing indexes
Breaking changes: API incompatibilities, data migration issues
Critical architectural violations: Layer separation breaks, major pattern deviations

Never flag these:

Style preferences, formatting, naming conventions
Minor improvements, optimizations, or refactoring suggestions
Nits, typos, comments about comments
Positive feedback (unless code prevents a critical bug)
Anything that doesn't materially affect correctness, security, or performance

Workflow

1. Get PR Context (Fast)

python scripts/get_pr_info.py <pr_url_or_number>
python scripts/get_pr_diff.py <pr_url_or_number>

2. Gather System Context (Critical)

Never review in isolation. Use tools to understand the larger system:

Read: Check files that interact with changes (callers, implementations, tests)
Grep: Find similar patterns, conventions, how problems are solved elsewhere
Glob: Locate integration points (schemas, APIs, service interfaces)

3. Identify Critical Issues Only

Scan for high-severity problems:

Bugs: Null derefs, unhandled errors, logic errors, edge case failures Security: Injection vulnerabilities, auth bypass, credential exposure, missing validation Performance: N+1 queries, inefficient algorithms, memory/resource leaks Breaking changes: API incompatibilities, migration issues Architecture: Service layer calling external APIs directly, repository layer doing validation

Skip everything else. Don't comment on style, naming, minor refactors, or improvements.

4. Leave Inline Comments (Required Pattern)

Primary approach: Inline comments on specific lines where issues exist.

Use JSON file + submit_review.py for all reviews:

Create JSON in /tmp with inline comments:

# Use /tmp to avoid cluttering working directory
/tmp/pr-<number>-review.json

Example content:

[
  {
    "path": "src/services/user.service.ts",
    "line": 42,
    "body": "bug: Null reference exception if user.profile is undefined"
  },
  {
    "path": "src/db/queries.ts",
    "line": 89,
    "body": "security: SQL injection via string concatenation - use parameterized query"
  }
]

Submit as commentary only (never approve/reject):

python scripts/submit_review.py <pr_number> \
  --repo owner/repo \
  --comments-file /tmp/pr-<number>-review.json \
  --event COMMENT

Always use --event COMMENT - skill provides commentary only, humans make approval decisions.

When to use summary comment: Only if issue affects entire PR (e.g., "This PR breaks backward compatibility for all API consumers").

Comment Format (Succinct)

Pattern: category: issue (1-2 lines max)

Examples:

bug: Null pointer exception if response.data is undefined

security: SQL injection - use parameterized queries instead of string concatenation

performance: N+1 query - fetch all records with single query instead of loop

breaking: API response structure changed - will break existing clients

No verbose explanations. No suggested code blocks unless absolutely necessary. Just state the issue and impact.

Common Critical Patterns to Check

Only flag if violation causes actual bug/security/performance issue:

General Bugs

Nil/null pointer dereferences: Missing null checks causing crashes
Unhandled errors: Errors silently ignored without proper handling
Resource leaks: Unclosed connections, file handles, or memory leaks
Race conditions: Concurrent access without synchronization

Security Issues

SQL injection: String concatenation in queries instead of parameterized queries
XSS vulnerabilities: Unescaped user input rendered in HTML
Authentication bypass: Missing auth checks on protected routes/endpoints
Authorization gaps: Missing permission/scope validation
Credential exposure: API keys, secrets, or passwords in code

Performance Problems

N+1 queries: Database queries in loops instead of batch operations
Missing indexes: Queries on unindexed columns with large datasets
Inefficient algorithms: O(n²) where O(n log n) or O(n) is possible
Memory inefficiency: Loading entire datasets when streaming is appropriate

Architecture Violations

Layer separation breaks: Business logic in presentation layer, database calls in handlers
Tight coupling: Hard dependencies that should be injected or abstracted

Context matters: Check project's CLAUDE.md or similar documentation for project-specific patterns before flagging architectural issues.

About

SKILL.md

About

Review GitHub PRs with surgical precision. Flag only high-severity issues (bugs, security, performance, breaking changes) via succinct inline comments on specific lines...

SKILL.md

GitHub Code Reviewer

High-precision code review that flags critical issues only. Leave inline comments on specific lines—no verbose summaries.

Core Principle: High Signal, Low Noise

Only flag these:

Bugs: Logic errors, crashes, incorrect behavior, unhandled edge cases
Security: SQL injection, XSS, auth bypass, credential leaks, input validation gaps
Performance: N+1 queries, inefficient algorithms, memory leaks, missing indexes
Breaking changes: API incompatibilities, data migration issues
Critical architectural violations: Layer separation breaks, major pattern deviations

Never flag these:

Style preferences, formatting, naming conventions
Minor improvements, optimizations, or refactoring suggestions
Nits, typos, comments about comments
Positive feedback (unless code prevents a critical bug)
Anything that doesn't materially affect correctness, security, or performance

Workflow

1. Get PR Context (Fast)

python scripts/get_pr_info.py <pr_url_or_number>
python scripts/get_pr_diff.py <pr_url_or_number>

2. Gather System Context (Critical)

Never review in isolation. Use tools to understand the larger system:

Read: Check files that interact with changes (callers, implementations, tests)
Grep: Find similar patterns, conventions, how problems are solved elsewhere
Glob: Locate integration points (schemas, APIs, service interfaces)

3. Identify Critical Issues Only

Scan for high-severity problems:

Skip everything else. Don't comment on style, naming, minor refactors, or improvements.

4. Leave Inline Comments (Required Pattern)

Primary approach: Inline comments on specific lines where issues exist.

Use JSON file + submit_review.py for all reviews:

Create JSON in /tmp with inline comments:

# Use /tmp to avoid cluttering working directory
/tmp/pr-<number>-review.json

Example content:

[
  {
    "path": "src/services/user.service.ts",
    "line": 42,
    "body": "bug: Null reference exception if user.profile is undefined"
  },
  {
    "path": "src/db/queries.ts",
    "line": 89,
    "body": "security: SQL injection via string concatenation - use parameterized query"
  }
]

Submit as commentary only (never approve/reject):

python scripts/submit_review.py <pr_number> \
  --repo owner/repo \
  --comments-file /tmp/pr-<number>-review.json \
  --event COMMENT

Always use --event COMMENT - skill provides commentary only, humans make approval decisions.

When to use summary comment: Only if issue affects entire PR (e.g., "This PR breaks backward compatibility for all API consumers").

Comment Format (Succinct)

Pattern: category: issue (1-2 lines max)

Examples:

bug: Null pointer exception if response.data is undefined

security: SQL injection - use parameterized queries instead of string concatenation

performance: N+1 query - fetch all records with single query instead of loop

breaking: API response structure changed - will break existing clients

No verbose explanations. No suggested code blocks unless absolutely necessary. Just state the issue and impact.

Common Critical Patterns to Check

Only flag if violation causes actual bug/security/performance issue:

General Bugs

Nil/null pointer dereferences: Missing null checks causing crashes
Unhandled errors: Errors silently ignored without proper handling
Resource leaks: Unclosed connections, file handles, or memory leaks
Race conditions: Concurrent access without synchronization

Security Issues

SQL injection: String concatenation in queries instead of parameterized queries
XSS vulnerabilities: Unescaped user input rendered in HTML
Authentication bypass: Missing auth checks on protected routes/endpoints
Authorization gaps: Missing permission/scope validation
Credential exposure: API keys, secrets, or passwords in code

Performance Problems

N+1 queries: Database queries in loops instead of batch operations
Missing indexes: Queries on unindexed columns with large datasets
Inefficient algorithms: O(n²) where O(n log n) or O(n) is possible
Memory inefficiency: Loading entire datasets when streaming is appropriate

Architecture Violations

Layer separation breaks: Business logic in presentation layer, database calls in handlers
Tight coupling: Hard dependencies that should be injected or abstracted

Context matters: Check project's CLAUDE.md or similar documentation for project-specific patterns before flagging architectural issues.