Skill Spotlights
Code Review Skills Roundup: 5 Tools to Improve Your PR Process
Compare the top 5 code review skills for Claude Code. From quick PR summaries to deep security audits, find the right review tool for your team's needs.
Compare the top 5 code review skills for Claude Code. From quick PR summaries to deep security audits, find the right review tool for your team's needs.
Code review is where good code becomes great code. It's also where many teams struggle. Reviews take too long, feedback is inconsistent, important issues slip through, and reviewers burn out from the cognitive load. Claude Code skills offer a solution: encode your team's review standards into reusable, consistent processes.
In this roundup, we'll examine five code review skills that approach the problem differently. Each has strengths suited to different team contexts. By understanding these approaches, you can choose the right tool or combine elements to build your ideal review workflow.
Before diving into skills, let's understand what makes code review difficult:
Cognitive Load: Holding code structure in your head while tracking changes across files is mentally taxing.
Inconsistency: Different reviewers catch different things. Standards drift over time.
Time Pressure: Reviews often block deployments. Speed and thoroughness feel like opposing forces.
Context Switching: Reviewing interrupts deep work. Getting back to your own code takes time.
Feedback Quality: "LGTM" reviews add little value. Constructive, specific feedback takes effort.
The best code review skills address multiple challenges simultaneously.
The simplest approach: generate a summary of changes to accelerate understanding.
# /pr-review
Generate a comprehensive summary of pull request changes.
## Process
1. Run `git diff main...HEAD` to see all changes
2. Categorize changes by:
- New features
- Bug fixes
- Refactoring
- Configuration
- Tests
3. For each file changed:
- Summarize what changed
- Note any concerns
4. Provide overall assessment
## Output Format
### Summary
One-paragraph overview of what this PR accomplishes.
### Changes by Category
**Features:**
- [List new capabilities added]
**Fixes:**
- [List bugs addressed]
**Refactoring:**
- [List structural improvements]
### File-by-File Analysis
[Table of files with change descriptions]
### Concerns
[Any issues spotted during review]
### Verdict
[APPROVE / REQUEST_CHANGES / NEEDS_DISCUSSION]
Quick triage of PRs. Understanding what changed before deep review. Small teams without formal review processes.
### Summary
This PR adds user authentication using JWT tokens, including login/logout
endpoints and middleware for protected routes.
### Changes by Category
**Features:**
- JWT-based authentication flow
- Login endpoint with password validation
- Logout endpoint with token invalidation
- Auth middleware for protected routes
**Tests:**
- Unit tests for token generation
- Integration tests for auth endpoints
### File-by-File Analysis
| File | Changes | Notes |
|------|---------|-------|
| src/auth/jwt.ts | New file | Token generation, validation |
| src/auth/middleware.ts | New file | Route protection |
| src/routes/auth.ts | New file | Login, logout endpoints |
| src/routes/index.ts | Modified | Added auth routes |
### Concerns
- Password hashing uses bcrypt with cost factor 10 (consider 12 for production)
- No rate limiting on login endpoint (potential brute force vulnerability)
### Verdict
REQUEST_CHANGES - Security concerns should be addressed before merge.
A focused approach that examines code specifically for security vulnerabilities.
# /security-review
Analyze code changes for security vulnerabilities.
## Vulnerability Categories
### A1: Injection
- SQL injection
- Command injection
- LDAP injection
- XPath injection
### A2: Broken Authentication
- Weak password requirements
- Session management issues
- Credential exposure
### A3: Sensitive Data Exposure
- Unencrypted data transmission
- Weak cryptography
- Sensitive data in logs
### A4: XML External Entities (XXE)
- Unsafe XML parsing
### A5: Broken Access Control
- Missing authorization checks
- IDOR vulnerabilities
- Path traversal
### A6: Security Misconfiguration
- Default credentials
- Unnecessary features enabled
- Missing security headers
### A7: Cross-Site Scripting (XSS)
- Reflected XSS
- Stored XSS
- DOM-based XSS
### A8: Insecure Deserialization
- Unsafe object creation from data
### A9: Using Components with Known Vulnerabilities
- Outdated dependencies
- Vulnerable libraries
### A10: Insufficient Logging & Monitoring
- Missing audit logs
- Inadequate error handling
## Process
1. Get list of changed files
2. For each file, check against vulnerability categories
3. Identify specific vulnerability patterns in code
4. Assign severity: Critical, High, Medium, Low
5. Provide remediation guidance
## Output Format
### Executive Summary
[Severity counts and overall risk assessment]
### Critical Findings
[Immediate blockers]
### Detailed Findings
#### [Finding Title]
- **Severity**: [Critical/High/Medium/Low]
- **Category**: [OWASP category]
- **File**: [path:line]
- **Issue**: [Description]
- **Remediation**: [How to fix]
- **Code Example**: [Before/After]
Security-conscious teams. Financial, healthcare, or government applications. Pre-production security gates.
#### SQL Injection in User Search
- **Severity**: Critical
- **Category**: A1 - Injection
- **File**: src/users/search.ts:47
- **Issue**: User input directly concatenated into SQL query
**Vulnerable Code:**
```typescript
const query = `SELECT * FROM users WHERE name LIKE '%${searchTerm}%'`;
Remediation: Use parameterized queries
Fixed Code:
const query = `SELECT * FROM users WHERE name LIKE ?`;
const result = await db.query(query, [`%${searchTerm}%`]);
## Skill 3: architecture-review (The Big Picture)
Steps back from individual lines to evaluate structural decisions.
### Core Approach
```markdown
# /architecture-review
Evaluate structural and design decisions in code changes.
## Evaluation Dimensions
### Separation of Concerns
- Are responsibilities clearly divided?
- Is business logic separated from infrastructure?
- Are layers properly isolated?
### Coupling & Cohesion
- Are modules tightly coupled?
- Do classes have single responsibilities?
- Are dependencies explicit and minimal?
### Abstraction Quality
- Are interfaces well-defined?
- Is implementation hidden appropriately?
- Are abstractions at the right level?
### Pattern Application
- Are design patterns used appropriately?
- Are patterns consistently applied?
- Are patterns overcomplicated for the use case?
### Scalability Considerations
- Will this approach work at 10x scale?
- Are there obvious bottlenecks?
- Is horizontal scaling possible?
### Testability
- Can units be tested in isolation?
- Are dependencies injectable?
- Is the code deterministic?
## Process
1. Map the changed files to architectural layers
2. Identify new abstractions or pattern applications
3. Evaluate against each dimension
4. Consider future evolution of this code
5. Provide architectural guidance
## Output Format
### Architecture Overview
[How this change fits into overall architecture]
### Design Decisions
[Key decisions made in this PR]
### Evaluation
| Dimension | Rating | Notes |
|-----------|--------|-------|
| Separation of Concerns | Good/Fair/Poor | ... |
| ... | ... | ... |
### Recommendations
[Structural improvements to consider]
### Future Considerations
[How this design might need to evolve]
Large feature additions. New team members' PRs. Periodic deep reviews. Establishing patterns for new projects.
### Architecture Overview
This PR introduces a new notification service that sits between the user
service and external notification providers (email, SMS, push). The design
follows a hexagonal architecture pattern.
### Design Decisions
1. **NotificationPort interface**: Abstracts notification sending
2. **Provider adapters**: Separate implementations for each channel
3. **Template system**: Decouples message content from delivery
### Evaluation
| Dimension | Rating | Notes |
|-----------|--------|-------|
| Separation of Concerns | Good | Clear boundaries between domain and infrastructure |
| Coupling | Good | Adapters only depend on ports, not implementations |
| Abstraction Quality | Fair | Template system could be more flexible |
| Testability | Good | All dependencies injectable |
### Recommendations
1. Consider event-driven architecture for notification triggering rather
than direct calls. This would improve resilience and enable audit logging.
2. The template system currently uses string interpolation. Consider a
proper template engine for complex notifications.
### Future Considerations
If notification volume increases, this synchronous approach may need to
evolve into a queue-based system. The current adapter pattern will make
this transition easier.
Checks code against your team's specific standards and conventions.
# /standards-review
Verify code changes comply with team standards.
## Our Standards
### Naming Conventions
- Components: PascalCase
- Functions: camelCase
- Constants: UPPER_SNAKE_CASE
- Files: kebab-case
### File Organization
- One component per file
- Co-located tests (*`.test.ts`)
- Index files for public exports
### Error Handling
- Always use typed errors
- Never swallow exceptions
- Log errors with context
### Documentation
- Public APIs require JSDoc
- Complex logic requires inline comments
- README for each major feature
### Testing
- Unit test coverage > 80%
- Integration tests for API endpoints
- E2E tests for critical paths
### Git
- Conventional commit messages
- Squash merge to main
- Feature branches from main
## Process
1. Load team standards (above)
2. Check each changed file against applicable standards
3. Note deviations with severity
4. Provide specific guidance for fixes
## Output Format
### Compliance Summary
[X of Y standards checked, Z violations found]
### Violations
| Standard | File | Line | Issue | Severity |
|----------|------|------|-------|----------|
| ... | ... | ... | ... | ... |
### Commendations
[Where the code exemplifies our standards]
### Action Items
[Prioritized list of fixes needed]
Teams with documented coding standards. Enterprise environments. Open source projects needing contribution consistency.
### Compliance Summary
12 standards checked, 3 violations found.
### Violations
| Standard | File | Line | Issue | Severity |
|----------|------|------|-------|----------|
| Naming | UserCard.tsx | 1 | File should be `user-card.tsx` | Medium |
| Testing | user-service.ts | - | No test file found | High |
| Docs | api/users.ts | 12 | Public function missing JSDoc | Medium |
### Commendations
- Excellent error handling in `auth-middleware.ts` with proper error types
- Consistent use of conventional commits in recent history
### Action Items
1. **High**: Add tests for user-service.ts (required for merge)
2. **Medium**: Rename UserCard.tsx to user-card.tsx
3. **Medium**: Add JSDoc to getUserById function
Integrates multiple review perspectives into a single workflow.
# /full-review
Comprehensive code review covering all dimensions.
## Review Phases
### Phase 1: Quick Scan (2 min)
- What does this PR accomplish?
- How big is the change?
- Which areas of the codebase are affected?
### Phase 2: Security Check (5 min)
- Run security-focused review
- Flag any blockers immediately
### Phase 3: Logic Review (10 min)
- Read through the code carefully
- Check for bugs, edge cases
- Verify error handling
- Assess performance implications
### Phase 4: Standards Check (3 min)
- Verify naming, formatting
- Check test coverage
- Validate documentation
### Phase 5: Architecture Assessment (5 min)
- Does this fit the existing architecture?
- Are there concerning structural decisions?
- How will this evolve?
### Phase 6: Synthesis (5 min)
- Combine findings
- Prioritize feedback
- Make approval decision
## Output Format
### Executive Summary
[1-2 sentence overall assessment]
### Review Stats
- Files Changed: X
- Lines Added: Y
- Lines Removed: Z
- Test Coverage: A%
- Review Time: ~30 min
### Must Fix (Blockers)
[Issues that must be resolved before merge]
### Should Fix (Important)
[Issues that should be addressed, could be follow-up PR]
### Could Fix (Suggestions)
[Improvements to consider, not required]
### Positive Feedback
[What's done well in this PR]
### Decision
[APPROVE / REQUEST_CHANGES / NEEDS_DISCUSSION]
Reason: [Brief explanation]
Important PRs (new features, security-sensitive changes). Periodic deep reviews. Training reviewers on what to look for.
| Scenario | Recommended Skill |
|---|---|
| Quick PR triage | pr-review |
| Security-sensitive code | security-review |
| New feature development | architecture-review |
| Consistent team standards | team-standards-review |
| Important releases | comprehensive-review |
| Small bug fixes | pr-review |
| New team member PRs | team-standards-review |
| External contributions | comprehensive-review |
Skills aren't mutually exclusive. Effective workflows often chain them:
## Tiered Review Workflow
### Tier 1: All PRs
Run /pr-review for quick summary and obvious issues.
### Tier 2: Medium PRs (50+ lines)
Add /team-standards-review for consistency.
### Tier 3: Large PRs (200+ lines)
Add /architecture-review for structural assessment.
### Tier 4: Security PRs
Add /security-review regardless of size.
### Tier 5: Release PRs
Run /full-review for comprehensive coverage.
These skills provide templates. Customize them with:
Make reviews part of your Git hooks or CI:
# Pre-push hook
if [ "$branch" != "main" ]; then
claude /pr-review
fi
Monitor how reviews improve quality:
Not every PR needs deep review. Establish guidelines:
Code review is too important to do inconsistently. These five skills offer different lenses on the same goal: catching issues before they reach production and improving code quality over time.
Start with the skill that matches your biggest pain point:
The best teams combine these approaches, applying the right level of scrutiny to each change. Claude Code skills make that combination practical, not aspirational.
Want to improve other parts of your development workflow? Check out Git Workflow Skills for commit and branching automation, or explore Testing Skills Comparison for automated quality assurance.
This skill provides a structured workflow for guiding users through collaborative document creation. Act as an active guide, walking users through three stages: Context Gathering, Refinement & Structu