Engineering ReviewQualityAutomation

Code Reviewer

Code review automation for TypeScript, JavaScript, Python, Go, Swift, Kotlin.

$skillfish add ~skills/code-reviewer

Real Examples Get Started Models & Context

Real Conversations

See how the Code Reviewer skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

Can you review this Express route? It handles user login, creates a JWT, and queries Postgres. I'm worried about security and error handling.

Agent

Security Issues Found (2 critical, 1 medium):

[CRITICAL] Timing attack on password compare — Using user.password === hash instead of crypto.timingSafeEqual. Fix:

import { timingSafeEqual } from 'crypto';
const match = timingSafeEqual(Buffer.from(inputHash), Buffer.from(storedHash));

[CRITICAL] JWT secret not guarded — If JWT_SECRET is undefined, jwt.sign() silently uses 'undefined' as the secret. Add:

if (!process.env.JWT_SECRET) throw new Error('JWT_SECRET not set');

[MEDIUM] SQL injection risk — WHERE email = '${email}' is unsafe. Use parameterized queries:

pool.query('SELECT * FROM users WHERE email = $1', [email])

Error Handling:

Missing try/catch — any DB error will crash the process
Return 401 (not 400) on invalid credentials to avoid leaking whether the email exists

Style: Extract auth logic into a service layer — route handler should be <20 lines.

You

Review my Celery task that processes uploaded images — resizes and uploads to S3. Seeing 300MB+ memory spikes in prod on large files.

Agent

Root Cause of Memory Spikes:

You're loading the full file into memory with image_data = file.read() before passing to Pillow. A 20MB RAW upload decodes to a ~100MB bitmap, allocating ~300MB per worker.

Fix — stream with Pillow's lazy loading:

from PIL import Image
import io

def resize_image(s3_key: str, width: int, height: int):
    obj = s3.get_object(Bucket=BUCKET, Key=s3_key)
    with Image.open(obj['Body']) as img:
        img.thumbnail((width, height), Image.LANCZOS)
        buf = io.BytesIO()
        img.save(buf, format=img.format or 'JPEG', optimize=True)
        buf.seek(0)
        s3.upload_fileobj(buf, BUCKET, f'resized/{s3_key}')

Other issues found:

No @app.task(bind=True, max_retries=3) — transient S3 errors silently fail
Missing autospec=True in test mocks — won't catch signature drift
JPEG quality defaults to 75; make quality a task parameter for flexibility

Expected savings: ~85% memory reduction — Pillow decodes lazily, buffer holds only the resized output.

You

Review this Go middleware that does auth token validation, rate limiting (100 req/min per IP), and request logging. Is the rate limiter goroutine-safe?

Agent

Data Race — Critical:

Your map[string]*RateLimiter is read and written from concurrent goroutines without synchronization. This is an undefined-behavior data race detectable with go test -race:

// UNSAFE
if rl, ok := limiters[ip]; ok { ... }
limiters[ip] = newLimiter()

Fix — use a sync.RWMutex:

var (
    mu       sync.RWMutex
    limiters = make(map[string]*rate.Limiter)
)

func getLimiter(ip string) *rate.Limiter {
    mu.RLock()
    rl, ok := limiters[ip]
    mu.RUnlock()
    if !ok {
        mu.Lock()
        rl = rate.NewLimiter(rate.Every(time.Minute/100), 100)
        limiters[ip] = rl
        mu.Unlock()
    }
    return rl
}

Memory leak: The limiter map grows unbounded — add a cleanup ticker every 5 minutes evicting entries where time.Since(lastSeen) > 10*time.Minute.

Auth bug: You're not checking err from jwt.ParseWithClaims before using claims — nil dereference panic on a malformed token.

Logging: Log X-Request-ID alongside IP for distributed tracing support.

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Best

Claude Opus 4 Claude Sonnet 4 GPT-4.1 Gemini 2.5 Pro Grok 3 Kimi K2

Good

Claude Haiku 4.5 GPT-4.1 mini Gemini 2.5 Flash Grok 3 mini

Larger models produce more detailed, production-ready outputs.

Context Window

This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.

8K Skill only

32K+ Skill + conversation

100K+ Skill + references + codebase

All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.

Pro tips for best results

1

Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2

Share constraints

Compliance needs, team size, and existing stack all improve the output.

3

Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4

Combine skills

Pair with companion skills below for end-to-end coverage.

Ready to try Code Reviewer?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.

$skillfish add ~skills/code-reviewer

← Browse all 169 skills

Code Reviewer

Real Conversations

Get Started

Claude Code, OpenCode, or any CLI agent

Cursor, Windsurf, or IDE-based agents

Claude.ai, ChatGPT, Gemini, or any web AI

Models & Context

Recommended Models

Context Window

Pro tips for best results

Ready to try Code Reviewer?