Conducts multi-axis code review to assess code quality across correctness, readability, architecture, security, and performance before merging changes.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versioncode-review-and-qualityExecute the skills CLI command in your project's root directory to begin installation:
Fetches code-review-and-quality from OWNER/REPO and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate code-review-and-quality. Access via /code-review-and-quality in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Use skill to generate boilerplate code, refactor legacy code, and write tests faster
Example
Generate React component with TypeScript types, styled-components, and comprehensive test suite in minutes
Reduce development time by 40-60% for repetitive coding tasks
Systematically review code for bugs, security issues, and style violations
Example
Analyze pull requests for common anti-patterns, suggest performance improvements, flag security vulnerabilities
Catch 70%+ of code issues before human review, improve code quality
Trace errors through stack traces and identify root causes faster
Example
Analyze error logs, suggest probable causes, recommend fixes with code examples
0
total installs
0
this week
0
upvotes
Run in your terminal
0
installs
0
this week
—
stars
| name | code-review-and-quality |
| description | Conducts multi-axis code review. Use before merging any change. Use when reviewing code written by yourself, another agent, or a human. Use when you need to assess code quality across multiple dimensions before it enters the main branch. |
Multi-dimensional code review with quality gates. Every change gets reviewed before merge — no exceptions. Review covers five axes: correctness, readability, architecture, security, and performance.
The approval standard: Approve a change when it definitely improves overall code health, even if it isn't perfect. Perfect code doesn't exist — the goal is continuous improvement. Don't block a change because it isn't exactly how you would have written it. If it improves the codebase and follows the project's conventions, approve it.
Every review evaluates code across these dimensions:
Does the code do what it claims to do?
Can another engineer (or agent) understand this code without the author explaining it?
temp, data, result without context)_unused), backwards-compat shims, or // removed comments?Does the change fit the system's design?
For detailed security guidance, see security-and-hardening. Does the change introduce vulnerabilities?
For detailed profiling and optimization, see performance-optimization. Does the change introduce performance problems?
Small, focused changes are easier to review, faster to merge, and safer to deploy. Target these sizes:
~100 lines changed → Good. Reviewable in one sitting.
~300 lines changed → Acceptable if it's a single logical change.
~1000 lines changed → Too large. Split it.
What counts as "one change": A single self-contained modification that addresses one thing, includes related tests, and keeps the system functional after submission. One part of a feature — not the whole feature.
Splitting strategies when a change is too large:
| Strategy | How | When |
|---|---|---|
| Stack | Submit a small change, start the next one based on it | Sequential dependencies |
| By file group | Separate changes for groups needing different reviewers | Cross-cutting concerns |
| Horizontal | Create shared code/stubs first, then consumers | Layered architecture |
| Vertical | Break into smaller full-stack slices of the feature | Feature work |
When large changes are acceptable: Complete file deletions and automated refactoring where the reviewer only needs to verify intent, not every line.
Separate refactoring from feature work. A change that refactors existing code and adds new behavior is two changes — submit them separately. Small cleanups (variable renaming) can be included at reviewer discretion.
Every change needs a description that stands alone in version control history.
First line: Short, imperative, standalone. "Delete the FizzBuzz RPC" not "Deleting the FizzBuzz RPC." Must be informative enough that someone searching history can understand the change without reading the diff.
Body: What is changing and why. Include context, decisions, and reasoning not visible in the code itself. Link to bug numbers, benchmark results, or design docs where relevant. Acknowledge approach shortcomings when they exist.
Anti-patterns: "Fix bug," "Fix build," "Add patch," "Moving code from A to B," "Phase 1," "Add convenience functions."
Before looking at code, understand the intent:
- What is this change trying to accomplish?
- What spec or task does it implement?
- What is the expected behavior change?
Tests reveal intent and coverage:
- Do tests exist for the change?
- Do they test behavior (not implementation details)?
- Are edge cases covered?
- Do tests have descriptive names?
- Would the tests catch a regression if the code changed?
Walk through the code with the five axes in mind:
For each file changed:
1. Correctness: Does this code do what the test says it should?
2. Readability: Can I understand this without help?
3. Architecture: Does this fit the system?
4. Security: Any vulnerabilities?
5. Performance: Any bottlenecks?
Label every comment with its severity so the author knows what's required vs optional:
| Prefix | Meaning | Author Action |
|---|---|---|
| (no prefix) | Required change | Must address before merge |
| Critical: | Blocks merge | Security vulnerability, data loss, broken functionality |
| Nit: | Minor, optional | Author may ignore — formatting, style preferences |
| Optional: / Consider: | Suggestion | Worth considering but not required |
| FYI | Informational only | No action needed — context for future reference |
This prevents authors from treating all feedback as mandatory and wasting time on optional suggestions.
Check the author's verification story:
- What tests were run?
- Did the build pass?
- Was the change tested manually?
- Are there screenshots for UI changes?
- Is there a before/after comparison?
Use different models for different review perspectives:
Model A writes the code
│
▼
Model B reviews for correctness and architecture
│
▼
Model A addresses the feedback
│
▼
Human makes the final call
This catches issues that a single model might miss — different models have different blind spots.
Example prompt for a review agent:
Review this code change for correctness, security, and adherence to
our project conventions. The spec says [X]. The change should [Y].
Flag any issues as Critical, Important, or Suggestion.
After any refactoring or implementation change, check for orphaned code:
Don't leave dead code lying around — it confuses future readers and agents. But don't silently delete things you're not sure about. When in doubt, ask.
DEAD CODE IDENTIFIED:
- formatLegacyDate() in src/utils/date.ts — replaced by formatDate()
- OldTaskCard component in src/components/ — replaced by TaskCard
- LEGACY_API_URL constant in src/config.ts — no remaining references
→ Safe to remove these?
Slow reviews block entire teams. The cost of context-switching to review is less than the waiting cost imposed on others.
When resolving review disputes, apply this hierarchy:
Don't accept "I'll clean it up later." Experience shows deferred cleanup rarely happens. Require cleanup before submission unless it's a genuine emergency. If surrounding issues can't be addressed in this change, require filing a bug with self-assignment.
When reviewing code — whether written by you, another agent, or a human:
Part of code review is dependency review:
Before adding any dependency:
npm audit)Rule: Prefer standard library and existing utilities over new dependencies. Every dependency is a liability.
## Review: [PR/Change title]
### Context
- [ ] I understand what this change does and why
### Correctness
- [ ] Change matches spec/task requirements
- [ ] Edge cases handled
- [ ] Error paths handled
- [ ] Tests cover the change adequately
### Readability
- [ ] Names are clear and consistent
- [ ] Logic is straightforward
- [ ] No unnecessary complexity
### Architecture
- [ ] Follows existing patterns
- [ ] No unnecessary coupling or dependencies
- [ ] Appropriate abstraction level
### Security
- [ ] No secrets in code
- [ ] Input validated at boundaries
- [ ] No injection vulnerabilities
- [ ] Auth checks in place
- [ ] External data sources treated as untrusted
### Performance
- [ ] No N+1 patterns
- [ ] No unbounded operations
- [ ] Pagination on list endpoints
### Verification
- [ ] Tests pass
- [ ] Build succeeds
- [ ] Manual verification done (if applicable)
### Verdict
- [ ] **Approve** — Ready to merge
- [ ] **Request changes** — Issues must be addressed
references/security-checklist.mdreferences/performance-checklist.md| Rationalization | Reality |
|---|---|
| "It works, that's good enough" | Working code that's unreadable, insecure, or architecturally wrong creates debt that compounds. |
| "I wrote it, so I know it's correct" | Authors are blind to their own assumptions. Every change benefits from another set of eyes. |
| "We'll clean it up later" | Later never comes. The review is the quality gate — use it. Require cleanup before merge, not after. |
| "AI-generated code is probably fine" | AI code needs more scrutiny, not less. It's confident and plausible, even when wrong. |
| "The tests pass, so it's good" | Tests are necessary but not sufficient. They don't catch architecture problems, security issues, or readability concerns. |
After review is complete:
Cut debugging time by 30-50%, especially for unfamiliar codebases
Get explanations, examples, and best practices for unfamiliar frameworks
Example
Understand Next.js app router, learn Rust ownership, grasp Kubernetes concepts with practical examples
Accelerate learning curve by 2-3x, reduce onboarding time for new tech stacks
Prerequisites
Time Estimate
15-30 minutes to install and see first useful output
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use coding skills for boilerplate generation, code reviews, refactoring legacy code, writing tests, learning new frameworks, and debugging non-critical issues. Best for repetitive tasks where errors are easy to catch.
✗ Avoid when
Avoid for production security features (auth, encryption, payment processing), complex business logic requiring deep domain knowledge, performance-critical algorithms, or when learning fundamentals is more valuable than speed.
shadcn/improve
wispbit-ai/skills
awesome-skills/code-review-skill
mattpocock/skills
asyrafhussin/agent-skills
flutter/skills
code-review-and-quality fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
We added code-review-and-quality from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: code-review-and-quality is the kind of skill you can hand to a new teammate without a long onboarding doc.
code-review-and-quality has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend code-review-and-quality for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: code-review-and-quality is focused, and the summary matches what you get after install.
Registry listing for code-review-and-quality matched our evaluation — installs cleanly and behaves as described in the markdown.
code-review-and-quality fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
code-review-and-quality reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added code-review-and-quality from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 46