How do I install code-review-quality?

Run `npx skills add https://github.com/proffesor-for-testing/agentic-qe --skill code-review-quality` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does code-review-quality support?

code-review-quality works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is code-review-quality free to use?

Yes. code-review-quality is free to install and use. It is available from the open Skills registry published by proffesor-for-testing.

Productivity

code-review-quality▌

Name: code-review-quality
Availability: InStock
Author: proffesor-for-testing

proffesor-for-testing/agentic-qe · updated Apr 8, 2026

$npx skills add https://github.com/proffesor-for-testing/agentic-qe --skill code-review-quality

summary

Context-driven code reviews prioritizing quality, security, testability, and maintainability.

›Organizes feedback into four priority levels: blockers (must fix), major issues (should fix), minor improvements, and suggestions, with clear templates and rationale for each
›Covers five core review areas: logic correctness, security risks, test coverage, performance issues, and error handling; explicitly excludes style nitpicking and formatting
›Recommends reviewing code in chunks under 400

skill.md

Code Review Quality

<default_to_action> When reviewing code or establishing review practices:

PRIORITIZE feedback: 🔴 Blocker (must fix) → 🟡 Major → 🟢 Minor → 💡 Suggestion
FOCUS on: Bugs, security, testability, maintainability (not style preferences)
ASK questions over commands: "Have you considered...?" > "Change this to..."
PROVIDE context: Why this matters, not just what to change
LIMIT scope: Review < 400 lines at a time for effectiveness

Quick Review Checklist:

Logic: Does it work correctly? Edge cases handled?
Security: Input validation? Auth checks? Injection risks?
Testability: Can this be tested? Is it tested?
Maintainability: Clear naming? Single responsibility? DRY?
Performance: O(n²) loops? N+1 queries? Memory leaks?

Critical Success Factors:

Review the code, not the person
Catching bugs > nitpicking style
Fast feedback (< 24h) > thorough feedback </default_to_action>

Quick Reference Card

When to Use

PR code reviews
Pair programming feedback
Establishing team review standards
Mentoring developers

Feedback Priority Levels

Level	Icon	Meaning	Action
Blocker	🔴	Bug/security/crash	Must fix before merge
Major	🟡	Logic issue/test gap	Should fix before merge
Minor	🟢	Style/naming	Nice to fix
Suggestion	💡	Alternative approach	Consider for future

Review Scope Limits

Lines Changed	Recommendation
< 200	Single review session
200-400	Review in chunks
> 400	Request PR split

What to Focus On

✅ Review	❌ Skip
Logic correctness	Formatting (use linter)
Security risks	Naming preferences
Test coverage	Architecture debates
Performance issues	Style opinions
Error handling	Trivial changes

Feedback Templates

Blocker (Must Fix)

🔴 **BLOCKER: SQL Injection Risk**

This query is vulnerable to SQL injection:
```javascript
db.query(`SELECT * FROM users WHERE id = ${userId}`)

Fix: Use parameterized queries:

db.query('SELECT * FROM users WHERE id = ?', [userId])

Why: User input directly in SQL allows attackers to execute arbitrary queries.


### Major (Should Fix)
```markdown
🟡 **MAJOR: Missing Error Handling**

What happens if `fetchUser()` throws? The error bubbles up unhandled.

**Suggestion:** Add try/catch with appropriate error response:
```javascript
try {
  const user = await fetchUser(id);
  return user;
} catch (error) {
  logger.error('Failed to fetch user', { id, error });
  throw new NotFoundError('User not found');
}


### Minor (Nice to Fix)
```markdown
🟢 **minor:** Variable name could be clearer

`d` doesn't convey meaning. Consider `daysSinceLastLogin`.

Suggestion (Consider)

💡 **suggestion:** Consider extracting this to a helper

This validation logic appears in 3 places. A `validateEmail()` helper would reduce duplication. Not blocking, but might be worth a follow-up PR.

Review Questions to Ask

Logic

What happens when X is null/empty/negative?
Is there a race condition here?
What if the API call fails?

Security

Is user input validated/sanitized?
Are auth checks in place?
Any secrets or PII exposed?

Testability

How would you test this?
Are dependencies injectable?
Is there a test for the happy path? Edge cases?

Maintainability

Will the next developer understand this?
Is this doing too many things?
Is there duplication we could reduce?

Minimum Findings Enforcement

Reviews must meet a minimum weighted finding score of 3.0 (CRITICAL=3, HIGH=2, MEDIUM=1, LOW=0.5, INFORMATIONAL=0.25). If the initial review falls short, run the qe-devils-advocate agent as a meta-reviewer to find additional observations. Every review should have at least 3 actionable observations.

Agent-Assisted Reviews

// Comprehensive code review
await Task("Code Review", {
  prNumber: 123,
  checks: ['security', 'performance', 'testability', 'maintainability'],
  feedbackLevels: ['blocker', 'major', 'minor'],
  autoApprove: { maxBlockers: 0, maxMajor: 2 }
}, "qe-quality-analyzer");

// Security-focused review
await Task("Security Review", {
  prFiles: changedFiles,
  scanTypes: ['injection', 'auth', 'secrets', 'dependencies']
}, "qe-security-scanner");

// Test coverage review
await Task("Coverage Review", {
  prNumber: 123,
  requireNewTests: true,
  minCoverageDelta: 0
}, "qe-coverage-analyzer");

Agent Coordination Hints

Memory Namespace

aqe/code-review/
├── review-history/*     - Past review decisions
├── patterns/*           - Common issues by team/repo
├── feedback-templates/* - Reusable feedback
└── metrics/*            - Review turnaround time

Fleet Coordination

const reviewFleet = await FleetManager.coordinate({
  strategy: 'code-review',
  agents: [
    'qe-quality-analyzer',    // Logic, maintainability
    'qe-security-scanner',    // Security risks
    'qe-performance-tester',  // Performance issues
    'qe-coverage-analyzer'    // Test coverage
  ],
  topology: 'parallel'
});

Review Etiquette

✅ Do	❌ Don't
"Have you considered...?"	"This is wrong"
Explain why it matters	Just say "fix this"
Acknowledge good code	Only point out negatives
Suggest, don't demand	Be condescending
Review < 400 lines	Review 2000 lines at once

Related Skills

agentic-quality-engineering - Agent coordination
security-testing - Security review depth
refactoring-patterns - Maintainability patterns

Remember

Prioritize feedback: 🔴 Blocker → 🟡 Major → 🟢 Minor → 💡 Suggestion. Focus on bugs and security, not style. Ask questions, don't command. Review < 400 lines at a time. Fast feedback (< 24h) beats thorough feedback.

With Agents: Agents automate security, performance, and coverage checks, freeing human reviewers to focus on logic and design. Use agents for consistent, fast initial review.

Skill Composition

Security concerns → Compose with /security-testing for security-focused review
Coverage check → Run /qe-coverage-analysis on changed files
Ship decision → Feed review results into /qe-quality-assessment

Gotchas

Agent reviews >400 lines at once and misses issues — chunk reviews to 200-400 lines maximum
Nitpicking style while missing logic bugs is the #1 agent review failure — prioritize correctness over formatting
Agent approves code that compiles but has subtle race conditions — always check shared state and async patterns
Review comments without suggested fixes are unhelpful — always include a proposed alternative
Agent doesn't check if the PR actually solves the linked issue — verify the stated problem is actually fixed