Agent skill

code-review

Use when reviewing code. Triggers: 'review my code', 'check my work', 'look over this', 'review PR #X', 'PR comments to address', 'reviewer said', 'address feedback', 'self-review before PR', 'audit this code'. For heavyweight multi-phase analysis, use advanced-code-review instead.

View SKILL.md on GitHub Repository
Stars 5
Forks 2

Install this agent skill to your Project

npx add-skill https://github.com/axiomantic/spellbook/tree/main/skills/code-review

SKILL.md

Code Review

Invariant Principles

  1. Evidence Over Assertion - Every finding needs file:line reference
  2. Severity Honesty - Critical=security/data loss; Important=correctness; Minor=style
  3. Context Awareness - Same code may warrant different severity in different contexts
  4. Respect Time - False positives erode trust; prioritize signal

Inputs

Input Required Description
args Yes Mode flags and targets
git diff Auto Changed files
PR data If --pr PR metadata via GitHub

Outputs

Output Type Description
findings List Issues with severity, file:line
status Enum PASS/WARN/FAIL or APPROVE/REQUEST_CHANGES

Mode Router

Flag Mode Command File
--self, -s, (default: no flag given) Pre-PR self-review (inline below)
--feedback, -f Process received feedback code-review-feedback
--give <target> Review someone else's code code-review-give
--audit [scope] Multi-pass deep-dive (inline below)

Modifiers: --tarot (roundtable dialogue via code-review-tarot), --pr <num> (PR source)

MCP Tool Integration

Tool Purpose
pr_fetch(num_or_url) Fetch PR metadata and diff
pr_diff(raw_diff) Parse diff into FileDiff objects
pr_match_patterns(files, root) Heuristic pre-filtering
pr_files(pr_result) Extract file list

MCP tools for read/analyze. gh CLI for write operations (posting reviews, replies). Fallback: MCP unavailable -> gh CLI -> local diff -> manual paste.

Self Mode (--self)

Workflow:

  1. Get diff: git diff $(git merge-base origin/main HEAD)..HEAD
  2. Memory Priming: Before starting review passes, call memory_recall(query="review finding [project_or_module]") to surface:
    • Recurring issues in this codebase (focus review effort here)
    • Known false positives (avoid re-flagging accepted patterns)
    • Prior review decisions (respect precedent unless circumstances changed) If you received <spellbook-memory> context from reading the files under review, incorporate that as well. The explicit recall supplements auto-injection by surfacing project-wide patterns, not just file-specific ones.
  3. Multi-pass: Logic > Integration > Security > Style
  4. Generate findings with severity, file:line, description

Example finding: src/auth/login.py:42 [Critical] Token written to log — data exposure risk

  1. Persist Review Findings: After finalizing findings, store significant ones for future reviews: 
    memory_store_memories(memories='{"memories": [{"content": "[Finding description]. Severity: [level]. Status: [confirmed/false_positive/deferred].", "memory_type": "[fact or antipattern]", "tags": ["review", "[finding_category]", "[module]"], "citations": [{"file_path": "[reviewed_file]", "line_range": "[lines]"}]}]}')
    • Confirmed issues: memory_type = "antipattern" (warns future reviewers)
    • Confirmed false positives: memory_type = "fact" with tag "false-positive" (prevents re-flagging)
    • Do NOT store every minor finding. Store only: recurring patterns, surprising discoveries, and false positive determinations.
  2. Gate: Critical=FAIL, Important=WARN, Minor only=PASS

Audit Mode (--audit [scope])

Scopes: (none)=branch changes, file.py, dir/, security, all

Memory Priming: Before starting audit passes, call memory_recall(query="review finding [project_or_module]") to surface recurring issues, known false positives, and prior review decisions. Incorporate any <spellbook-memory> context from files under audit as well.

Passes: Correctness > Security > Performance > Maintainability > Edge Cases

API Hallucination Detection (Correctness Pass):

During the Correctness pass, check for API hallucination patterns:

  • Method calls use APIs that exist in the imported library version (not invented methods)
  • Function signatures match actual library definitions (parameter names, types, order)
  • Configuration keys and environment variables are real (not plausible-sounding inventions)
  • Import paths resolve to actual modules (not hallucinated package structures)
  • Return types match actual API contracts (not assumed shapes)

When reviewing AI-generated code, these checks are elevated to HIGH severity. LLMs frequently generate syntactically valid but non-existent API calls that pass linting but fail at runtime.

Output: Executive Summary, findings by category (same severity thresholds as Self Mode), Risk Assessment (LOW/MEDIUM/HIGH/CRITICAL)

Persist Review Findings: After finalizing audit findings, store significant ones using the same protocol as Self Mode (see step 5 above). Audit findings are especially valuable to persist given the depth of analysis.

Self-Check

  • Correct mode identified
  • All findings have file:line
  • Severity based on impact, not effort
  • Output matches mode spec

<FINAL_EMPHASIS> Every finding without file:line is noise. Every severity inflated by effort is a lie. Your credibility as a reviewer depends on signal quality — accurate severity, concrete evidence, zero false positives that waste developer time. </FINAL_EMPHASIS>

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

axiomantic/spellbook

spellbook-auditing

Meta-audit skill for spellbook development. Spawns parallel subagents to factcheck docs, optimize instructions, find token savings, and identify MCP candidates. Produces actionable report.

5 2
Explore
axiomantic/spellbook

documentation-updates

Use after modifying library skills, library commands, or agents to ensure CHANGELOG, README, and docs are updated

5 2
Explore
axiomantic/spellbook

project-encyclopedia

[DEPRECATED] Use project-level AGENTS.md files instead. Previously used for first-session codebase onboarding and persistent glossary creation.

5 2
Explore
axiomantic/spellbook

reviewing-impl-plans

Use when reviewing implementation plans before execution. Triggers: 'is this plan solid', 'review the plan', 'check before I start building', 'anything missing from this plan', 'will this plan work', 'audit the implementation plan'. NOT for: reviewing design documents (use reviewing-design-docs) or creating plans (use writing-plans).

5 2
Explore
axiomantic/spellbook

session-resume

Session resume protocol and session repairs handling. Loaded when spellbook_session_init returns resume_available: true, or when session_init returns a repairs array. Triggers: 'resume', 'continue', 'where were we', session resume, session repairs.

5 2
Explore
axiomantic/spellbook

brainstorming

Use when exploring design approaches, generating ideas, or making architectural decisions. Triggers: 'explore options', 'what are the tradeoffs', 'how should I approach', 'let's think through', 'sketch out an approach', 'I need ideas for', 'how would you structure', 'what are my options'. Also invoked by develop when design decisions are needed.

5 2
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results