Reviewing Claude Configuration
Instructions
IMPORTANT: Use structured thinking throughout your review process. Plan your analysis before providing feedback. This improves accuracy and catches critical security issues.
Step 1: Detect File Type
<thinking>
Analyze the changed files:
1. Which .claude files were modified?
2. What file types? (CLAUDE.md, skills, agents, prompts, commands, settings)
3. Are there immediate security concerns?
4. What's the review scope (single file or multiple)?
</thinking>
Determine the primary file type(s) being reviewed:
Detection Rules:
- Agents: Changes to or
- Skills: Changes to files or skill support files (checklists, references, examples)
- CLAUDE.md: Changes to files (any location: project root, , or subdirectories)
- Prompts/Commands: Changes to or
- Settings: Changes to or
.claude/settings.local.json
If multiple types modified, review each with appropriate checklist.
Step 2: Execute Security Scan (ALWAYS)
<thinking>
Security first, regardless of file type:
1. Is settings.local.json committed to git?
2. Any hardcoded secrets (passwords, tokens, API keys)?
3. Are permissions appropriately scoped (if settings modified)?
4. Any suspicious patterns in changed files?
</thinking>
CRITICAL CHECKS (perform for ALL Claude config reviews):
Run these mental checks immediately:
If ANY security issue found: Flag as CRITICAL immediately, stop and report.
Consult
reference/security-patterns.md
for detailed security checks and detection commands.
Step 3: Load Appropriate Checklist
Based on detected file type, read and follow the relevant checklist:
- Agents → (YAML, tool access security, model selection, system prompts)
- Skills → (structure, YAML, progressive disclosure, quality)
- CLAUDE.md → (clarity, references, no duplication)
- Prompts/Commands → (purpose, session context, skill references)
- Settings → (security, permissions scoping)
The checklist provides:
- Multi-pass review strategy
- What to check and what to skip
- Structured thinking guidance
- Common issues and red flags
Step 4: Consult Reference Materials As Needed
<thinking>
When to load references:
1. Need to classify issue priority? → priority-framework.md
2. Security patterns unclear? → security-patterns.md
3. Claude Code requirements (YAML, tools, models, limits)? → claude-code-requirements.md
</thinking>
Load reference files only when needed for specific questions:
- Issue prioritization →
reference/priority-framework.md
- Security patterns →
reference/security-patterns.md
- Claude Code requirements →
reference/claude-code-requirements.md
Step 5: Document Findings
<thinking>
Before writing each comment:
1. Priority level? (Critical/Important/Suggested/Optional)
2. Security issue or quality issue?
3. What's the specific fix or recommendation?
4. What's the rationale (why does this matter)?
5. Is there a reference or documentation link?
</thinking>
This section defines the standard output format for ALL Claude config reviews.
Checklists reference this section rather than duplicating content.
CRITICAL: Use inline comments on specific lines, NOT one large summary comment.
Inline Comment Rules:
- Create separate comment for EACH specific issue on the exact line
- Do NOT create one large summary comment with all issues
- Do NOT update existing comments - always create new comments
- Include specific fix with code example when applicable
- Explain rationale (why this matters)
Comment Format:
**[file:line]** - [PRIORITY]: [Issue description]
[Specific fix with code example if applicable]
[Rationale explaining why this matters]
Reference: [documentation link if applicable]
Example inline comment:
**.claude/skills/my-skill/skill.md:1** - CRITICAL: Missing YAML frontmatter
Skills require YAML frontmatter to be discoverable by Claude Code:
\```yaml
---
name: my-skill
description: Clear description with activation triggers
---
\```
Without frontmatter, the skill won't be recognized by Claude Code.
Reference: Anthropic Skills Documentation
When to use inline vs summary:
- Inline comment: Specific issue, recommendation, or question (use format)
- Summary comment: Overall assessment, recommendation (APPROVE or REQUEST CHANGES)
Load the specific example relevant to your file type (on-demand only, not upfront):
- Agents →
examples/example-agent-review.md
- Skills →
examples/example-skill-review.md
- CLAUDE.md →
examples/example-claude-md-review.md
- Settings →
examples/example-settings-review.md
- Prompts →
examples/example-prompts-review.md
Core Principles
- Security first: Always check for committed settings, secrets, overly broad permissions
- Structure matters: YAML frontmatter, file references, progressive disclosure, line limits
- Quality counts: Clear instructions, examples, proper emphasis, structured thinking
- Token efficiency: Progressive disclosure, appropriate file sizes, on-demand loading
- Actionable feedback: Say what to do and why, not just what's wrong
- Constructive tone: Focus on code/config, not people; explain rationale