code-review

# Code Review
## Overview
Review code for security, correctness, and quality. Runs in isolated code-reviewer context with pre-loaded standards.
Announce at start: "I'm using the code-review skill to validate [files/feature]."
## The Process
### Step 1: Pre-Load Context (Main Agent)
Load standards BEFORE invoking review:
```bash
Read: .opencode/context/core/standards/code-quality.md
Read: .opencode/context/core/standards/security-patterns.md
```

### Step 2: Invoke Review
```bash
/code-review path/to/file.ts
/code-review src/auth/*.ts
/code-review $(git diff --name-only HEAD~1)
```

### Step 3: Analyze Report
Code-reviewer returns structured findings:
````markdown
# Code Review: Auth Service

## 🔴 CRITICAL (Must Fix)

- SQL Injection Risk — src/db/query.ts:42
  - Problem: Unparameterized query with user input
  - Risk: Database compromise
  - Fix:
    ```diff
    - db.query(`SELECT * FROM users WHERE id = ${userId}`)
    + db.query('SELECT * FROM users WHERE id = ?', [userId])
    ```

## 🟠 HIGH (Correctness)

- Missing Error Handling — src/auth/service.ts:28
  - Problem: Async function without try/catch
  - Risk: Unhandled promise rejection
  - Fix: Wrap in try/catch with proper logging

## 🟡 MEDIUM (Style)

- Naming Convention — src/auth/middleware.ts:15
  - Problem: snake_case instead of camelCase
  - Fix: Rename verify_token → verifyToken

## Summary

Total Issues: 3 (1 Critical, 1 High, 1 Medium)
Recommendation: REQUEST CHANGES
````
### Step 4: Take Action
If CRITICAL or HIGH issues:
- STOP—do not commit
- Fix issues using suggested diffs
- Re-run `/code-review` to verify
- Proceed only when clean
If only MEDIUM or LOW issues:
- Evaluate whether to fix now or later
- Apply quality improvements
- Safe to commit
If no issues:
- Commit with confidence
- Note positive patterns
## Review Checks
🔴 CRITICAL (Security):
- SQL injection, XSS, command injection
- Hardcoded credentials or secrets
- Path traversal, auth bypass
🟠 HIGH (Correctness):
- Missing error handling
- Type mismatches
- Null/undefined gaps
- Logic errors, race conditions
🟡 MEDIUM (Maintainability):
- Naming violations
- Code duplication
- Poor organization
🟢 LOW (Suggestions):
- Performance optimizations
- Documentation improvements
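The following JavaScript is an added example, not code from the code-review skill or the code-reviewer agent. It sketches what the Review Checks above, the Problem / Risk / Fix report shape from Step 3, and the commit gate from Step 4 look like when written down as code: a few heuristic pattern checks run over a constructed TypeScript file, findings ordered CRITICAL to LOW, and a recommendation that blocks on CRITICAL or HIGH and comes back APPROVE once the fixed file is re-reviewed. Everything in it is an assumption for illustration: the regexes (which are far weaker than a real SAST engine), the `reviewSource`, `recommend` and `findUnguardedAsync` names, the sample source, the `logger` module and `process.env.DEV_TOKEN` in the fixed sample.

```javascript
// Added example, not the skill's own code: a heuristic reviewer over a constructed
// TypeScript file, producing Step 3 style findings and applying the Step 4 gate.
const SEVERITY_RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };

// A string built from variables: template interpolation `...${x}` or '...' + x.
const TAINTED_LITERAL = "(`[^`]*\\$\\{|['\"][^'\"]*['\"]\\s*\\+)";

// Line-level checks taken from the Review Checks list; regexes are illustrative.
const LINE_CHECKS = [
  { name: "SQL Injection Risk", severity: "CRITICAL",
    pattern: new RegExp("\\.query\\(\\s*" + TAINTED_LITERAL),
    problem: "Unparameterized query with user input", risk: "Database compromise",
    fix: "Use a placeholder and pass the value as a bound parameter" },
  { name: "Command Injection Risk", severity: "CRITICAL",
    pattern: new RegExp("\\bexec(Sync)?\\(\\s*" + TAINTED_LITERAL),
    problem: "Shell command assembled from user input", risk: "Arbitrary command execution",
    fix: "Use execFile with an argument array instead of a shell string" },
  { name: "Hardcoded Secret", severity: "CRITICAL",
    pattern: /\b(password|secret|api[_-]?key|token)\b\s*[:=]{1,3}\s*['"`][^'"`]{8,}['"`]/i,
    problem: "Credential committed in source", risk: "Exposed to anyone with repo access",
    fix: "Load it from the environment or a secrets manager, then rotate it" },
  { name: "Naming Convention", severity: "MEDIUM",
    pattern: /\bfunction\s+[a-z]+_[a-z_]+\s*\(/,
    problem: "snake_case instead of camelCase", risk: "Inconsistent with project style",
    fix: "Rename the function to camelCase" },
];

// Multi-line check: an async function whose body never opens a try block. Counts
// braces from the opening line to its match; fine for the sample, not all syntax.
function findUnguardedAsync(lines) {
  const ASYNC_FN = /\basync\s+(function\b|\w+\s*\(|\()/;
  const findings = [];
  for (let start = 0; start < lines.length; start++) {
    if (!ASYNC_FN.test(lines[start])) continue;
    let depth = 0, opened = false, hasTry = false;
    for (let i = start; i < lines.length; i++) {
      if (/\btry\b/.test(lines[i])) hasTry = true;
      for (const ch of lines[i]) {
        if (ch === "{") { depth += 1; opened = true; } else if (ch === "}") depth -= 1;
      }
      if (opened && depth === 0) break;
    }
    if (!hasTry) {
      findings.push({ name: "Missing Error Handling", severity: "HIGH", line: start + 1,
        problem: "Async function without try/catch", risk: "Unhandled promise rejection",
        fix: "Wrap the awaited call in try/catch and log the failure with context" });
    }
  }
  return findings;
}

// Review one file: run every check, then order CRITICAL -> LOW and by line.
function reviewSource(file, source) {
  const lines = source.split("\n");
  const findings = findUnguardedAsync(lines);
  lines.forEach((text, idx) => {
    for (const c of LINE_CHECKS) {
      if (!c.pattern.test(text)) continue;
      findings.push({ name: c.name, severity: c.severity, line: idx + 1,
        problem: c.problem, risk: c.risk, fix: c.fix });
    }
  });
  findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line);
  return findings.map((f) => ({ file, ...f }));
}

// Step 4 gate: CRITICAL or HIGH blocks the commit; MEDIUM and LOW are advisory.
function recommend(findings) {
  const blocking = findings.some((f) => SEVERITY_RANK[f.severity] <= SEVERITY_RANK.HIGH);
  return blocking ? "REQUEST CHANGES" : findings.length ? "COMMENT" : "APPROVE";
}

// Constructed sample input (not from any real project) with one issue per class.
const SAMPLE_FILE = "src/auth/service.ts";
const SAMPLE_SOURCE = [
  "export async function loadUser(userId: string) {",
  "  return await db.query(`SELECT * FROM users WHERE id = ${userId}`);",
  "}",
  "export function verify_token(token: string): boolean {",
  "  return token === 'static-dev-token-000';",
  "}",
].join("\n");

// After the suggested fixes the re-review must be clean (`logger` is a stand-in).
const FIXED_SOURCE = [
  "export async function loadUser(userId: string) {",
  "  try {",
  "    return await db.query('SELECT * FROM users WHERE id = ?', [userId]);",
  "  } catch (err) {",
  "    logger.error('loadUser failed', { userId, err });",
  "    throw err;",
  "  }",
  "}",
  "export function verifyToken(token: string): boolean {",
  "  return token === process.env.DEV_TOKEN;",
  "}",
].join("\n");

console.log(recommend(reviewSource(SAMPLE_FILE, SAMPLE_SOURCE))); // REQUEST CHANGES
console.log(recommend(reviewSource(SAMPLE_FILE, FIXED_SOURCE)));  // APPROVE
```

Two design points carry over to the real skill: findings are sorted before anything else happens, so the first item a reader sees is always the most severe, and the gate looks only at severity, never at the count, so a single CRITICAL blocks as surely as ten. No LOW check is defined in this sketch, so that bucket stays empty; the `{ ... }` brace counting in `findUnguardedAsync` is also fooled by braces inside string literals, which is one reason a real review relies on a parser rather than regexes.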
## Error Handling
Review fails:
- Ensure context files pre-loaded
Too many findings:
- Fix CRITICAL first, then re-review
Unclear findings:
- Request clarification in report
## Red Flags
If you think any of these, STOP and re-read this skill:
- "The code looks fine, a review is overkill"
- "I wrote it, I know it's correct"
- "We're in a hurry, we can review later"
- "It's a small change, no security risk"
## Common Rationalizations
| Excuse | Reality |
|---|---|
| "I just wrote it so I know it's right" | The author is the worst reviewer. Fresh eyes catch what familiarity hides. |
| "It's a small change" | Security vulnerabilities are almost always in small, "obvious" changes. |
| "We can review after merging" | Post-merge review finds bugs in production. Pre-merge review finds them for free. |
| "There's no user input so no injection risk" | Internal data becomes user input when requirements change. Review now. |
## Remember
- Pre-load standards BEFORE invoking review
- CRITICAL and HIGH issues BLOCK commits
- Apply suggested fixes with code diffs
- Re-review after fixing blocking issues
- Review does NOT modify code—only suggests changes
- Review does NOT run tests—use test-generation for that
## Related
- context-discovery
- code-execution
- test-generation
Task: Review the following files: $ARGUMENTS
Instructions for code-reviewer subagent:
- Read all files in $ARGUMENTS
- Apply pre-loaded standards (code quality, security, conventions)
- Scan for: Security (HIGHEST PRIORITY) → Correctness → Style → Performance
- Structure findings by severity: CRITICAL → HIGH → MEDIUM → LOW
- For each finding: Problem + Risk + Suggested fix with diff
- Include positive observations
- Return recommendation: APPROVE | REQUEST CHANGES | COMMENT