code-review
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCode Review Skill
代码审查技能
You are performing a comprehensive code review on a diff. Your task is to analyze the changed code for security vulnerabilities, anti-patterns, and quality issues.
你将对代码差异执行全面审查。你的任务是分析变更代码中的安全漏洞、反模式和质量问题。
Input Model
输入模型
This skill expects a diff to be provided in context before invocation. The caller is responsible for generating the diff.
Example invocations:
- User pastes PR diff, then runs
/code-review - Agent runs , then invokes this skill
git diff HEAD~1 - CI tool provides diff content for review
If no diff is present in context, ask the user to provide one or offer to generate one (e.g., , ).
git diffgit diff main..HEAD调用此技能前,上下文需提供diff。调用方负责生成diff。
调用示例:
- 用户粘贴PR diff,然后运行
/code-review - Agent运行,然后调用此技能
git diff HEAD~1 - CI工具提供diff内容用于审查
如果上下文中没有diff,请要求用户提供,或者主动生成(例如:、)。
git diffgit diff main..HEADDomain Detection
领域检测
Auto-detect which checklists to apply based on directory paths in the diff:
| Directory | Domain | Checklist |
|---|---|---|
| Frontend | Read |
| Backend | Read |
| Backend | Read |
| Backend | Read |
| CLI/Go | Generic checks only |
| Config | Generic checks only |
If the diff spans multiple domains, load all relevant checklists.
根据diff中的目录路径自动检测应应用的检查清单:
| 目录 | 领域 | 检查清单 |
|---|---|---|
| 前端 | 读取 |
| 后端 | 读取 |
| 后端 | 读取 |
| 后端 | 读取 |
| CLI/Go | 仅通用检查 |
| 配置 | 仅通用检查 |
如果diff涉及多个领域,请加载所有相关检查清单。
Review Process
审查流程
Step 1: Parse the Diff
步骤1:解析Diff
Extract from the diff:
- List of changed files
- Changed lines (additions and modifications)
- Detected domains based on file paths
从diff中提取:
- 变更文件列表
- 变更行(新增和修改的内容)
- 根据文件路径检测到的领域
Step 2: Initialize the Review Document
步骤2:初始化审查文档
Create a review document using the temp-files pattern:
bash
SANITIZED_PATH=$(echo "$PWD" | tr '/' '-')
REPORT_DIR="/tmp/claude/${SANITIZED_PATH}/reviews"
mkdir -p "$REPORT_DIR"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
FILEPATH="${REPORT_DIR}/code-review-${TIMESTAMP}.md"Initialize with this schema:
markdown
undefined使用temp-files pattern创建审查文档:
bash
SANITIZED_PATH=$(echo "$PWD" | tr '/' '-')
REPORT_DIR="/tmp/claude/${SANITIZED_PATH}/reviews"
mkdir -p "$REPORT_DIR"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
FILEPATH="${REPORT_DIR}/code-review-${TIMESTAMP}.md"使用以下模板初始化:
markdown
undefinedCode Review Report
代码审查报告
Date: {current date}
Reviewer: Code Review Agent
Source: {e.g., "PR diff", "unstaged changes", "main..HEAD"}
Files Changed: {count}
Domains Detected: {list}
Status: In Progress
日期:{当前日期}
审查者:代码审查Agent
来源:{例如:"PR diff"、"未暂存变更"、"main..HEAD"}
变更文件数:{数量}
检测到的领域:{列表}
状态:进行中
Summary
摘要
| Category | Items Checked | Passed | Failed | Findings |
|---|---|---|---|---|
| Security | 0 | 0 | 0 | 0 |
| Code Quality | 0 | 0 | 0 | 0 |
| LLM Code Smells | 0 | 0 | 0 | 0 |
| Impact Analysis | 0 | 0 | 0 | 0 |
| Simplification | 0 | 0 | 0 | 0 |
| {domain-specific categories added based on detected domains} |
| 分类 | 检查项数量 | 通过 | 未通过 | 发现问题数 |
|---|---|---|---|---|
| 安全 | 0 | 0 | 0 | 0 |
| 代码质量 | 0 | 0 | 0 | 0 |
| LLM代码异味 | 0 | 0 | 0 | 0 |
| 影响分析 | 0 | 0 | 0 | 0 |
| 简化优化 | 0 | 0 | 0 | 0 |
| {根据检测到的领域添加特定分类} |
Detailed Findings
详细问题
{findings added here as review progresses}
undefined{审查过程中添加发现的问题}
undefinedStep 3: Review Changed Code
步骤3:审查变更代码
For EACH checklist item:
- Scope feedback to diff lines only - Only flag issues in the changed code
- Use file context - Read full file content to understand surrounding code
- Apply relevant checks - Use domain-appropriate checklist items
- Document findings - Record each violation found in changed code
Key principle: The diff is what gets reviewed. The rest of the file provides context to make that review accurate.
针对每一项检查清单:
- 仅针对diff行反馈 - 仅标记变更代码中的问题
- 使用文件上下文 - 读取完整文件内容以理解代码背景
- 应用相关检查 - 使用对应领域的检查清单项
- 记录问题 - 记录变更代码中发现的每一项违规
核心原则:仅审查diff内容,文件其余部分仅作为上下文帮助准确审查。
Step 4: Impact Analysis
步骤4:影响分析
Check if the diff might affect other parts of the codebase:
- Changed exports/interfaces - Search for usages elsewhere that may break
- Modified API signatures - Check for callers that need updating
- Altered shared utilities - Look for consumers that may be affected
- Config/schema changes - Find code that depends on old structure
Report any unaccounted-for impacts as findings with severity based on risk.
检查diff是否可能影响代码库的其他部分:
- 变更的导出/接口 - 搜索其他地方可能受影响的用法
- 修改的API签名 - 检查需要更新的调用方
- 更改的共享工具类 - 查找可能受影响的消费者
- 配置/ schema变更 - 寻找依赖旧结构的代码
将未考虑到的影响作为问题记录,并根据风险标记严重程度。
Step 5: Document Each Finding
步骤5:记录每个问题
For each issue found, add an entry:
markdown
undefined对于每个发现的问题,添加如下条目:
markdown
undefined[{CATEGORY}] {Item Name}
[{分类}] {检查项名称}
Status: FAIL
Severity: Critical | High | Medium | Low
Scope: Changed code | Impact analysis
状态:未通过
严重程度:Critical | High | Medium | Low
范围:变更代码 | 影响分析
Violation
违规详情
- File:
path/to/file.ext - Line(s): 42-48 (from diff)
- Code:
// problematic code snippet from diff- Issue: {explanation of what's wrong}
- Recommendation: {how to fix it}
undefined- 文件:
path/to/file.ext - 行号:42-48(来自diff)
- 代码:
// diff中的问题代码片段- 问题说明:{问题的详细解释}
- 修复建议:{修复方案}
undefinedStep 6: Finalize the Report
步骤6:完成报告
After completing all checks:
- Update the summary table with final counts
- Add an executive summary:
- Total issues found
- Critical issues requiring immediate attention
- Impact analysis results
- Recommended priority order for fixes
- Update status to "Complete"
- Inform the user of the report location
完成所有检查后:
- 更新摘要表格中的最终统计数据
- 添加执行摘要:
- 发现的问题总数
- 需要立即处理的Critical问题
- 影响分析结果
- 修复建议的优先级顺序
- 将状态更新为“已完成”
- 告知用户报告的位置
Generic Review Categories
通用审查分类
These checks apply to ALL changed code regardless of domain.
以下检查适用于所有领域的变更代码。
Category: Security Fundamentals
分类:安全基础
Hardcoded Secrets
硬编码密钥
Check diff for:
- API keys, passwords, secrets in changed code
- Patterns: ,
api_key,apiKey,password,secret,tokenwith literal valuescredential
Pass criteria: No hardcoded secrets in diff (should use environment variables)
Severity: Critical
检查diff中的:
- 变更代码中的API密钥、密码、密钥
- 模式:、
api_key、apiKey、password、secret、token搭配字面量值credential
通过标准:diff中无硬编码密钥(应使用环境变量)
严重程度:Critical
Eval and Dynamic Code Execution
Eval与动态代码执行
Check diff for:
- JavaScript/TypeScript: ,
eval(,new Function(,setTimeout("setInterval(" - Python: ,
eval(,exec(compile(
Pass criteria: No dynamic code execution in changed lines
Severity: Critical
检查diff中的:
- JavaScript/TypeScript:、
eval(、new Function(、setTimeout("setInterval(" - Python:、
eval(、exec(compile(
通过标准:变更行中无动态代码执行
严重程度:Critical
Command Injection
命令注入
Check diff for:
- Python: with
subprocess,shell=Trueos.system( - Go: with unsanitized input
exec.Command(
Pass criteria: No unvalidated user input in shell commands
Severity: Critical
检查diff中的:
- Python:搭配
subprocess、shell=Trueos.system( - Go:搭配未验证的输入
exec.Command(
通过标准:shell命令中无未验证的用户输入
严重程度:Critical
Category: Code Quality
分类:代码质量
Console/Print Statements
控制台/打印语句
Check diff for:
- JavaScript/TypeScript: ,
console.log,console.debugconsole.info - Python: statements
print(
Pass criteria: No debug statements in production code changes
Severity: Low
检查diff中的:
- JavaScript/TypeScript:、
console.log、console.debugconsole.info - Python:语句
print(
通过标准:生产代码变更中无调试语句
严重程度:Low
TODO/FIXME Comments
TODO/FIXME注释
Check diff for:
- ,
TODO:,FIXME:,HACK:commentsXXX:
Pass criteria: New TODOs should be tracked in issues
Severity: Low
检查diff中的:
- 、
TODO:、FIXME:、HACK:注释XXX:
通过标准:新的TODO应在issue中跟踪
严重程度:Low
Empty Catch/Except Blocks
空Catch/Except块
Check diff for:
- JavaScript/TypeScript: or
catch { }catch(e) { } - Python: or empty except blocks
except: pass
Pass criteria: All error handlers log or rethrow
Severity: High
检查diff中的:
- JavaScript/TypeScript:或
catch { }catch(e) { } - Python:或空except块
except: pass
通过标准:所有错误处理程序均记录或重新抛出异常
严重程度:High
Category: LLM Code Smells
分类:LLM代码异味
Placeholder Implementations
占位符实现
Check diff for:
- ,
TODO,PLACEHOLDER,IMPLEMENTNotImplemented - Functions that just ,
return None,return []return {}
Pass criteria: No placeholder implementations in production code
Severity: High
检查diff中的:
- 、
TODO、PLACEHOLDER、IMPLEMENTNotImplemented - 仅返回、
None、return []的函数return {}
通过标准:生产代码中无占位符实现
严重程度:High
Overly Generic Abstractions
过度通用的抽象
Check diff for:
- New classes/functions with names like ,
GenericHandler,BaseManagerAbstractFactory - Abstractions without clear reuse justification
Pass criteria: Abstractions are justified by actual reuse
Severity: Low
检查diff中的:
- 名称为、
GenericHandler、BaseManager的新类/函数AbstractFactory - 无明确复用理由的抽象
通过标准:抽象有实际复用的合理理由
严重程度:Low
Category: Impact Analysis
分类:影响分析
Breaking Changes
破坏性变更
Check if diff modifies:
- Exported functions/classes - search for imports elsewhere
- API endpoints - search for callers
- Shared types/interfaces - search for usages
- Config schemas - search for consumers
Pass criteria: All impacted code identified and accounted for
Severity: High (if unaccounted impacts found)
检查diff是否修改了:
- 导出的函数/类 - 搜索其他地方的导入
- API端点 - 搜索调用方
- 共享类型/接口 - 搜索用法
- 配置schema - 搜索消费者
通过标准:所有受影响的代码均已识别并处理
严重程度:High(如果发现未处理的影响)
Category: Simplification
分类:简化优化
Duplicate Logic
重复逻辑
Check diff for:
- Repeated code patterns (not just syntactic similarity)
- Copy-pasted code with minor variations
- Similar validation, transformation, or formatting logic
Pass criteria: No obvious duplication in changed code
Severity: Medium
Suggestion: Extract shared logic into reusable functions
检查diff中的:
- 重复的代码模式(不仅是语法相似)
- 复制粘贴后仅做微小修改的代码
- 相似的验证、转换或格式化逻辑
通过标准:变更代码中无明显重复
严重程度:Medium
建议:将共享逻辑提取为可复用函数
Unnecessary Complexity
不必要的复杂度
Check diff for:
- Deeply nested conditionals (more than 3 levels)
- Functions doing multiple unrelated things
- Overly complex control flow
Pass criteria: Code is reasonably flat and focused
Severity: Medium
Suggestion: Use early returns, extract helper functions
检查diff中的:
- 深度嵌套的条件语句(超过3层)
- 执行多个无关任务的函数
- 过于复杂的控制流
通过标准:代码结构合理、简洁且聚焦
严重程度:Medium
建议:使用提前返回、提取辅助函数
Verbose Patterns
冗余模式
Check diff for:
- Patterns that have simpler alternatives in the language
- Redundant null checks or type assertions
- Unnecessary intermediate variables
Pass criteria: Code uses idiomatic patterns
Severity: Low
Suggestion: Simplify using language built-ins
检查diff中的:
- 语言中有更简洁替代方案的模式
- 冗余的空值检查或类型断言
- 不必要的中间变量
通过标准:代码使用符合语言习惯的模式
严重程度:Low
建议:使用语言内置功能简化
Domain-Specific Review Items
领域特定审查项
Based on detected domains, read and apply the appropriate checklists:
- Frontend detected (): Read
designer/and apply those checks to changed codefrontend.md - Backend detected (,
server/,rag/): Readruntimes/and apply those checks to changed codebackend.md
根据检测到的领域,读取并应用相应的检查清单:
- 检测到前端():读取
designer/并将其检查项应用于变更代码frontend.md - 检测到后端(、
server/、rag/):读取runtimes/并将其检查项应用于变更代码backend.md
Final Summary Template
最终摘要模板
markdown
undefinedmarkdown
undefinedExecutive Summary
执行摘要
Review completed: {timestamp}
Total findings: {count}
审查完成时间:{时间戳}
问题总数:{数量}
Critical Issues (Must Fix)
Critical问题(必须修复)
- {issue 1}
- {issue 2}
- {问题1}
- {问题2}
Impact Analysis Results
影响分析结果
- {summary of any breaking changes or unaccounted impacts}
- {破坏性变更或未处理影响的摘要}
High Priority (Should Fix)
高优先级问题(应该修复)
- {issue 1}
- {issue 2}
- {问题1}
- {问题2}
Recommendations
总体建议
{Overall recommendations based on the changes reviewed}
---{基于审查变更的总体建议}
---Notes for the Agent
Agent注意事项
-
Scope to diff: Only flag issues in the changed lines. Don't review unchanged code.
-
Use context: Read full files to understand the changes, but feedback targets the diff only.
-
Check impacts: When changes touch exports, APIs, or shared code, search for affected consumers.
-
Be specific: Include file paths, line numbers (from diff), and code snippets for every finding.
-
Prioritize: Flag critical security issues immediately.
-
Provide solutions: Each finding should include a recommendation for how to fix it.
-
Update incrementally: Update the review document after each category, not at the end.
-
聚焦diff:仅标记变更行中的问题,不要审查未变更代码。
-
使用上下文:读取完整文件以理解变更,但反馈仅针对diff。
-
检查影响:当变更涉及导出、API或共享代码时,搜索受影响的消费者。
-
具体明确:每个问题都要包含文件路径、行号(来自diff)和代码片段。
-
优先级排序:立即标记Critical安全问题。
-
提供解决方案:每个问题都应包含修复建议。
-
增量更新:完成每个分类后更新审查文档,不要等到最后。