name: local-review description: Code reviews of git changes without creating actual PR.

Code Review

Overview

Orchestrate a local code review by collecting diffs and producing a structured review with clear priorities and fixes. Keep everything self-contained in this skill file.

Workflow

1. Determine scope from the user request: uncommitted, against main, or last N commits.
2. Collect diffs with the git commands for the selected scope (see Diff Commands).
3. Review only the modified files and changes in scope.
4. Assess if the review will require significant fixes or is lengthy:
   1. If yes, write the review to a markdown file .agent.local/reviews/{dd-mm-yyyy}-{branch-name}.md
   2. Otherwise, just output your review in chat

Scope Rules

• "review my changes": review uncommitted changes (unstaged and staged).
• "review my changes against main": review main...HEAD (fall back to origin/main...HEAD if needed).
• "review my last N commits": review HEAD~N..HEAD with recent log context.

Diff Commands

Uncommitted changes (unstaged + staged):

• git status -sb
• git diff
• git diff --cached

Against main:

• git diff main...HEAD
• If main is missing locally: git diff origin/main...HEAD
• Optional context: git log --oneline main..HEAD

Last N commits:

• git log -n <N> --oneline
• git diff HEAD~<N>..HEAD

Output Rules

• Do not open or create PRs.
• Always store the review file; create .agent.local/reviews if missing.
• Use the current branch name from git rev-parse --abbrev-ref HEAD, replacing / with - in the filename.
• Keep the output clear and structured. Avoid emojis.
• Include relevant code snippets for context (3-7 lines showing the issue).
• Reference specific CLAUDE.md or AGENTS.md files and quotes when applicable.

Review Checklist

• Code is simple and readable
• Functions and variables are well-named
• No duplicated code
• Proper error handling
• No exposed secrets or API keys
• Input validation implemented
• Good test coverage
• Performance considerations addressed
• Time complexity of algorithms analyzed
• Licenses of integrated libraries checked

Security Checks (CRITICAL)

• Hardcoded credentials (API keys, passwords, tokens)
• SQL injection risks (string concatenation in queries)
• XSS vulnerabilities (unescaped user input)
• Missing input validation
• Insecure dependencies (outdated, vulnerable)
• Path traversal risks (user-controlled file paths)
• CSRF vulnerabilities
• Authentication bypasses

Code Quality (HIGH)

• Large functions (>50 lines)
• Large files (>800 lines)
• Deep nesting (>4 levels)
• Missing error handling (try/catch)
• console.log statements
• Mutation patterns
• Missing tests for new code
• Code follows project guidelines

Performance (MEDIUM)

• Inefficient algorithms (O(n^2) when O(n log n) possible)
• Unnecessary re-renders in React
• Missing memoization
• Large bundle sizes
• Unoptimized images
• Missing caching
• N+1 queries

Best Practices (MEDIUM)

• Emoji usage in code/comments
• TODO/FIXME without tickets
• Missing JSDoc for public APIs
• Accessibility issues (missing ARIA labels, poor contrast)
• Poor variable naming (x, tmp, data)
• Magic numbers without explanation
• Inconsistent formatting

Review Output Format

For each issue:

[CRITICAL] Hardcoded API key
File: src/api/client.ts:42
Issue: API key exposed in source code
Fix: Move to environment variable

const apiKey = "sk-abc123";  // ❌ Bad
const apiKey = process.env.API_KEY;  // ✓ Good

Approval Criteria

• ✅ Approve: No CRITICAL or HIGH issues
• ⚠️ Warning: MEDIUM issues only (can merge with caution)
• ❌ Block: CRITICAL or HIGH issues found