Code Review Skill
Claude reviews your code like a senior engineer — catches bugs, suggests improvements, flags security issues.
What it does
The Code Review Skill turns Claude Code into a structured reviewer that works through correctness, security, performance, error handling, design, and style in that exact order. It writes feedback the way a principal engineer does — specific, tied to reasoning, with severity that actually matches the impact. No more 'looks good to me' on a diff that leaks a secret; no more five-paragraph nitpicks on a variable name.
What Claude does once this skill is installed
When you paste a diff or ask Claude Code to review a file or branch, it produces a review with six sections in a fixed order: correctness first (off-by-one, null safety, race conditions, error paths), then security (input validation, secrets in logs, auth at every layer, CSRF/SSRF/XSS), then performance (N+1 queries, hot paths, unbounded loops, missing pagination), then error handling (every thrown path accounted for, retries with backoff, no stack traces to users), then design (single responsibility, public API surface, tests), and finally style. Each issue comes with file, line, severity (blocker/high/medium/nit), what, why it matters, and a concrete suggested fix. The review ends with a one-paragraph summary and a verdict: approve, request changes, or needs discussion.
Who should use it
Solo developers who lack a reviewer. Tech leads who want consistent standards applied to junior PRs without spending twelve hours on review every week. Teams running async code review who want to catch the obvious issues before a human reads the diff. Anyone doing self-review before pushing a PR to main. Because the lens is language-agnostic, it works on any stack — Python, Go, TypeScript, Rust, Swift, Dart.
What it solves
Most AI code review is either too generous (everything looks fine) or too nitpicky (dozens of naming suggestions while missing the SQL injection on line 47). This skill fixes both sides: the structured review order forces Claude to catch the things that actually matter, and the severity taxonomy keeps nits from drowning blockers.
How to install
Which tool are you using?
Not sure? Claude.ai is the website. Claude Code is the command-line tool you install separately. Cursor is a code editor that reads .cursorrules.
- 01
Open your terminal
Terminal on Mac, or PowerShell / Command Prompt on Windows.
This skill works with any language and any stack. You do not need to be in a specific project to install it.
- 02
Start Claude Code
Launch Claude Code from any directory. Skills are global across all your projects:
terminalshellclaudeIf you see 'command not found', install Claude Code first: npm install -g @anthropic-ai/claude-code
- 03
Download the skill file
Click the 'Download Skill' button below to save code-review.md to your computer.
- 04
Install the skill
Add the skill to Claude Code (adjust the path if your download location is different):
terminalshellclaude skills add ~/Downloads/code-review.mdOn Windows: C:\Users\YourName\Downloads\code-review.md
- 05
Verify and test
List installed skills to confirm 'code-review' appears:
terminalshellclaude skills list - 06
Run your first review
Ask Claude to review a diff or a file. It will apply the review order (correctness → security → performance → error handling → design → style) and output issues with severity labels.
terminalshellclaude "Review the diff in this file against the code-review skill"Tip: pipe git diff directly: git diff main | claude "review this diff"
The claude skill file
Copy the full contents below, or download the file directly.
---name: code-reviewdescription: Use this skill when reviewing code, pull requests, or diffs. Activates a senior-engineer review lens covering correctness, security, performance, error handling, and maintainability.--- # Code Review Skill When reviewing code, act as a senior engineer with 15+ years of experience.Review in this exact order. Never skip ahead. Never mix sections. ## Review Order ### 1. Correctness- Does the change do what the PR description claims?- Off-by-one, null / undefined, and boundary conditions- Race conditions, re-entrancy, and concurrency safety- Error paths are handled, not swallowed- Happy path AND sad path are both covered ### 2. Security- Any user input reaching SQL, shell, filesystem, or network without validation- Secrets, API keys, tokens in code, logs, or error messages- Auth checks on every protected path — at every layer, not just the router- CSRF, SSRF, XSS, open redirect surfaces introduced or left open- Cryptography uses standard libraries; no custom crypto- Dependency additions reviewed for known CVEs ### 3. Performance- N+1 queries in data-access code- Unnecessary renders or large memoization boundaries- Allocations in hot paths (loops, renders, request handlers)- Unbounded loops, unbounded memory, unbounded response sizes- Missing pagination on list endpoints- Synchronous I/O on an async path ### 4. Error Handling- Every thrown path has an explicit catch or a documented propagation target- Errors carry enough context (code + message + correlation id) to debug- User-facing errors never leak stack traces or internals- Retries use backoff; no infinite retries without a circuit breaker- Fallback behavior is safe and predictable on failure ### 5. Design- Single responsibility per function and per module- No hidden global state or singletons creeping in- Public API surface is minimal and documented- Tests cover the new behavior (happy path, error path, edge cases)- Naming reflects intent, not implementation detail ### 6. Style- Dead code removed- Comments explain why, not what- Consistent with the rest of the codebase- Linter / formatter clean ## Output Format For each issue, produce:- **File** and approximate line number- **Severity**: blocker / high / medium / nit- **What** is wrong and **why** it matters (one sentence each)- **Suggested change** with a concrete before/after when helpful End the review with:- A one-paragraph summary of the change and overall risk- A clear verdict: approve / request changes / needs discussion Write every suggestion in the form "Consider X because Y" — never just "change this".Example output
What Claude does before and after you install this claude skill.
Claude says 'looks good!' or nitpicks style while missing a SQL injection two lines below. Zero useful feedback.
Claude flags the SQL injection as a blocker with the exact line, explains the attack, suggests parameterized queries, then continues to find a race condition and a missing null check.
Customization tips
Customize the order of checks for your domain. Security-first codebases might swap step 1 and 2. Frontend-heavy teams might add an accessibility step. If you use a specific severity taxonomy (e.g. P0/P1/P2), update the skill to use it so reviews integrate with your existing tooling.
Related resources
Senior Code Reviewer
Acts as a senior engineer reviewing your PR. Catches logic errors, security issues, and code smells.
TDD Skill
Test-driven development workflow. Write tests first, then implementation, with Claude guiding each step.
Git Commit Messages Skill
Generates conventional commit messages from your diff. Consistent, descriptive, team-ready.
Frequently asked questions
Does the skill work for any language?
Yes. The review lens is language-agnostic. It catches correctness, security, performance, and design issues regardless of stack. Add language-specific rules by editing code-review.md if you want.
Can it review a full pull request?
Yes. Paste the diff, or use git diff main...feature-branch | claude to pipe it in. For very large PRs, split by file or feature — quality degrades on 2000+ line diffs.
Does it replace human code review?
No. It catches a lot (often more than a tired reviewer) but a human still needs to verify business context and long-term architectural direction. Use it as your first-pass reviewer.
Can I scope the review to just security?
Yes. Ask Claude: 'Using the code-review skill, run only the Security section on this diff.' The skill is structured so individual sections can be invoked alone.
Will it suggest code changes or just flag issues?
Both. Every issue comes with a concrete suggested fix — often a before/after snippet — not just a description of what is wrong.
Want more like this?
Browse the full RohanKit library — free resources for Claude and Cursor.