280+ automated code review checks. Free. Local. Privacy-first. Open-source alternative to CodeRabbit.
```text
$ claude "review PR 42"

## Code Review: PR #42 — Add user authentication
Critical (2): SQL injection in auth.ts:45, weak crypto in crypto.ts:12
High (3): IDOR in user.ts:78, N+1 query in data.ts:23, XSS in Form.tsx:156
Medium (5): DRY violations, missing error handling...
Risk Level: HIGH — 2 critical issues must be fixed before merge.
```
A skill for Claude Code that enables automated, comprehensive code review with 280+ checks across 15 categories:
- Security — OWASP Top 10 + extended security checks
- Bugs & Logic — Null handling, async issues, edge cases
- Performance — Database, API, frontend, algorithms
- Code Quality — SOLID principles, maintainability, readability
- Testing — Coverage, test quality, patterns
- Accessibility — WCAG compliance checks
- i18n — Internationalization issues
- Documentation — Missing or outdated docs
- DevOps — Health checks, observability, resilience
- Git — Version control best practices
- React/Next.js — Hooks, effects, component patterns
- TypeScript — Type safety, assertions, generics
- Python — Type hints, context managers, patterns
- Node.js/Express — Async handling, security middleware
- SQL/Database — Queries, indexes, ORM patterns
| Feature | CodeRabbit | Anthropic Official | This Skill |
|---|---|---|---|
| Price | $15-30/user/month | Free (you pay only Anthropic API usage) | Free (you pay only Anthropic API usage) |
| Checks | ~50 | No fixed list | 280+ |
| Approach | SaaS | 4 parallel agents | Checklist-based |
| Focus | General | CLAUDE.md compliance | Security, Perf, Quality |
| Confidence scoring | No | Yes (≥80) | Yes (≥70) |
| Git blame analysis | No | Yes | Yes |
| Language-specific | Limited | No | React, TS, Python, Node |
| Privacy | Their servers | Runs locally; code goes only to the Anthropic API | Runs locally; code goes only to the Anthropic API |
Project-level (lives in the repo, shared with the team):

```bash
mkdir -p .claude/skills/code-review
curl -fsSL -o .claude/skills/code-review/SKILL.md \
  https://raw.githubusercontent.com/anthroos/claude-code-review-skill/main/SKILL.md
```

User-level (available in every project on this machine):

```bash
mkdir -p ~/.claude/skills/code-review
curl -fsSL -o ~/.claude/skills/code-review/SKILL.md \
  https://raw.githubusercontent.com/anthroos/claude-code-review-skill/main/SKILL.md
```

Requirements:
- Claude Code CLI
- GitHub CLI (for PR reviews): `brew install gh && gh auth login`
Usage:

```bash
claude "full code review"
claude "review PR 123"
claude "security review my changes"
claude "check performance issues in PR 456"
claude "review PR 123 and post comments"
```

### Security
- Injection — SQL, NoSQL, Command, LDAP, XPath, Template, Header, Log injection
- Authentication — Brute-force, session fixation, weak tokens, MFA
- Data Exposure — Hardcoded secrets, secrets in logs, weak crypto, HTTPS
- XXE — XML external entities, unsafe deserialization
- Access Control — IDOR, privilege escalation, CORS, path traversal
- Misconfiguration — Debug mode, default creds, security headers
- XSS — Reflected, Stored, DOM-based, CSP, React unsafe patterns
- Deserialization — eval(), prototype pollution
- Dependencies — Outdated packages, typosquatting
- Additional — SSRF, CSRF, JWT issues, ReDoS, file uploads, race conditions
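To make the Injection and Data Exposure checks concrete, here is an added example (not code from the skill or from any reviewed project) showing the two Critical patterns the sample report on this page names, each beside the fix the report recommends. The `PreparedQuery` type and the `findUser*` / `hashPassword*` names are constructed for this example; `scrypt` from `node:crypto` stands in for the bcrypt/argon2 packages so the code runs with no dependencies.

```typescript
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Stand-in for a database client: it returns the SQL text and bound values
// instead of executing anything, so the shape of each query can be inspected.
// (Constructed for this example; not the skill's or any real driver's API.)
interface PreparedQuery { text: string; values: unknown[] }

// Flagged pattern: the identifier is spliced into the SQL text, so the
// structure of the query depends on user input.
function findUserVulnerable(userId: string): PreparedQuery {
  return { text: `SELECT * FROM users WHERE id = '${userId}'`, values: [] };
}

// Fix the report suggests: constant SQL text, value sent as a bound parameter.
function findUserSafe(userId: string): PreparedQuery {
  return { text: "SELECT * FROM users WHERE id = $1", values: [userId] };
}

// Flagged pattern: unsalted, fast hash. Offline guessing runs at GPU speed
// and identical passwords share a digest.
function hashPasswordWeak(password: string): string {
  return createHash("md5").update(password).digest("hex");
}

// Fix: salted, memory-hard KDF. scrypt from node:crypto stands in for the
// bcrypt/argon2 packages the report names so this runs without dependencies;
// the shape (random salt, cost parameter, constant-time compare) is the same.
const SCRYPT_N = 2 ** 14;
const SCRYPT_OPTS = { N: SCRYPT_N, r: 8, p: 1 };
const KEY_LEN = 32;

function hashPasswordStrong(password: string, salt: Buffer = randomBytes(16)): string {
  const key = scryptSync(password, salt, KEY_LEN, SCRYPT_OPTS);
  // Self-describing record: scheme, cost, salt and key, all needed to verify later.
  return `scrypt$${SCRYPT_N}$${salt.toString("hex")}$${key.toString("hex")}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [scheme, n, saltHex, keyHex] = stored.split("$");
  if (scheme !== "scrypt" || !n || !saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length, {
    ...SCRYPT_OPTS,
    N: Number(n),
  });
  // Constant-time comparison: a plain === leaks how many leading bytes matched.
  return timingSafeEqual(actual, expected);
}
```

Run it with a payload such as `1' OR '1'='1`: the vulnerable query embeds it in the SQL text, the safe one keeps the text constant and carries the payload as a value; the strong hash differs on every call because of the random salt, and verification only passes for the original password.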
### Bugs & Logic
- Null/Undefined — Null dereference, missing checks, falsy confusion
- Type Issues — Coercion, implicit conversion, unsafe casts
- Async — Missing await, unhandled rejections, race conditions, deadlocks
- Loops — Off-by-one, infinite loops, mutation during iteration
- Edge Cases — Empty arrays, zero division, overflow, timezone, unicode
- State — Stale state, mutations, unnecessary re-renders
- Error Handling — Empty catch, generic handling, missing finally
- Resources — Leaks (memory, files, connections, timers)
- Business Logic — Wrong calculations, missing validation, rollback
### Performance
- Database — N+1, missing indexes, SELECT *, pagination, pooling
- API/Network — Caching, over/under-fetching, compression, timeouts
- Frontend — Bundle size, re-renders, images, lazy loading
- Algorithms — O(n²), memoization, data structures
- Caching — Cache layer, invalidation, stampede
### Code Quality
- Readability — Naming, magic numbers, long functions, nesting
- Maintainability — DRY, coupling, abstractions, dead code
- SOLID — All 5 principles
- API Design — Consistency, HTTP methods, status codes, versioning
- Configuration — Hardcoded config, missing defaults, secrets
### Testing
- Coverage — Unit, integration, edge cases, error cases
- Quality — Flaky tests, speed, interdependence, assertions
- Patterns — Organization, naming, AAA, fixtures
### Accessibility
- Alt text, labels, contrast, keyboard, ARIA, focus, headings
### i18n
- Hardcoded strings, date/number/currency formatting, RTL, pluralization
### Documentation
- README, API docs, JSDoc, changelog, setup instructions, broken links, relative path errors
### DevOps
- Health checks, graceful shutdown, retry, circuit breaker, observability
### Git
- Large files, secrets in history, merge conflicts, commit messages
### React/Next.js
- useEffect deps, cleanup, stale closures, key props, memo overuse
### TypeScript
- `any` abuse, type assertions, missing return types, non-null assertions
### Python
- Mutable defaults, type hints, bare except, context managers
### Node.js/Express
- Async errors, helmet, rate limiting, input validation
### SQL/Database
- Raw queries, missing indexes, N+1 in ORM, migrations
- Confidence scoring — Only reports issues with ≥70% confidence, reducing noise
- Git blame analysis — Skips pre-existing issues, focuses on new changes
- Auto-skip logic — Ignores draft PRs, trivial changes, docs-only updates
- Language detection — Applies React/TS/Python/Node checks when relevant
- False positive controls — Severity filters, focus modes, inline suppressions
## Code Review Summary
**Reviewed:** 5 files, 234 lines changed
**Risk Level:** High
### Critical Issues (2)
1. [src/api/auth.ts:45] **SQL Injection** — User input passed directly to query
→ Use parameterized queries: `db.query('SELECT * FROM users WHERE id = ?', [userId])`
2. [src/utils/crypto.ts:12] **Weak cryptography** — Using MD5 for password hashing
→ Use bcrypt or argon2 instead
### High Priority (3)
1. [src/services/user.ts:78] **IDOR vulnerability** — Missing ownership check
2. [src/api/data.ts:23] **N+1 query** — 50 queries in loop, use JOIN or batch
3. [src/components/Form.tsx:156] **XSS** — dangerouslySetInnerHTML with user content
### Medium Priority (5)
1. [src/utils/helpers.ts:34] **DRY violation** — Duplicate code in 3 places
2. [src/api/users.ts:89] **Missing error handling** — Empty catch block
...
### Good Practices
- Consistent error handling in services/
- Good TypeScript usage with proper types
- Comprehensive test coverage for auth module

Add to `.git/hooks/pre-push` (and make it executable with `chmod +x .git/hooks/pre-push`):

```bash
#!/bin/bash
set -e
echo "Running AI code review..."
# Review what is about to leave the machine: the commits not yet on the remote.
# Staged-but-uncommitted changes are not part of a push, so reviewing the index
# here would check the wrong thing.
REVIEW_OUTPUT=$(claude "quick review of the commits on this branch that are not yet pushed; list only critical issues as bullet points, and if there are none reply with exactly NO_CRITICAL_ISSUES" --print 2>&1) || true
# Test for the agreed sentinel instead of grepping for words like "security" or
# "vulnerability": a clean report ("no security issues found") contains those too
# and would block every push. Anything other than the sentinel, including an API
# error, is shown to the developer for a decision.
if ! echo "$REVIEW_OUTPUT" | grep -q "NO_CRITICAL_ISSUES"; then
  echo ""
  echo "⚠️ Potential critical issues found:"
  echo "$REVIEW_OUTPUT"
  echo ""
  # git feeds the hook the list of refs being pushed on stdin, so read the
  # answer from the terminal, not from stdin.
  read -p "Push anyway? (y/n) " -n 1 -r < /dev/tty
  echo
  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Push cancelled."
    exit 1
  fi
fi
echo "✓ Review passed"
```

GitHub Actions workflow:

```yaml
name: AI Code Review
# Pull requests from forks get no secrets on this trigger, so ANTHROPIC_API_KEY
# is empty there and the job fails closed. Do not switch to pull_request_target
# to work around that: it hands the secrets to a run over untrusted PR content.
on: [pull_request]
# Posting a review comment needs write access to pull requests; the default
# token is read-only in repositories with restricted workflow permissions. The
# diff is untrusted input to the model, so keep the token to exactly this.
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code
      - name: Install Review Skill
        # Fetching main at run time means every PR executes whatever that branch
        # contains today. Pin a commit SHA in the URL, or vendor SKILL.md into
        # the repo, so the checklist that gates merges is itself reviewed.
        run: |
          mkdir -p .claude/skills/code-review
          curl -fsSL -o .claude/skills/code-review/SKILL.md \
            https://raw.githubusercontent.com/anthroos/claude-code-review-skill/main/SKILL.md
      - name: Run Review
        # --print is non-interactive, so the Bash call that runs `gh pr comment`
        # cannot ask for approval; pre-approve it (for example with --allowedTools
        # or a permissions entry in .claude/settings.json) or no comment is posted.
        run: claude "review this PR, post comment with findings" --print
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

You can modify the SKILL.md to:
- Add company-specific rules
- Remove irrelevant checks (e.g., a11y for backend projects)
- Add framework-specific checks (Next.js, Django, etc.)
- Change severity levels
- Add custom patterns to detect
| Level | Action | Examples |
|---|---|---|
| Critical | Must fix before merge | SQL injection, hardcoded secrets |
| High | Should fix before merge | XSS, N+1 queries, auth bypass |
| Medium | Fix soon | DRY violations, missing tests |
| Low | Nice to have | Naming, comments |
The skill is designed to minimize false positives, but if you encounter them:

Severity filter or focus mode (note that `--severity` and `--focus` sit inside the quoted prompt: the skill interprets them, the Claude Code CLI does not):

```bash
claude "review PR 123 --severity=high"
claude "security review PR 123"
claude "review PR 123 --focus=bugs,security"
```

Or tell the reviewer in plain language:

"ignore the N+1 warning in admin routes - it's intentional, low traffic"
"skip any type warnings in src/legacy/ - that's legacy code"

Add comments to suppress specific issues:

```typescript
// @review-ok: parameterized query handled by ORM
const query = `SELECT * FROM users WHERE id = ${sanitizedId}`;
```

```python
# @review-ok: global cache intentional for performance
CACHE = {}
```

A suppression is taken at its word, so treat added `@review-ok` lines as something a human should read during review: the query above is still built by string interpolation, and if the claim about the ORM is wrong the comment silences exactly the finding the Critical severity exists for.

If the same false positive keeps appearing, open an issue with:
- File and line number
- What was flagged
- Why it's a false positive
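Both the "Git blame analysis" feature (report only on new lines) and the `@review-ok` suppressions depend on knowing which lines of a diff are new. The following is an added example, not the skill's own code, showing that line arithmetic on a unified diff: it parses hunk headers, numbers each added line on the new side of the file, and lists the added lines that carry a suppression so a human can audit them. The sample diff, the `@review-ok` marker string and the function names are constructed for this example.

```typescript
// Constructed sample diff (not from a real PR) touching two files. The hunk
// headers are what the line arithmetic below relies on.
const SAMPLE_DIFF = [
  "diff --git a/src/api/auth.ts b/src/api/auth.ts",
  "--- a/src/api/auth.ts",
  "+++ b/src/api/auth.ts",
  "@@ -42,4 +42,6 @@ export async function login(req, res) {",
  "   const userId = req.body.id;",
  '-  const rows = await db.query("SELECT * FROM users WHERE id = " + userId);',
  "+  // @review-ok: parameterized query handled by ORM",
  "+  const sanitizedId = String(userId);",
  '+  const rows = await db.query("SELECT * FROM users WHERE id = " + sanitizedId);',
  "   if (!rows.length) return res.status(401).end();",
  "   const token = issueToken(rows[0]);",
  "@@ -90,2 +92,3 @@",
  "   return token;",
  " }",
  "+export const CACHE = {};",
  "diff --git a/src/utils/crypto.ts b/src/utils/crypto.ts",
  "--- a/src/utils/crypto.ts",
  "+++ b/src/utils/crypto.ts",
  "@@ -10,3 +10,4 @@",
  " export function hash(pw: string) {",
  "-  return md5(pw);",
  "+  // @review-ok: legacy hash kept until the migration finishes",
  "+  return md5(pw);",
  " }",
].join("\n");

interface AddedLine { file: string; line: number; text: string }

// "@@ -oldStart[,oldCount] +newStart[,newCount] @@"; only newStart matters here.
const HUNK_HEADER = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/;

// Walk a unified diff and return every added line with its number in the new
// file. Context lines advance the counter, removed lines do not.
function addedLines(diff: string): AddedLine[] {
  const out: AddedLine[] = [];
  let file = "";
  let newLine = 0;
  let inHunk = false;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("diff --git ")) { inHunk = false; continue; }
    const header = HUNK_HEADER.exec(raw);
    if (header) { newLine = Number(header[1]); inHunk = true; continue; }
    if (!inHunk) {
      // File headers: "+++" names the new-side path; "---", index and mode
      // lines carry no line numbers.
      if (raw.startsWith("+++ ")) file = raw.slice(4).replace(/^b\//, "");
      continue;
    }
    if (raw.startsWith("+")) {
      out.push({ file, line: newLine, text: raw.slice(1) });
      newLine++;
    } else if (raw.startsWith("-") || raw.startsWith("\\")) {
      // Removed line, or the "\ No newline at end of file" marker: nothing on the new side.
    } else {
      newLine++; // context line
    }
  }
  return out;
}

// Per-file set of new line numbers: the lookup behind "skip pre-existing issues".
function newLineIndex(diff: string): Map<string, Set<number>> {
  const index = new Map<string, Set<number>>();
  for (const { file, line } of addedLines(diff)) {
    if (!index.has(file)) index.set(file, new Set());
    index.get(file)!.add(line);
  }
  return index;
}

function isNewLine(index: Map<string, Set<number>>, file: string, line: number): boolean {
  return index.get(file)?.has(line) ?? false;
}

// Added lines that carry a suppression marker. A finding on the line a
// suppression covers is silenced on its author's say-so, so these are the
// lines a human reviewer should read first.
function addedSuppressions(diff: string, marker = "@review-ok"): AddedLine[] {
  return addedLines(diff).filter((l) => l.text.includes(marker));
}
```

On the sample diff, `isNewLine` reports `src/api/auth.ts:45` (the rebuilt query) as new and line 42 as pre-existing, and `addedSuppressions` returns the two `@review-ok` lines (`auth.ts:43`, `crypto.ts:11`), which is the list to hand to a human alongside the automated findings.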
MIT — use freely, modify as needed.
Contributions welcome! See CONTRIBUTING.md for guidelines. Add new checks, improve detection patterns, or add language-specific rules.
Part of the Claude Code tools suite:
| Repo | Purpose |
|---|---|
| plaintext-crm | AI-native CRM in your IDE |
| claude-code-review-skill (this) | AI code review (280+ checks) |
| plaintext-pm | AI-native project management |
Built by @anthroos at WeLabelData for the Claude Code community.