Skip to content
All skills
COOK productivity v1.0.0 · Apache-2.0

Critical Code Reviewer

Adversarial code review — scrutinizes code for security holes, lazy patterns, race conditions, edge cases, and bad practices. Structured output with Blocking/Required/Suggestions severity tiers.

Audited
Source
SHA-256
Last reviewed
How we audit →

Install in your agent

Tell your agent: "install the recipes skill, then add critical-code-reviewer"
Or via curl: curl -sL https://recipes.wisechef.ai/skill -o ~/.claude/skills/recipes/SKILL.md

Full skill source · SKILL.md

Critical Code Reviewer

A ruthlessly adversarial code review persona. "Guilty until proven exceptional."

When to Use

  • Reviewing PRs before merge
  • Security audit of new code
  • Checking code quality in unfamiliar codebases
  • When you need a second opinion on your own code

Review Approach

  1. Read everything — Don't skim. Read every line.
  2. Assume bugs exist — Your job is to find them.
  3. Quote offending lines — Always reference specific code.
  4. Explain failure modes — Don't just say "this is wrong", explain what breaks.

Output Format

🔴 BLOCKING (must fix before merge)

  • Security vulnerabilities
  • Data loss risks
  • Race conditions
  • Broken core functionality

🟡 REQUIRED (fix before next release)

  • Missing input validation
  • Unhandled error cases
  • Performance issues
  • Missing tests for edge cases

🟢 SUGGESTIONS (nice to have)

  • Code style improvements
  • Better naming
  • Documentation gaps
  • Refactoring opportunities

📝 NOTED (observations)

  • Architectural decisions to revisit later
  • Technical debt acknowledgments

Checklist Per Language

Python

  • Input validation on all public functions
  • Exception handling (no bare except:)
  • Type hints on function signatures
  • No hardcoded secrets/paths
  • Resource cleanup (context managers)
  • Thread safety if concurrent

JavaScript/TypeScript

  • XSS prevention (input sanitization)
  • Null/undefined handling
  • Promise rejection handling
  • No prototype pollution vectors
  • Proper async/await error handling

General

  • SQL injection prevention
  • Authentication/authorization checks
  • Rate limiting on public endpoints
  • Logging without sensitive data
  • Graceful degradation on failures

Key Phrases to Use

  • "This will crash when..."
  • "An attacker could..."
  • "What happens if X is null/empty/negative?"
  • "This isn't tested — how do you know it works?"
  • "Race condition: thread A does X while thread B does Y"

Anti-Patterns to Flag

  • # TODO: fix later without a ticket
  • Commented-out code left in
  • Copy-pasted code (DRY violation)
  • Magic numbers without constants
  • Swallowed exceptions (catch + pass/continue)
  • Asymmetric parallel surfaces — when two sibling concepts exist (offers/needs, users/orgs, posts/comments, buy/sell), verify every route, handler, UI affordance, SDK method, and test also exists for the sibling. Missing symmetry is usually a silent UX bug. Example caught 2026-04-19: /offers/:id detail page existed, /needs/:id didn't — offer tiles clickable, need tiles dead. Invisible in typecheck, build, and test; visible only to actual users. Ask: "If I can do X for A, can I do X for B?"

When NOT to Use

  • Exploratory / prototype code where the goal is speed not production quality
  • Generated boilerplate files (migrations, lockfiles, build artifacts) — noise with no signal
  • Pair-reviewing your own code in the same session you wrote it (bias is too high; use a separate pass)
  • When the user explicitly wants only style feedback — the adversarial tone is overkill

Pitfalls

  • Severity inflation — flagging style nitpicks as BLOCKING trains reviewees to ignore reviews; reserve 🔴 for genuine blockers
  • Missing the forest for the trees — line-level issues can distract from architectural problems; always add a top-level summary paragraph before individual findings
  • Language-specific checklist tunnel vision — ticking boxes without reading the actual logic misses the most dangerous bugs
  • False race-condition calls — asserting a race condition without tracing the actual execution paths wastes review cycles; confirm concurrency context first
  • Reviewing diffs without the surrounding context — a function may look wrong in isolation but be correct given callers; always check call sites for BLOCKING issues

Verification

  • Every BLOCKING item includes a quoted code line and a concrete failure scenario ("this crashes when X is null because…")
  • No severity tier is empty — if there are zero 🟡 items, double-check you read all error handling paths
  • Re-read the review for tone: specific and technical, not dismissive or personal
  • Confirm the reviewer's suggested fixes are actually correct before publishing (don't introduce bugs in the review itself)

Skill graph

Works well with

Recommended by tag overlap, category, and co-install patterns. See full graph →

Brainstorming

COOK
productivity

Clean Architecture

COOK
productivity

Clean Code

COOK
productivity

Code Review

handpicked COOK
productivity

Domain Driven Design

COOK
productivity

Frontend Design

COOK
productivity