skills/software-development/code-review/SKILL.md

---
name: code-review
description: Guidelines for performing thorough code reviews with security and quality focus
---

# Code Review Skill

Use this skill when reviewing code changes, pull requests, or auditing existing code.

## Review Checklist

### 1. Security First
- [ ] No hardcoded secrets, API keys, or credentials
- [ ] Input validation on all user-provided data
- [ ] SQL queries use parameterized statements (no string concatenation)
- [ ] File operations validate paths (no path traversal)
- [ ] Authentication/authorization checks present where needed

### 2. Error Handling
- [ ] All external calls (API, DB, file) have try/catch
- [ ] Errors are logged with context (but no sensitive data)
- [ ] User-facing errors are helpful but don't leak internals
- [ ] Resources are cleaned up in finally blocks or context managers

### 3. Code Quality
- [ ] Functions do one thing and are reasonably sized (<50 lines ideal)
- [ ] Variable names are descriptive (no single letters except loops)
- [ ] No commented-out code left behind
- [ ] Complex logic has explanatory comments
- [ ] No duplicate code (DRY principle)

### 4. Testing Considerations
- [ ] Edge cases handled (empty inputs, nulls, boundaries)
- [ ] Happy path and error paths both work
- [ ] New code has corresponding tests (if test suite exists)

## Review Response Format

When providing review feedback, structure it as:

```
## Summary
[1-2 sentence overall assessment]

## Critical Issues (Must Fix)
- Issue 1: [description + suggested fix]
- Issue 2: ...

## Suggestions (Nice to Have)
- Suggestion 1: [description]

## Questions
- [Any clarifying questions about intent]
```

## Common Patterns to Flag

### Python
```python
# Bad: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# Good: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
```

### JavaScript
```javascript
// Bad: XSS risk
element.innerHTML = userInput;

// Good: Safe text content
element.textContent = userInput;
```

## Tone Guidelines

- Be constructive, not critical
- Explain *why* something is an issue, not just *what*
- Offer solutions, not just problems
- Acknowledge good patterns you see
fix: restore all removed bundled skills + fix skills sync system - Restored 21 skills removed in commits 757d012 and 740dd92: accelerate, audiocraft, code-review, faiss, flash-attention, gguf, grpo-rl-training, guidance, llava, nemo-curator, obliteratus, peft, pytorch-fsdp, pytorch-lightning, simpo, slime, stable-diffusion, tensorrt-llm, torchtitan, trl-fine-tuning, whisper - Rewrote sync_skills() with proper update semantics: * New skills (not in manifest): copied to user dir * Existing skills (in manifest + on disk): updated via hash comparison * User-deleted skills (in manifest, not on disk): respected, not re-added * Stale manifest entries (removed from bundled): cleaned from manifest - Added sync_skills() to CLI startup (cmd_chat) and gateway startup (start_gateway) — previously only ran during 'hermes update' - Updated cmd_update output to show new/updated/cleaned counts - Rewrote tests: 20 tests covering manifest CRUD, dir hashing, fresh install, user deletion respect, update detection, stale cleanup, and name collision handling 75 bundled skills total. 2002 tests pass. 2026-03-06 15:57:12 -08:00			`---`
			`name: code-review`
			`description: Guidelines for performing thorough code reviews with security and quality focus`
			`---`

			`# Code Review Skill`

			`Use this skill when reviewing code changes, pull requests, or auditing existing code.`

			`## Review Checklist`

			`### 1. Security First`
			`- [ ] No hardcoded secrets, API keys, or credentials`
			`- [ ] Input validation on all user-provided data`
			`- [ ] SQL queries use parameterized statements (no string concatenation)`
			`- [ ] File operations validate paths (no path traversal)`
			`- [ ] Authentication/authorization checks present where needed`

			`### 2. Error Handling`
			`- [ ] All external calls (API, DB, file) have try/catch`
			`- [ ] Errors are logged with context (but no sensitive data)`
			`- [ ] User-facing errors are helpful but don't leak internals`
			`- [ ] Resources are cleaned up in finally blocks or context managers`

			`### 3. Code Quality`
			`- [ ] Functions do one thing and are reasonably sized (<50 lines ideal)`
			`- [ ] Variable names are descriptive (no single letters except loops)`
			`- [ ] No commented-out code left behind`
			`- [ ] Complex logic has explanatory comments`
			`- [ ] No duplicate code (DRY principle)`

			`### 4. Testing Considerations`
			`- [ ] Edge cases handled (empty inputs, nulls, boundaries)`
			`- [ ] Happy path and error paths both work`
			`- [ ] New code has corresponding tests (if test suite exists)`

			`## Review Response Format`

			`When providing review feedback, structure it as:`

			```
			`## Summary`
			`[1-2 sentence overall assessment]`

			`## Critical Issues (Must Fix)`
			`- Issue 1: [description + suggested fix]`
			`- Issue 2: ...`

			`## Suggestions (Nice to Have)`
			`- Suggestion 1: [description]`

			`## Questions`
			`- [Any clarifying questions about intent]`
			```

			`## Common Patterns to Flag`

			`### Python`
			```python
			`# Bad: SQL injection risk`
			`cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")`

			`# Good: Parameterized query`
			`cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))`
			```

			`### JavaScript`
			```javascript
			`// Bad: XSS risk`
			`element.innerHTML = userInput;`

			`// Good: Safe text content`
			`element.textContent = userInput;`
			```

			`## Tone Guidelines`

			`- Be constructive, not critical`
			`- Explain why something is an issue, not just what`
			`- Offer solutions, not just problems`
			`- Acknowledge good patterns you see`