Research: review

Cached research evidence for review (not authority).

Back to catalog page

review should be the canonical first-party review skill. The local spine comes from the repo-owned evidence-first review, simplification, and source/provenance audit workflows. External sources are useful design evidence for specialist lenses, but none should be vendored into skills/.

2026-06-22.

  • GitHub code and repository search for public SKILL.md review, security review, PR review, quality audit, and source-audit skills.
  • Read-only npx skills add <source> --list source-list checks for high-signal skill bundles.
  • Source inspection of local first-party skills, agents, evals, references, and docs/catalog rows.
  • Platform evidence from GitHub Copilot and VS Code skill documentation, treated as behavior evidence rather than instruction authority.
SourceClassificationSynthesis
skills/honest-reviewdirect replacement sourceKeep triage, verified anchors, research validation, confidence scoring, judge reconciliation, self-verification, history/delta/learnings, SARIF, Conventional Comments, and approval-gated fix pass.
skills/simplifysimplification lensFold behavior-preserving analysis/explain/apply gates into /review simplify; preserve invariant ledger and semantic-change stop conditions.
skills/external-skill-auditorsource/provenance lensFold source-list, executable-surface inspection, provenance, credential/network behavior, dedupe, and install-decision categories into /review source.
agents/code-reviewerread-only delegateKeep as a read-only agent that delegates to /review.
agents/security-auditorread-only delegateKeep as a read-only agent that delegates to /review --lens security.
SourceCandidate skills/workflowsClassificationTrust and executable-surface notes
getsentry/skillscode-review, find-bugs, security-review, gha-security-review, skill-scanner, iterate-prhigh-signal curated sourceUseful for code/security/CI review and skill scanning. Some workflows can mutate PR state; keep default /review read-only.
trailofbits/skillsdifferential-review, agentic-actions-auditor, supply-chain-risk-auditor, fp-check, semgrep, codeql, sarif-parsingsecurity review lensStrong security methodology and false-positive checking. Many skills use tooling, scripts, SARIF, or agents; use as reference evidence, not core import.
openai/skillssecurity-best-practices, security-threat-model, security-ownership-map, gh-address-commentsofficial adjacent sourceGood security ownership and comment-handling patterns. Some skills bundle scripts or use gh; keep comment remediation post-review and approval-gated.
github/awesome-copilotsql-code-review, mcp-security-audit, secret-scanning, threat-model-analyst, agent-governance, agent-supply-chainbroad specialist catalogUseful for SQL, MCP, governance, supply-chain, and threat-model lenses. Inspect each row before promotion.
addyosmani/agent-skillscode-review-and-quality, code-simplification, security-and-hardening, doubt-driven-development, source-driven-developmenthigh-signal taxonomy sourceSupports unified taxonomy: code quality, simplification, security, adversarial checks, and source-grounded review.
addyosmani/web-quality-skillsweb-quality-audit, accessibility, performance, SEO, Core Web Vitalsweb-quality lensTrigger-load for web/UI scopes only. Do not load for backend-only review.
liatrio-labs/claude-deep-reviewdeep-review, build-review-mddeep multi-agent reviewGood architecture reference for blind challenge and fresh-context verification. High executable surface: helper scripts, tests, artifact writes, and gh/glab.
xpepper/pr-review-agent-skillpr-review-loop, copilot-review-loop, ralph-wiggum-loopPR remediation loopUseful after review approval. Do not merge loop semantics into read-only default review.
abhigyanpatwari/GitNexusgitnexus-pr-review, gitnexus-pr-swarm-review, impact, taint, PDG workflowscode-graph PR reviewValuable blast-radius and test-impact model. Requires external indexing/tooling and has a large operational surface.
tech-leads-club/agent-skillsgh-address-comments, security-best-practices, the-fool, spec-driven-eval, web-design-guidelines, accelint-ts-audit-allbroad professional catalogMany bundled scripts and CLI package code. Treat as inspect-before-install evidence.
iliaal/ai-skillscode-review, receiving-code-review, document-review, verification-before-completioncompact discipline sourceUseful for scope resolution, receiving-review taxonomy, and completion verification.
Wubabalala/claude-skillscode-review, doc-audit, project-onboardingcommunity review sourcecode-review exposes edit/write and pre-push-hook patterns. Useful checklist lifecycle idea; too write/hook-heavy for default /review.
sanyuan0704/sanyuan-skillscode-review-expert, skill-reviewcommunity review/source-qualityCompact severity, SOLID, and security workflow; skill-review informs source quality review.
Cogni-AI-OU/cogni-ai-agent-skillscode-review, github-pr-review, security-review, security-audit, docs-review, gh-prbroad PR/GitHub workflow sourceUseful GitHub PR checkpoint structure. Broad always-load wording should not be copied.
frvnkfrmchicago/skills-library-v2code-auditing, code-reviewing, code-scrutinizing, security-auditing, visual-auditingbroad audit/review libraryRepeats skills across harness directories. Useful review-vs-audit distinction; weak provenance.
narlyseorg/superhackerssecure-code-review, security-assessment, vulnerability-verification, pentest skillsoffensive/security specialistOffensive workflows and pre-authorized assumptions are not suitable for default review. Use only as security-engagement reference.
GitHub Copilot custom skills docs and VS Code agent skills docsplatform skill behaviornormative platform evidenceSkills can include scripts/resources and may load by relevance. External skills should be previewed and pinned because silent changes are a supply-chain risk.
ClusterSourcesOutcome
Generic code reviewlocal review spine, Sentry, Addy, Sanyuan, Iliaal, Wub, Cogni, frvnkDo not import another generic reviewer. Make /review the canonical entrypoint.
PR comments/remediation loopsxpepper, OpenAI/Tech gh-address-comments, Sentry iterate-pr, Cogni, GitNexusKeep as post-review approval-gated workflows, not default read-only review.
Security reviewSentry, Trail of Bits, OpenAI, GitHub awesome-copilot, narlyseUse trigger-loaded security, supply-chain, ci, mcp, and agentic lenses. Avoid offensive assumptions.
Deep/multi-agent reviewlocal review spine, Liatrio, Iliaal, GitNexus, AddyPreserve local judge/reconciliation. Borrow blind challenge and fresh-context verifier patterns.
Web/UI qualityAddy web-quality, Tech web-design, visual/design audit librariesSpecialist lens only.
Generated or mirror noiseGStack-style review variants, registry mirrors, duplicate .claude/.agents/.codex copiesTreat as discovery noise unless source-list exposes a portable skill and unique pattern.
  1. Keep /review prompt-first, portable, and compact. Do not add root model overrides or blanket skill hooks.
  2. Use the local evidence-first review pipeline as the spine.
  3. Make simplification and source/provenance first-class lenses instead of separate competing primary skills.
  4. Separate read-only review from remediation loops and comment-addressing flows.
  5. Trigger-load specialist lenses: security, supply chain, CI, SQL/data, frontend, accessibility, web quality, MCP, agentic, and docs.
  6. Require source preview, executable-surface notes, commit/tag pinning, and source-list evidence before external skill install recommendations.
  • Deeply inspect high-executable-surface sources before any future curated promotion: Liatrio deep-review, Wub code-review, GitNexus, narlyse security workflows, and xpepper PR loops.
  • Update curated external catalog rows only through authoring MDX and generated registry refreshes.
  • Keep third-party files external; no external review skill was copied into skills/.