Research: review
Cached research evidence for review (not authority).
Quick Answer
Section titled “Quick Answer”review should be the canonical first-party review skill. The local spine comes from the repo-owned evidence-first review, simplification, and source/provenance audit workflows. External sources are useful design evidence for specialist lenses, but none should be vendored into skills/.
Accessed
Section titled “Accessed”2026-06-22.
Read-Only Methods
Section titled “Read-Only Methods”- GitHub code and repository search for public
SKILL.mdreview, security review, PR review, quality audit, and source-audit skills. - Read-only
npx skills add <source> --listsource-list checks for high-signal skill bundles. - Source inspection of local first-party skills, agents, evals, references, and docs/catalog rows.
- Platform evidence from GitHub Copilot and VS Code skill documentation, treated as behavior evidence rather than instruction authority.
Local Baseline
Section titled “Local Baseline”| Source | Classification | Synthesis |
|---|---|---|
skills/honest-review | direct replacement source | Keep triage, verified anchors, research validation, confidence scoring, judge reconciliation, self-verification, history/delta/learnings, SARIF, Conventional Comments, and approval-gated fix pass. |
skills/simplify | simplification lens | Fold behavior-preserving analysis/explain/apply gates into /review simplify; preserve invariant ledger and semantic-change stop conditions. |
skills/external-skill-auditor | source/provenance lens | Fold source-list, executable-surface inspection, provenance, credential/network behavior, dedupe, and install-decision categories into /review source. |
agents/code-reviewer | read-only delegate | Keep as a read-only agent that delegates to /review. |
agents/security-auditor | read-only delegate | Keep as a read-only agent that delegates to /review --lens security. |
External Source Table
Section titled “External Source Table”| Source | Candidate skills/workflows | Classification | Trust and executable-surface notes |
|---|---|---|---|
| getsentry/skills | code-review, find-bugs, security-review, gha-security-review, skill-scanner, iterate-pr | high-signal curated source | Useful for code/security/CI review and skill scanning. Some workflows can mutate PR state; keep default /review read-only. |
| trailofbits/skills | differential-review, agentic-actions-auditor, supply-chain-risk-auditor, fp-check, semgrep, codeql, sarif-parsing | security review lens | Strong security methodology and false-positive checking. Many skills use tooling, scripts, SARIF, or agents; use as reference evidence, not core import. |
| openai/skills | security-best-practices, security-threat-model, security-ownership-map, gh-address-comments | official adjacent source | Good security ownership and comment-handling patterns. Some skills bundle scripts or use gh; keep comment remediation post-review and approval-gated. |
| github/awesome-copilot | sql-code-review, mcp-security-audit, secret-scanning, threat-model-analyst, agent-governance, agent-supply-chain | broad specialist catalog | Useful for SQL, MCP, governance, supply-chain, and threat-model lenses. Inspect each row before promotion. |
| addyosmani/agent-skills | code-review-and-quality, code-simplification, security-and-hardening, doubt-driven-development, source-driven-development | high-signal taxonomy source | Supports unified taxonomy: code quality, simplification, security, adversarial checks, and source-grounded review. |
| addyosmani/web-quality-skills | web-quality-audit, accessibility, performance, SEO, Core Web Vitals | web-quality lens | Trigger-load for web/UI scopes only. Do not load for backend-only review. |
| liatrio-labs/claude-deep-review | deep-review, build-review-md | deep multi-agent review | Good architecture reference for blind challenge and fresh-context verification. High executable surface: helper scripts, tests, artifact writes, and gh/glab. |
| xpepper/pr-review-agent-skill | pr-review-loop, copilot-review-loop, ralph-wiggum-loop | PR remediation loop | Useful after review approval. Do not merge loop semantics into read-only default review. |
| abhigyanpatwari/GitNexus | gitnexus-pr-review, gitnexus-pr-swarm-review, impact, taint, PDG workflows | code-graph PR review | Valuable blast-radius and test-impact model. Requires external indexing/tooling and has a large operational surface. |
| tech-leads-club/agent-skills | gh-address-comments, security-best-practices, the-fool, spec-driven-eval, web-design-guidelines, accelint-ts-audit-all | broad professional catalog | Many bundled scripts and CLI package code. Treat as inspect-before-install evidence. |
| iliaal/ai-skills | code-review, receiving-code-review, document-review, verification-before-completion | compact discipline source | Useful for scope resolution, receiving-review taxonomy, and completion verification. |
| Wubabalala/claude-skills | code-review, doc-audit, project-onboarding | community review source | code-review exposes edit/write and pre-push-hook patterns. Useful checklist lifecycle idea; too write/hook-heavy for default /review. |
| sanyuan0704/sanyuan-skills | code-review-expert, skill-review | community review/source-quality | Compact severity, SOLID, and security workflow; skill-review informs source quality review. |
| Cogni-AI-OU/cogni-ai-agent-skills | code-review, github-pr-review, security-review, security-audit, docs-review, gh-pr | broad PR/GitHub workflow source | Useful GitHub PR checkpoint structure. Broad always-load wording should not be copied. |
| frvnkfrmchicago/skills-library-v2 | code-auditing, code-reviewing, code-scrutinizing, security-auditing, visual-auditing | broad audit/review library | Repeats skills across harness directories. Useful review-vs-audit distinction; weak provenance. |
| narlyseorg/superhackers | secure-code-review, security-assessment, vulnerability-verification, pentest skills | offensive/security specialist | Offensive workflows and pre-authorized assumptions are not suitable for default review. Use only as security-engagement reference. |
| GitHub Copilot custom skills docs and VS Code agent skills docs | platform skill behavior | normative platform evidence | Skills can include scripts/resources and may load by relevance. External skills should be previewed and pinned because silent changes are a supply-chain risk. |
Duplicate Clusters
Section titled “Duplicate Clusters”| Cluster | Sources | Outcome |
|---|---|---|
| Generic code review | local review spine, Sentry, Addy, Sanyuan, Iliaal, Wub, Cogni, frvnk | Do not import another generic reviewer. Make /review the canonical entrypoint. |
| PR comments/remediation loops | xpepper, OpenAI/Tech gh-address-comments, Sentry iterate-pr, Cogni, GitNexus | Keep as post-review approval-gated workflows, not default read-only review. |
| Security review | Sentry, Trail of Bits, OpenAI, GitHub awesome-copilot, narlyse | Use trigger-loaded security, supply-chain, ci, mcp, and agentic lenses. Avoid offensive assumptions. |
| Deep/multi-agent review | local review spine, Liatrio, Iliaal, GitNexus, Addy | Preserve local judge/reconciliation. Borrow blind challenge and fresh-context verifier patterns. |
| Web/UI quality | Addy web-quality, Tech web-design, visual/design audit libraries | Specialist lens only. |
| Generated or mirror noise | GStack-style review variants, registry mirrors, duplicate .claude/.agents/.codex copies | Treat as discovery noise unless source-list exposes a portable skill and unique pattern. |
Design Implications
Section titled “Design Implications”- Keep
/reviewprompt-first, portable, and compact. Do not add root model overrides or blanket skill hooks. - Use the local evidence-first review pipeline as the spine.
- Make simplification and source/provenance first-class lenses instead of separate competing primary skills.
- Separate read-only review from remediation loops and comment-addressing flows.
- Trigger-load specialist lenses: security, supply chain, CI, SQL/data, frontend, accessibility, web quality, MCP, agentic, and docs.
- Require source preview, executable-surface notes, commit/tag pinning, and source-list evidence before external skill install recommendations.
Deferred Audit Queue
Section titled “Deferred Audit Queue”- Deeply inspect high-executable-surface sources before any future curated promotion: Liatrio deep-review, Wub code-review, GitNexus, narlyse security workflows, and xpepper PR loops.
- Update curated external catalog rows only through authoring MDX and generated registry refreshes.
- Keep third-party files external; no external review skill was copied into
skills/.
