code-review-playbook

Medium Risk

Standardize Code Reviews

Inconsistent reviews slow teams and make feedback harder to act on. This skill provides checklists, comment formats, and templates for clear review workflows.

Supports: Claude, Codex, Claude Code (CC)

Quality score: 71 (Adequate)

Getting started:

  1. Download the skill ZIP.
  2. Upload in Claude: go to Settings → Capabilities → Skills → Upload skill.
  3. Toggle it on and start using it.

Test it

Using "code-review-playbook". Review a PR that adds payment retry logic and new tests.

Expected outcome:

  • Summary of the change and review decision.
  • Blocking issues grouped by severity and file location.
  • Non-blocking suggestions with clear rationale.
  • Testing gaps and follow-up actions.

Using "code-review-playbook". Help write a PR description for a new API endpoint.

Expected outcome:

  • Concise description of what changed and why.
  • Testing instructions for reviewers.
  • Security, database, and compatibility checklist items.
  • Risk notes and rollback considerations.

Using "code-review-playbook". Turn informal review notes into conventional comments.

Expected outcome:

  • Comments labeled as issue, suggestion, question, nitpick, praise, or security.
  • Blocking status is made explicit where needed.
  • Each comment explains impact and recommended action.

Security Audit

Medium Risk
v6 • 6/28/2026

Static command, crypto, reconnaissance, and network flags were reviewed as Markdown examples, checklist labels, or documentation links rather than executable behavior. No malicious intent, prompt-injection text, credential exfiltration, or runnable command execution was found. The main concern is that copyable LLM review automation examples interpolate untrusted diffs and code into prompts without prompt-injection guidance.

Files scanned: 4
Lines analyzed: 1,983
Findings: 4
Total audits: 6
Medium Risk Issues (1)
Untrusted Code Interpolated Into LLM Review Prompts
The skill includes copyable TypeScript examples that place PR diffs, codebase context, and source code directly inside LLM prompt strings. This is not executable by the skill itself, but users who adopt the pattern should add prompt-injection boundaries and treat reviewed code as untrusted input.
Low Risk Issues (3)
Static Command Execution Flags Are Markdown Examples
The external command detections come from Markdown fences, inline code, and review instructions such as git checkout, npm audit, pip-audit, and TypeScript examples. No script file, runtime hook, or automatic command execution path was found.
Static Crypto and Reconnaissance Flags Are Review Vocabulary
The weak cryptography, system reconnaissance, and network reconnaissance detections are checklist and template language for reviewers. They describe what users should look for in reviewed code and do not implement crypto, scanning, or reconnaissance behavior.
Hardcoded URLs Are Documentation References
The network flags point to an Anthropic documentation link and a localhost testing placeholder. They do not send data to an external service and do not indicate exfiltration.
Audited by: codex

Quality Score

Architecture: 55
Maintainability: 100
Content: 87
Community: 72
Security: 54
Spec Compliance: 74

What You Can Build

Review Pull Requests Consistently

Use the checklist and comment labels to review changes with clear severity and actionable feedback.

Prepare Changes Before Review

Run a self-review with the pull request template before asking teammates for feedback.

Define Team Review Standards

Adopt the templates and process guidance as a baseline for team review norms.

Try These Prompts

Review a Small Pull Request
Use the code-review-playbook to review this small pull request. Focus on correctness, tests, and clear conventional comments.
Prepare a PR Description
Use the pull request template from the code-review-playbook to help me prepare a complete PR description and testing notes.
Triage Review Feedback
Use the review feedback patterns to classify these comments as blocking, non-blocking, questions, or nitpicks.
Design a Team Review Standard
Use the code-review-playbook to create a team review policy with severity labels, reviewer expectations, and merge criteria.

Best Practices

  • Review the pull request description and tests before reading line-by-line changes.
  • Use conventional labels to make severity and merge impact clear.
  • Separate must-fix defects from preferences and follow-up improvements.

Avoid

  • Blocking a merge for subjective style preferences that automation can handle.
  • Leaving vague feedback without explaining the impact or a possible fix.
  • Approving large or risky changes without checking tests, security, and rollout impact.

Frequently Asked Questions

Does this skill run code review tools automatically?
No. It provides review guidance, checklists, and templates. You must run tests and scanners separately.
Can it be used with Claude, Codex, and Claude Code?
Yes. The report lists support for Claude, Codex, and Claude Code workflows.
What review style does it encourage?
It encourages specific, kind, actionable feedback with clear severity labels.
Is it only for security reviews?
No. It covers quality, testing, architecture, performance, documentation, and security checks.
Can teams customize the templates?
Yes. Teams should adapt labels, merge rules, and checklist items to their codebase.
What is the main security caution?
Copyable LLM review examples should add prompt-injection safeguards before production use.