AgentSkillsCN

code-review-autopilot

Scans code for security issues, hardcoded secrets, missing error handling, and common "vibe coding" antipatterns. Produces PASS/FAIL verdicts with file and line references. Invoke with the /review command.

SKILL.md
---
name: code-review-autopilot
description: >
  Scans for security issues, hardcoded secrets, missing error handling,
  and vibe coding antipatterns. Produces PASS/FAIL verdicts with file:line references.
  Invoke with /review.
---

Code Review Autopilot

Commands

  • /review — Review all staged/changed files
  • /review <path> — Review a specific file or directory
  • /review --pr — Review the current PR diff against base branch

Review Categories

1. Security (CRITICAL)

  • Hardcoded secrets, API keys, tokens, passwords
  • SQL injection, command injection, XSS vectors
  • Insecure deserialization
  • Missing input validation at system boundaries
  • Overly permissive CORS or auth settings
  • Credentials in logs or error messages

2. Error Handling

  • Bare except/catch blocks that swallow errors
  • Missing error handling on external API calls
  • Unchecked return values from I/O operations
  • Error messages that leak internal details
  • Missing retry/backoff on transient failures

3. Code Quality

  • Functions exceeding 50 lines
  • Cyclomatic complexity above 10
  • Deeply nested conditionals (3+ levels)
  • Dead code or unreachable branches
  • Copy-paste duplication (3+ identical blocks)
  • Magic numbers without named constants

4. Vibe Coding Antipatterns

  • TODO/FIXME/HACK comments left in production code
  • Console.log/print statements not behind a debug flag
  • Commented-out code blocks
  • Placeholder implementations
  • Over-abstraction for single-use cases

5. Dependencies

  • Known vulnerable versions
  • Unused imports or dependencies
  • Circular dependencies

6. Testing

  • Changed logic without corresponding test changes
  • Test files that only test happy paths
  • Flaky test patterns (sleep, timing-dependent assertions)

Output Format

For each issue found, report:

  • Severity: CRITICAL / WARNING / NOTE
  • Location: file:line
  • Description: what the issue is
  • Fix: concrete suggestion

Verdict Rules

  • Any CRITICAL issue = automatic FAIL
  • 3+ warnings in the same category = FAIL
  • Hardcoded secret = immediate FAIL
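As an added example (not the skill's own code), the scanner below implements a handful of the checks from the categories above over one Python file, emits findings in the Severity / Location / Description / Fix shape, and applies the Verdict Rules. The regexes, the category names and the `Finding` layout are assumptions of this example; the sample file and its key value are constructed.

```python
"""Added example (not the skill's own code): a small offline scanner that
implements a handful of the /review checks over one Python file and applies
the Verdict Rules. A real run would walk the staged files or the PR diff."""
import ast
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "category severity location description fix")

# Constructed patterns for the hardcoded-secret check (assumption: a real
# scanner would carry a broader, tuned ruleset with entropy checks).
SECRET_PATTERNS = [
    re.compile(r'(?i)\b(api_key|apikey|secret|token|password)\s*=\s*["\'][^"\']{8,}["\']'),
    re.compile(r'\bAKIA[0-9A-Z]{16}\b'),  # AWS access key id shape
]
TODO_PATTERN = re.compile(r'#\s*(TODO|FIXME|HACK)\b')
MAX_FUNC_LINES = 50


def _line_number(finding):
    return int(finding.location.rsplit(":", 1)[1])


def review_source(path, source):
    """Run line-based and AST-based checks over one file; findings sorted by line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        loc = f"{path}:{lineno}"
        if any(p.search(line) for p in SECRET_PATTERNS):
            findings.append(Finding("security", "CRITICAL", loc, "hardcoded secret",
                                    "read it from the environment or a secrets manager"))
        if TODO_PATTERN.search(line):
            findings.append(Finding("vibe", "NOTE", loc, "TODO/FIXME/HACK left in code",
                                    "resolve it or move it to an issue tracker"))
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        findings.append(Finding("quality", "CRITICAL", f"{path}:{exc.lineno or 0}",
                                "file does not parse", "fix the syntax error first"))
        return sorted(findings, key=_line_number)
    for node in ast.walk(tree):
        loc = f"{path}:{getattr(node, 'lineno', 0)}"
        if isinstance(node, ast.ExceptHandler) and node.type is None:
            # `except:` with no exception type swallows every error
            findings.append(Finding("error-handling", "WARNING", loc,
                                    "bare except swallows every error",
                                    "catch specific exceptions; log or re-raise"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "print"):
            findings.append(Finding("vibe", "WARNING", loc,
                                    "print() not behind a debug flag",
                                    "use the logging module"))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            length = node.end_lineno - node.lineno + 1
            if length > MAX_FUNC_LINES:
                findings.append(Finding("quality", "WARNING", loc,
                                        f"function {node.name} is {length} lines",
                                        "split it into smaller functions"))
    return sorted(findings, key=_line_number)


def verdict(findings):
    """Verdict Rules: any CRITICAL (a hardcoded secret included) fails;
    so do three or more WARNINGs in the same category."""
    if any(f.severity == "CRITICAL" for f in findings):
        return "FAIL"
    per_category = Counter(f.category for f in findings if f.severity == "WARNING")
    if any(count >= 3 for count in per_category.values()):
        return "FAIL"
    return "PASS"


def format_report(findings):
    lines = [f"{f.severity} {f.location}: {f.description} -> fix: {f.fix}"
             for f in findings]
    lines.append(f"Verdict: {verdict(findings)}")
    return "\n".join(lines)


# Constructed sample input; the key value is a made-up placeholder.
SAMPLE = '''\
import requests

API_KEY = "sk-constructed-placeholder-0123456789"

def fetch(url):
    try:
        return requests.get(url).json()
    except:
        pass  # TODO: handle errors

def debug(value):
    print(value)
'''

if __name__ == "__main__":
    print(format_report(review_source("sample.py", SAMPLE)))
```

On the constructed sample the report lists the secret on line 3 as CRITICAL, the bare except on line 8 and the print on line 12 as WARNINGs, the TODO on line 9 as a NOTE, and the verdict is FAIL because of the CRITICAL finding alone; three prints in one file would also fail it under the same-category rule.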

MCMAP-Specific Checks

  • Copilot instructions: verify plain text compliance (no emoji, markdown, curly braces)
  • Solution XML: verify displaynames use displayname not description tags
  • OptionSet prefixes: verify prefix_fieldname not prefixentity_prefix_fieldname
  • KB documents: verify under 36K chars
  • Python scripts: verify no hardcoded Dataverse URLs (must use config)
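As an added example (not the skill's own code), the checkers below implement the five MCMAP-specific rules. The Dataverse URL shape, the emoji character ranges, the `<displaynames>`/`<displayname>` structure and the publisher-prefix convention are assumptions of this example; the sample artefacts are constructed.

```python
"""Added example (not the skill's own code): offline implementations of the
MCMAP-specific checks. Every checker returns a list of (severity, location,
message) tuples; an empty list means the artefact passes that check."""
import re
import xml.etree.ElementTree as ET

KB_MAX_CHARS = 36_000
# Assumption: Dataverse environment URLs have the shape https://<org>.crm<N>.dynamics.com
DATAVERSE_URL = re.compile(r'https?://[a-z0-9-]+\.crm\d*\.dynamics\.com', re.I)
# Assumption: a rough emoji range (misc symbols, pictographs); a production
# check would use a complete Unicode emoji table.
EMOJI = re.compile('[\u2600-\u27BF\U0001F300-\U0001FAFF]')
MARKDOWN_LINE = re.compile(r'^\s*(#{1,6}\s|[-*]\s|\d+\.\s|```|>\s)')
MARKDOWN_INLINE = re.compile(r'\*\*|__|`|\[[^\]]+\]\([^)]+\)')


def check_copilot_instructions(path, text):
    """Plain-text compliance: no emoji, no markdown syntax, no curly braces."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        loc = f"{path}:{n}"
        if "{" in line or "}" in line:
            findings.append(("WARNING", loc, "curly braces in plain-text instructions"))
        if MARKDOWN_LINE.match(line) or MARKDOWN_INLINE.search(line):
            findings.append(("WARNING", loc, "markdown syntax in plain-text instructions"))
        if EMOJI.search(line):
            findings.append(("WARNING", loc, "emoji in plain-text instructions"))
    return findings


def check_solution_xml(path, xml_text):
    """Assumption: each child of <displaynames> must be a <displayname> element."""
    root = ET.fromstring(xml_text)
    return [("WARNING", path, f"<{child.tag}> inside <displaynames>; use <displayname>")
            for parent in root.iter("displaynames")
            for child in parent if child.tag != "displayname"]


def check_optionset_names(path, names, prefix):
    """Names must be prefix_fieldname; flag a repeated publisher prefix
    (prefixentity_prefix_fieldname) or a missing prefix."""
    findings = []
    for name in names:
        if not name.startswith(prefix + "_"):
            findings.append(("WARNING", path, f"{name}: missing {prefix}_ prefix"))
        elif f"_{prefix}_" in name[len(prefix):]:
            findings.append(("WARNING", path, f"{name}: repeated prefix; use {prefix}_fieldname"))
    return findings


def check_kb_length(path, text):
    """KB documents must stay under KB_MAX_CHARS characters."""
    if len(text) >= KB_MAX_CHARS:
        return [("WARNING", path, f"KB document is {len(text)} chars; must be under {KB_MAX_CHARS}")]
    return []


def check_dataverse_urls(path, source):
    """Python scripts must take the Dataverse URL from config, not a literal."""
    return [("WARNING", f"{path}:{n}", "hardcoded Dataverse URL; load it from config")
            for n, line in enumerate(source.splitlines(), start=1)
            if DATAVERSE_URL.search(line)]


if __name__ == "__main__":
    # Constructed sample artefacts, one failing case per check.
    samples = (
        check_copilot_instructions("copilot.txt", "## Deploy\nRun {script}\nDone \U0001F389\nPlain line\n")
        + check_solution_xml("customizations.xml",
            '<Entity><displaynames><description description="Account" languagecode="1033"/></displaynames></Entity>')
        + check_optionset_names("optionsets.xml", ["new_status", "new_account_new_status"], "new")
        + check_kb_length("kb.md", "x" * KB_MAX_CHARS)
        + check_dataverse_urls("sync.py", 'BASE = "https://contoso.crm4.dynamics.com/api/data/v9.2"\n')
    )
    for severity, location, message in samples:
        print(f"{severity} {location}: {message}")
```

Each checker takes the artefact's text rather than a path so it can run over a PR diff, a staged file or an in-memory string alike; wiring it into the Output Format above only needs the tuples mapped onto Severity / Location / Description.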