Best Claude skills for code review in 2026
Code review is where bugs die — or sneak through. The best Claude skills for code review act as a tireless second pair of eyes, scanning diffs for correctness, security issues, performance regressions, and missing tests before a human ever opens the PR. Each skill below is a SKILL.md file you can install in one command and use across Claude Code, Cursor, and any MCP-compatible editor. They are ranked by install count, so the list reflects what working developers reach for first. Pick one, install it, and let it ride along on every review you do.
Top 10 skills
1. code-review (19 installs)
Thorough code review — checks correctness, security, performance, readability, and test coverage. Gives actionable feedback ranked by severity.

2. security-review (4 installs, from Skills Hub)
Security audit and vulnerability assessment for any codebase. Scans for authentication bypasses, missing auth middleware, broken JWT validation (algorithm confusion, weak secrets, missing expiry), OAuth state and PKCE flaws, IDOR and horizontal privilege escalation, vertical privilege escalation via role manipulation, SQL injection, NoSQL injection, XSS (stored, reflected, DOM), command injection, path traversal, SSRF, CSRF, hardcoded secrets and API keys (sk_live_, AKIA, ghp_), .env and credential file exposure, PII leaking in logs and error responses, overfetching sensitive fields, CORS misconfiguration, session fixation, missing secure/httpOnly/sameSite cookie flags, and Firebase/Firestore rule weaknesses. Produces a severity-ranked findings report with exploit scenarios and fix recommendations. Covers the OWASP Top 10.

3. arch-review (2 installs, from Skills Hub)
Architect-level story review and implementation validation with domain consistency analysis. Use it with a story to get design feedback before coding, or on a branch to validate completeness after coding.

4. api-review (2 installs, from Skills Hub)
Reviews API design against REST best practices and internal consistency. Audits naming conventions, HTTP method semantics, status code correctness, pagination and filtering patterns, error response format, versioning strategy, rate limiting, idempotency keys, HATEOAS links, and content negotiation. Works with Express, Fastify, Hono, Flask, Django REST, Spring, Rails, Gin, and any HTTP API framework. Use it when you need to review an API, audit REST endpoints, check API consistency, fix HTTP status codes, add pagination, or prepare an API for public release.

5. refactor (1 install)
Systematic code refactoring — extract functions, reduce complexity, eliminate duplication, improve naming, and split large files. Preserves behavior with tests.

6. cfo-review (1 install, from Skills Hub)
Conducts a CFO-perspective financial impact review of a codebase. Analyzes infrastructure costs and scaling projections, pricing model alignment with architecture, build-vs-buy economics, technical debt as a financial liability, revenue system readiness, engineering burn rate efficiency, and compliance cost exposure. Produces a financial impact report with unit economics, cost projections at 10x/100x scale, and ROI-ranked investment recommendations. Use it when you need a financial review of a tech product, cost analysis at scale, a pricing model feasibility check, Series A due diligence prep, an engineering ROI assessment, or a compliance cost estimate.

7. care-burnout-audit (1 install, from Skills Hub)
Audits healthcare and caregiving software for provider burnout risk factors. Analyzes workload distribution fairness, scheduling equity, documentation burden, alert fatigue indicators, break and rest compliance, overtime patterns, and systemic contributors to staff burnout. Produces a burnout risk scorecard with actionable recommendations tied to patient safety outcomes. Use it when you need to audit healthcare worker burnout, review caregiver scheduling fairness, assess clinical documentation burden, detect alert fatigue, check nurse staffing ratios, evaluate EHR workflow efficiency, or review care facility labor compliance.

8. cto-review (from Skills Hub)
Conducts a CTO-perspective technical strategy review of a codebase. Evaluates architecture decisions and build-vs-buy trade-offs, scaling readiness at 10x and 100x, engineering velocity and developer experience, technical debt ratio and blast radius, security posture at executive level, team scalability for hiring, and infrastructure cost efficiency. Produces a strategic risk matrix, an architecture scorecard, and ranked investment priorities. Use it when you need a technical strategy review, architecture assessment, scaling readiness check, tech debt audit, engineering velocity evaluation, Series A technical due diligence, or a CTO-level briefing before a board meeting or fundraise.

9. database-review (from Skills Hub)
Reviews database schema design, query patterns, and the data access layer for correctness and performance. Checks normalization balance, index coverage against the queries actually run, constraint completeness (NOT NULL, FK, unique, check, defaults), data type correctness (money as DECIMAL not FLOAT, timestamps with timezone), N+1 query detection, connection pooling configuration, transaction safety, and migration hygiene. Supports PostgreSQL, MySQL, SQLite, MongoDB, Firestore, DynamoDB, and all major ORMs. Use it when you need to review a database schema, find missing indexes, detect N+1 queries, audit data types, check constraint coverage, optimize query patterns, or assess database scaling readiness.

10. environmental-compliance (from Skills Hub)
Audits environmental software for EPA reporting (CEDRI, NetDMR, RCRAInfo), Clean Air Act (Title V, NESHAP, CEMS, TRI), Clean Water Act (NPDES, SWPPP, SPCC), RCRA hazardous waste tracking (manifests, biennial reports), NEPA environmental impact assessment workflows, GHG reporting, and compliance calendar management. Use it when reviewing environmental management systems, permit tracking, emissions monitoring, waste management, or environmental impact assessment software.
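To make concrete what a "severity-ranked findings report" over a diff looks like for two of the checks the security-review skill (entry 2) lists, here is an added example. It is not the skill's own code and does not show how the skill is implemented; it is a small standalone scanner that walks the added lines of a unified diff, flags hardcoded secrets with the sk_live_ / AKIA / ghp_ prefixes the entry names and Set-Cookie headers missing Secure, HttpOnly or SameSite, and sorts the findings by severity. The token-length requirements in the patterns, the sample diff, and the key-looking values in it are all constructed for the example.

```python
"""Added example (not the security-review skill's own code): scan the added
lines of a unified diff for hardcoded secrets with known prefixes and for
Set-Cookie headers lacking hardening flags, then report findings by severity."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Prefixes named in the skill description. The minimum lengths after the
# prefix are an assumption chosen so bare prefixes in identifiers don't match.
SECRET_PATTERNS = {
    "Stripe live secret key": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}"),
    "AWS access key ID": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
}
REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")
SET_COOKIE = re.compile(r"set-cookie:?\s*(.+)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    file: str
    line: int  # line number in the new version of the file
    message: str


def _check_line(text, file, line):
    out = []
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(text):
            out.append(Finding("critical", file, line,
                               f"hardcoded {name}; move it to a secret store and rotate it"))
    m = SET_COOKIE.search(text)
    if m:
        attrs = m.group(1).lower()
        missing = [f for f in REQUIRED_COOKIE_FLAGS if f.lower() not in attrs]
        if missing:
            out.append(Finding("high", file, line,
                               "Set-Cookie without " + ", ".join(missing)))
    return out


def scan_diff(diff_text):
    """Return findings for added lines only, sorted critical -> high -> medium."""
    findings = []
    current_file, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: b/path/to/file
            current_file = raw[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
        elif raw.startswith("@@"):            # hunk header: @@ -old,n +new,m @@
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):             # added line
            new_line += 1
            findings.extend(_check_line(raw[1:], current_file, new_line))
        elif raw.startswith(" "):             # unchanged context line
            new_line += 1
        # removed lines ("-") and metadata lines don't advance the new-file counter
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))
    return findings


def format_report(findings):
    return "\n".join(f"[{f.severity.upper()}] {f.file}:{f.line} {f.message}"
                     for f in findings)


# Constructed sample diff; the key values are fake and chosen to match the patterns.
SAMPLE_DIFF = """\
diff --git a/src/payments.py b/src/payments.py
--- a/src/payments.py
+++ b/src/payments.py
@@ -10,4 +10,5 @@ import stripe
 import os
-stripe.api_key = os.environ["STRIPE_KEY"]
+stripe.api_key = "sk_live_51H8abcdefghijklmnopqrstuv"
+S3_KEY = "AKIAIOSFODNN7EXAMPLE"
 def charge(amount):
     pass
diff --git a/src/session.js b/src/session.js
--- a/src/session.js
+++ b/src/session.js
@@ -1,2 +1,3 @@
 function setSession(res, sid) {
+  res.setHeader("Set-Cookie", `sid=${sid}; Path=/; HttpOnly`);
 }
"""

if __name__ == "__main__":
    print(format_report(scan_diff(SAMPLE_DIFF)))
```

Running the block reports two CRITICAL findings for src/payments.py (lines 11 and 12) and one HIGH finding for the cookie in src/session.js (line 2), which is missing Secure and SameSite. Scanning only added lines keeps the report focused on what the PR introduces; a real skill would extend the pattern table and also look at cookie-setting framework calls such as Express's res.cookie.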
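Two of the checks the database-review skill (entry 9) lists, N+1 query detection and index coverage against the queries actually run, are easy to misunderstand as static pattern matching; they are really about observing what the database executes. The following added example, which is not the skill's own code, demonstrates both on an in-memory SQLite database using only Python's standard library: it counts the statements a data-access function issues through sqlite3's trace callback, and it asks EXPLAIN QUERY PLAN whether a filtered query falls back to a full table scan. The schema, table names, and rows are constructed for the example.

```python
"""Added example (not the database-review skill's own code): detect an N+1
access pattern by counting executed statements, and check index coverage for
a query with EXPLAIN QUERY PLAN, on an in-memory SQLite database."""
import sqlite3

# Constructed schema. Money is stored in integer minor units rather than FLOAT.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    total_cents INTEGER NOT NULL
);
"""
ORDERS_BY_CUSTOMER = "SELECT total_cents FROM orders WHERE customer_id = ?"


def make_db(with_index):
    """50 customers with 3 orders each; optionally index the foreign key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if with_index:
        conn.execute("CREATE INDEX orders_customer_id ON orders(customer_id)")
    conn.executemany("INSERT INTO customers(id, email) VALUES (?, ?)",
                     [(i, f"user{i}@example.com") for i in range(1, 51)])
    conn.executemany("INSERT INTO orders(customer_id, total_cents) VALUES (?, ?)",
                     [(i, 1999) for i in range(1, 51) for _ in range(3)])
    conn.commit()
    return conn


def orders_per_customer_n_plus_1(conn):
    """Anti-pattern: one query for the parents, then one more per parent."""
    totals = {}
    for (cid,) in conn.execute("SELECT id FROM customers"):
        rows = conn.execute(ORDERS_BY_CUSTOMER, (cid,)).fetchall()
        totals[cid] = sum(r[0] for r in rows)
    return totals


def orders_per_customer_joined(conn):
    """Fix: a single aggregate join returns the same totals in one statement."""
    sql = ("SELECT c.id, COALESCE(SUM(o.total_cents), 0) FROM customers c "
           "LEFT JOIN orders o ON o.customer_id = c.id GROUP BY c.id")
    return dict(conn.execute(sql).fetchall())


def count_queries(conn, fn):
    """Run fn(conn) and return (result, number of SQL statements executed)."""
    statements = []
    conn.set_trace_callback(statements.append)  # fires once per executed statement
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return result, len(statements)


def full_scans(conn, sql, params=()):
    """Return the plan lines where SQLite reports a full table SCAN for this query.

    EXPLAIN QUERY PLAN rows are (id, parent, notused, detail); an indexed lookup
    reports 'SEARCH ... USING INDEX ...' instead of 'SCAN ...'."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return [row[3] for row in plan if row[3].startswith("SCAN")]


def review(with_index):
    """Return (n+1 statement count, joined statement count, scans for the lookup)."""
    conn = make_db(with_index)
    _, naive_count = count_queries(conn, orders_per_customer_n_plus_1)
    _, joined_count = count_queries(conn, orders_per_customer_joined)
    scans = full_scans(conn, ORDERS_BY_CUSTOMER, (1,))
    conn.close()
    return naive_count, joined_count, scans


if __name__ == "__main__":
    for indexed in (False, True):
        naive, joined, scans = review(indexed)
        print(f"index on orders.customer_id: {indexed}")
        print(f"  N+1 version executed {naive} statements, join version {joined}")
        print(f"  full scans for the per-customer lookup: {scans or 'none'}")
```

With 50 customers the naive function executes 51 statements against the join's single statement, and without the index the per-customer lookup shows a SCAN of the orders table in its plan; adding the index turns it into a SEARCH using the index. The same two probes (statement count per request, EXPLAIN on the hot queries) are what you would ask a reviewer, human or skill, to run against the real access layer rather than guessing from the ORM code.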
How to install
Every skill on this page is a SKILL.md file you can install with one command. The CLI writes the skill into the right directory for Claude Code, Cursor, Codex CLI, Windsurf, or any MCP-compatible tool.