TopRank Skills

afrexai-code-reviewer

Enterprise-grade code review agent. Reviews PRs, diffs, or code files for security vulnerabilities, performance issues, error handling gaps, architecture smells, and test coverage. Works with any language, any repo, no dependencies required.

Stars: 0
Installs: 0
Status: ACTIVE
Visibility: PUBLIC

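Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

First check whether the SkillHub store is installed. If it is not, install the SkillHub store by following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the afrexai-code-reviewer skill. If it is already installed, install the afrexai-code-reviewer skill directly.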

Overview

Skill Key: 1kalin/afrexai-code-reviewer
Author: 1kalin
Source Repo: openclaw/skills
Version: -
Source Path: skills/1kalin/afrexai-code-reviewer
Latest Commit SHA: 3f66de07b759404e5df1a2de6ea6f918ae708819

Extracted Content

SKILL.md excerpt

# Code Review Engine

Enterprise-grade automated code review. Works on GitHub PRs, local diffs, pasted code, or entire files. No dependencies — pure agent intelligence.

## Quick Start

### Review a GitHub PR
```
Review PR #42 in owner/repo
```

### Review a local diff
```
Review the staged changes in this repo
```

### Review a file
```
Review src/auth/login.ts for security issues
```

### Review pasted code
Just paste code and say "review this"

---

## Review Framework: SPEAR

Every review follows the **SPEAR** framework — 5 dimensions, each scored 1-10:

### 🔴 S — Security (Weight: 3x)
| Check | Severity | Example |
|-------|----------|---------|
| Hardcoded secrets | CRITICAL | API keys, passwords, tokens in source |
| SQL injection | CRITICAL | String concatenation in queries |
| XSS vectors | HIGH | Unsanitized user input in HTML/DOM |
| Path traversal | HIGH | User input in file paths without validation |
| Insecure deserialization | HIGH | `eval()`, `pickle.loads()`, `JSON.parse` on untrusted input |
| Auth bypass | CRITICAL | Missing auth checks on endpoints |
| SSRF | HIGH | User-controlled URLs in server requests |
| Timing attacks | MEDIUM | Non-constant-time string comparison for secrets |
| Dependency vulnerabilities | MEDIUM | Known CVEs in imported packages |
| Sensitive data logging | MEDIUM | PII, tokens, passwords in log output |
| Insecure randomness | MEDIUM | `Math.random()` for security-sensitive values |
| Missing rate limiting | MEDIUM | Auth endpoints without throttling |

### 🟡 P — Performance (Weight: 2x)
| Check | Severity | Example |
|-------|----------|---------|
| N+1 queries | HIGH | DB call inside a loop |
| Unbounded queries | HIGH | `SELECT *` without LIMIT on user-facing endpoints |
| Missing indexes (implied) | MEDIUM | Frequent WHERE/ORDER on unindexed columns |
| Memory leaks | HIGH | Event listeners never removed, growing caches |
| Blocking main thread | HIGH | Sync I/O in async context, CPU-heavy in event loop |
| Unnece...

README excerpt

# AfrexAI Code Reviewer

Enterprise-grade automated code review for your AI agent. Reviews GitHub PRs, local diffs, or pasted code using the **SPEAR framework** — Security, Performance, Error Handling, Architecture, Reliability.

## Install

```bash
clawhub install afrexai-code-reviewer
```

## What You Get

- **SPEAR scoring system** — 5 dimensions, weighted, 0-100 final score with clear verdicts
- **60+ specific patterns** across TypeScript, Python, Go, Java, and SQL
- **4 severity levels** with point deductions that drive the score
- **Structured output template** — every review is consistent and actionable
- **Security review depth levels** — Quick, Standard, Deep, Threat Model
- **Quick checklist mode** for fast reviews
- **GitHub & local git integration** — works with `gh` CLI or raw diffs
- **Heartbeat/cron ready** — auto-review new PRs on a schedule

## Usage

Just tell your agent:

```
Review PR #42 in my-org/my-repo
```

```
Review the staged changes in this repo
```

```
Do a deep security review of src/auth/
```

## vs Other Review Skills

| Feature | Others | AfrexAI |
|---------|--------|---------|
| Scoring system | ❌ | ✅ SPEAR 0-100 |
| Language patterns | 2-3 | 5+ languages, 60+ patterns |
| Security depth levels | ❌ | ✅ 4 levels |
| Architecture review | ❌ | ✅ coupling, layers, complexity |
| Business logic review | ❌ | ✅ spec matching, edge cases |
| Operability review | ❌ | ✅ rollback, monitoring, flags |
| No dependencies | ❌ (needs scripts) | ✅ pure agent skill |

## ⚡ Level Up

Want code review as part of a complete engineering workflow? Check out our **SaaS Context Pack** — includes code review, incident response, deployment checklists, and more.

👉 [Browse Context Packs ($47)](https://afrexai-cto.github.io/context-packs/)

## 🔗 More Free Skills by AfrexAI

- [afrexai-lead-hunter](https://clawhub.com/skill/afrexai-lead-hunter) — ICP-driven lead generation
- [afrexai-seo-content-engine](https://clawhub.com/skill/afrexai-seo-cont...
