Skip to main content
Agent Type: Code Review and Quality AssuranceTools: Read, Glob, Grep, Bash

Overview

The Reviewer agent is a code review specialist that performs comprehensive quality checks on code changes. It examines logic correctness, edge cases, error handling, security vulnerabilities, performance issues, and test coverage before changes are committed or merged.

When to Use

Use the Reviewer agent:

Before Committing

Review changes before creating commits

Pull Request Reviews

Comprehensive PR review before merging

Security Audits

Check for security vulnerabilities and injection risks

After Major Changes

Quality check after significant refactoring or features

Configuration

---
name: reviewer
description: Code review specialist that checks for logic errors, security issues, and quality problems. Use before committing, for PR reviews, or after major changes.
tools: ["Read", "Glob", "Grep", "Bash"]
---

Available Tools

Read
tool
Read files to examine code changes
Glob
tool
Find related files that may be affected
Grep
tool
Search for patterns, potential issues, or similar code
Bash
tool
Run linters, tests, and other quality tools

Review Checklist

The Reviewer examines code across 6 critical dimensions:
Does it do what’s intended?
  • Algorithm correctness
  • Business logic accuracy
  • Control flow validation
  • Return value correctness
  • Conditional logic completeness
Null, empty, bounds?
  • Null/undefined handling
  • Empty array/string/object checks
  • Array bounds checking
  • Off-by-one errors
  • Overflow/underflow conditions
  • Unicode and special character handling
Proper handling?
  • Try-catch blocks where needed
  • Error messages are helpful
  • Errors propagate correctly
  • No swallowed errors
  • Graceful degradation
  • User-facing error messages are clear
Injection, auth, secrets?
  • SQL injection prevention
  • XSS protection
  • CSRF token validation
  • Authentication checks
  • Authorization verification
  • No hardcoded secrets
  • Input sanitization
  • Output encoding
O(n²) loops, memory?
  • Time complexity reasonable
  • No nested loops on large data
  • Database query efficiency
  • Memory leaks prevented
  • Unnecessary re-renders avoided
  • Lazy loading where appropriate
  • Caching opportunities
Coverage adequate?
  • Tests exist for new code
  • Edge cases are tested
  • Error paths are tested
  • Integration tests if needed
  • Test clarity and maintainability

Output Format

The Reviewer provides feedback organized by severity: 
## Review: [Files/PR]

### Critical
- [Must fix before merge]
- file.ts:42 - SQL injection vulnerability in query construction
- auth.ts:15 - Missing authentication check on admin endpoint

### High
- [Should fix]
- utils.ts:89 - Potential null pointer dereference
- api.ts:120 - No error handling for network failures

### Medium
- [Nice to fix]
- component.tsx:55 - Unnecessary re-render on every keystroke
- helpers.ts:200 - Could simplify with Array.find()

### Low
- [Suggestions]
- styles.css:10 - Consider using CSS variables for colors
- README.md:5 - Typo in documentation

### Approved?
[Yes/No with conditions]
Yes, pending Critical and High issues are fixed.

Severity Levels

Critical

Must fix before mergeSecurity vulnerabilities, data corruption risks, production-breaking bugs

High

Should fixLogic errors, missing error handling, significant performance issues

Medium

Nice to fixCode quality, minor performance improvements, refactoring opportunities

Low

SuggestionsStyle improvements, documentation, best practices

Example Reviews

// Code being reviewed:
app.post('/api/user', async (req, res) => {
  const { name, email } = req.body;
  const result = await db.query(
    `INSERT INTO users (name, email) VALUES ('${name}', '${email}')`
  );
  res.json(result);
});

// Reviewer output:
## Review: API Endpoint

### Critical
- api.ts:4 - SQL injection vulnerability. User input directly interpolated into query.
  FIX: Use parameterized queries: `db.query('INSERT INTO users (name, email) VALUES (?, ?)', [name, email])`

### High
- api.ts:2 - No input validation. Email could be invalid.
  FIX: Validate email format before inserting
- api.ts:1 - Missing authentication. Anyone can create users.
  FIX: Add auth middleware
- api.ts:7 - No error handling for database failures
  FIX: Wrap in try-catch

### Medium
- api.ts:7 - Exposes internal database result to client
  FIX: Return only necessary fields: `res.json({ id: result.id, name, email })`

### Approved?
No - Critical and High issues must be fixed.

Rules and Constraints

The Reviewer follows strict rules:
The Reviewer never automatically approves code without performing a thorough review.
Security checks are mandatory. The Reviewer always examines code for vulnerabilities.
The Reviewer doesn’t just flag problems—it suggests specific fixes and improvements.

Best Practices

1

Review Early

Run Reviewer before committing, not just before merging. Catch issues early.
2

Address Critical First

Fix Critical issues immediately. They represent security risks or production bugs.
3

Consider Context

Some “issues” may be intentional. Use judgment when applying suggestions.
4

Automate Quality Gates

Integrate Reviewer into CI/CD pipelines for consistent quality checks.

Common Issues Detected

Security Vulnerabilities

// BAD
db.query(`SELECT * FROM users WHERE id = ${userId}`);

// GOOD
db.query('SELECT * FROM users WHERE id = ?', [userId]);

Logic Errors

// BAD
function getFirstName(user) {
  return user.name.split(' ')[0];
}

// GOOD
function getFirstName(user) {
  return user?.name?.split(' ')[0] || 'Unknown';
}

Performance Issues

// BAD
for (const user of users) {
  user.posts = await db.query('SELECT * FROM posts WHERE userId = ?', [user.id]);
}

// GOOD
const userIds = users.map(u => u.id);
const posts = await db.query('SELECT * FROM posts WHERE userId IN (?)', [userIds]);
// then group by userId

Integration with CI/CD

Integrate Reviewer into your development workflow:
Set up pre-commit hooks to run Reviewer automatically before each commit.

Comparison with Other Agents

FeatureReviewerPlannerDebugger
PurposeQuality checksTask planningBug fixing
TimingBefore commitBefore implementationWhen bugs occur
Makes changesNoNoYes (with approval)
FocusCode qualityArchitectureRoot cause

Next Steps

Debugger

Systematic debugging for issues found by Reviewer

Orchestrator

Multi-phase development with built-in quality gates

Build docs developers (and LLMs) love

Get started for freeTalk to us