Skip to main content
Get independent code reviews from external LLM CLIs (OpenAI Codex, Google Gemini) on uncommitted changes, branch diffs, or specific commits.

Overview

The Second Opinion plugin shells out to external LLM CLIs for independent code reviews powered by separate models. It supports both OpenAI Codex CLI and Google Gemini CLI, with options to run them individually or compare results side-by-side. Author: Dan Guido

Features

Dual Model Support

Run reviews with OpenAI Codex (gpt-5.3-codex) or Google Gemini (gemini-3.1-pro-preview), or both for comparison

Multiple Scopes

Review uncommitted changes, branch diffs vs main, or specific commits

Focused Reviews

General review, security, performance, or error handling focus areas

Project-Aware

Optionally include CLAUDE.md or AGENTS.md for context-aware reviews

Prerequisites

OpenAI Codex CLI

1

Install Codex CLI

npm i -g @openai/codex
2

Configure Authentication

Requires OpenAI API key or ChatGPT Plus subscription configured for Codex

Google Gemini CLI

1

Install Gemini CLI

npm i -g @google/gemini-cli
2

Authenticate

gemini auth login
3

Install Extensions

gemini extensions install https://github.com/gemini-cli-extensions/code-review
gemini extensions install https://github.com/gemini-cli-extensions/security

Installation

/plugin marketplace add trailofbits/skills
/plugin install second-opinion

Usage

1

Invoke the Command

/second-opinion
or with inline arguments:
/second-opinion check the uncommitted changes for security issues
2

Answer Questions

Claude asks up to 4 questions (skips any already specified):
  1. Review tool - Codex, Gemini, or both (default: both)
  2. Review scope - Uncommitted, branch diff, or specific commit
  3. Project context - Include CLAUDE.md/AGENTS.md? (if exists)
  4. Review focus - General, security, performance, or error handling
3

Review Diff Stats

Claude shows what will be reviewed:
6 files changed, 103 insertions(+), 15 deletions(-)
If the diff is empty, Claude stops. If very large (>2000 lines), Claude warns.
4

Run Review

For “Both” (default), Claude runs Codex and Gemini in parallel.For single tool, Claude runs just that tool.
5

View Results

Results are presented with clear headers:
## Codex Review (gpt-5.3-codex)
[structured findings by priority]

## Gemini Review (gemini-3.1-pro-preview)
[gemini output]

## Summary
Both reviews agree on:
- Missing input validation in auth.py:45

Codex flagged but Gemini didn't:
- Performance concern in db.py:123

Review Scopes

Uncommitted Changes

Reviews all uncommitted work (tracked and untracked files): 
git diff HEAD
git ls-files --others --exclude-standard

Branch Diff vs Main

Reviews all changes in current branch since it diverged from default branch: 
# Auto-detects default branch (main, master, etc.)
git diff <default-branch>...HEAD

Specific Commit

Reviews changes introduced by a single commit: 
git diff <sha>~1..<sha>

Focus Areas

Broad code review covering:
  • Code quality and maintainability
  • Potential bugs and edge cases
  • Best practices and patterns
  • Documentation completeness

Codex vs Gemini

FeatureCodexGemini
Modelgpt-5.3-codexgemini-3.1-pro-preview
ReasoningxhighDefault
OutputStructured JSON findings by priorityNatural language
Headlesscodex exec with stdingemini -p with stdin
ExtensionsNonecode-review, security
Dependency ScanN/A/security:scan-deps (when security focus + manifest changed)
Running both (the default) provides comparison and validation. Where they agree, findings are higher confidence.

Codex Invocation Details

codex exec \
  --sandbox read-only \
  --ephemeral \
  --output-schema codex-review-schema.json \
  -o "$output_file" \
  - < "$prompt_file"
  • Uses OpenAI’s published code review prompt (fine-tuned into model)
  • Diff is piped via stdin with the prompt
  • --output-schema produces structured JSON findings
  • -o captures only final message (no thinking/exec noise)
  • Falls back to gpt-5.2-codex on auth errors
  • Timeout: 600 seconds

Gemini Invocation Details

Uncommitted General Review

gemini -p "/code-review" --yolo -e code-review

Branch/Commit Diffs

git diff <scope> > /tmp/review-diff.txt
{ printf '%s\n\n' 'Review this diff for issues.'; cat /tmp/review-diff.txt; } \
  | gemini -p - --yolo -m gemini-3.1-pro-preview

Security Focus

# With custom security prompt piped to stdin
gemini -p - --yolo -m gemini-3.1-pro-preview -e gemini-cli-security
Safety Note: Gemini CLI is invoked with --yolo, which auto-approves all tool calls without confirmation. Required for headless operation.

Dependency Scanning

When security focus is selected AND the diff touches dependency manifest files, Claude also runs: 
/security:scan-deps
Manifest files detected:
  • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
  • requirements.txt, setup.py, pyproject.toml, uv.lock, poetry.lock
  • Cargo.toml, Cargo.lock
  • go.mod, go.sum
  • Gemfile, *.gemspec
  • composer.json, composer.lock
The scan is skipped if no manifest files are in the diff, since it analyzes the entire dependency tree (time-consuming with zero value when deps weren’t touched).

Usage Examples

User: /second-opinion

Claude: [asks 4 questions]

User: defaults (both tools, uncommitted, no context, general)

Claude: [shows diff stats: 3 files, +45 -10]

Claude: [runs codex exec and gemini in parallel]

Claude:
## Codex Review (gpt-5.3-codex)

### High Priority
- auth.py:45 - Missing input validation on username parameter

### Medium Priority
- db.py:123 - N+1 query in user lookup loop

## Gemini Review (gemini-3.1-pro-preview)

Found potential issues:
1. The username field in auth.py is not validated...
2. Consider adding rate limiting to the login endpoint...

## Summary
Both reviews flagged the missing input validation in auth.py:45.
Codex also identified a performance issue in db.py:123.

Error Handling

ErrorAction
codex: command not foundShow install: npm i -g @openai/codex
gemini: command not foundShow install: npm i -g @google/gemini-cli
Gemini extension missingShow install: gemini extensions install <url>
Model auth error (Codex)Retry with gpt-5.2-codex
Empty diffStop and inform user
TimeoutInform user, suggest narrowing scope
Tool partially unavailableRun only available tool, note the skip

Codex MCP Tools

This plugin bundles Codex CLI’s built-in MCP server (codex mcp-server), which auto-starts when the plugin is installed:
  • codex - Start new Codex session with prompt, model, sandbox, approval policy
  • codex-reply - Continue existing session by thread ID for multi-turn conversations
These tools work independently of the /second-opinion command. Use them for direct programmatic access to Codex.
  • Modern Python - Reviews can check for modern Python best practices
  • GH CLI - Can review branch diffs before opening PRs
  • Git Cleanup - Can review branches before cleanup

Build docs developers (and LLMs) love

Get started for freeTalk to us