AI Skill Report Card
Conducting Technical Reviews
Technical Review Framework
Quick Start (15 / 15)
For Code:
Python:
# Review this function
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query).fetchone()
Immediate Output:
- Critical: SQL injection via string interpolation (file:line 2)
- Fix: Use parameterized queries:
"SELECT * FROM users WHERE id = %s", (user_id,)
For n8n Workflows:
- Identify trigger type, security posture, error handling gaps
- Flag missing retries, timeouts, and observability
Recommendation:
Condense the extensive checklists - they're comprehensive but make the skill quite long. Consider grouping related items or creating abbreviated versions.
Standard Output Template
Mode: [code_review | n8n_workflow | hybrid]
Environment: [runtime/versions, deployment, constraints]
Assumptions: [trust boundaries, data sensitivity, missing context]
Executive Summary
Must fix before merge/go-live (Blockers):
- [Critical/High items]
Should fix soon:
- [Medium items]
Nice to have:
- [Low/Info improvements]
Findings (by Category)
Security
- Finding: [What is wrong]
- Severity: [Critical/High/Medium/Low/Info] (Impact: X × Likelihood: Y)
- Why it matters: [Business/technical risk]
- Evidence: [file:line OR node/config reference]
- Recommendation: [Concrete fix]
- Example fix: [Minimal snippet or node config]
Correctness & Reliability
[Same structure]
Performance
[Same structure]
Architecture & Maintainability
[Same structure]
Observability & Ops Readiness
[Same structure]
Validation Plan
- Unit tests: [specific test cases]
- Integration tests: [end-to-end flows]
- Staging/Prod validation: [rollout plan, metrics to watch, rollback]
Review Workflow
Progress:
- Scope Analysis: Identify review type, environment, assumptions
- Security Scan: Run through security checklist systematically
- Reliability Check: Verify error handling, retries, edge cases
- Performance Review: Identify bottlenecks and scaling issues
- Architecture Assessment: Evaluate maintainability and design
- Severity Triage: Categorize findings into Blocker/Should Fix/Nice-to-have
- Validation Planning: Define testing and rollout strategy
Review Checklists
Code Review Checklist
Security
- Input validation/sanitization, injection (SQL/NoSQL/command), XSS/CSRF
- Authentication/authorization (object-level checks / IDOR)
- Secrets handling, PII exposure, logging redaction
- SSRF, unsafe deserialization, path traversal
Correctness & Reliability
- Edge cases, null handling, error conditions
- Concurrency/races, atomic operations, idempotency
- Data consistency, invariants, retries/timeouts
Performance
- Complexity, hot paths, N+1 queries
- Memory allocations, blocking operations, batching/caching
- Backpressure, connection pooling
Architecture & Maintainability
- Separation of concerns, coupling, dependency direction
- Interface contracts, cohesion, modularity
- Testability and future change cost
n8n Workflow Checklist
Trigger & Security
- Webhook authentication/signature verification (if applicable)
- Credential scope (least privilege), no secrets/PII in logs
- Input validation / schema enforcement at ingress
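The first item in this checklist, webhook signature verification, is the one that most often gets skipped at the ingress of an automation workflow. The following is an added example (not part of the original skill, and not n8n's own code) showing what a receiver should do before any downstream node acts on the payload: recompute an HMAC-SHA256 over the raw body bound to a timestamp, reject stale timestamps to close the replay window, and compare in constant time. The header names, the shared secret and the five-minute skew are assumptions chosen for the example; a real sender's scheme dictates them.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # stand-in for the credential the sender holds (assumed)
MAX_SKEW_S = 300                        # reject signatures older than 5 minutes (assumed replay window)


def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>'.
    Binding the timestamp into the MAC means a captured request cannot
    simply be replayed after the skew window has passed."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(headers: dict, body: bytes, now: int, secret: bytes = SECRET) -> bool:
    """Receiver side (the check the webhook ingress should perform first).
    Works on the raw bytes, never on a re-serialized JSON object, because
    re-serialization changes whitespace/key order and breaks the MAC."""
    try:
        ts = int(headers["X-Timestamp"])      # assumed header names
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False                          # missing/malformed headers fail closed
    if abs(now - ts) > MAX_SKEW_S:
        return False                          # stale or far-future timestamp
    expected = sign(body, ts, secret)
    # compare_digest runs in time independent of where the strings differ
    return hmac.compare_digest(expected, provided)


def demo():
    body = b'{"order_id": 42, "amount": 10.0}'          # constructed payload
    now = 1_700_000_000                                  # constructed "current" time
    good = {"X-Timestamp": str(now), "X-Signature": sign(body, now)}
    tampered_body = b'{"order_id": 42, "amount": 0.0}'  # body changed after signing
    stale = {"X-Timestamp": str(now - 3600), "X-Signature": sign(body, now - 3600)}
    missing = {"X-Timestamp": str(now)}                 # no signature header at all
    return {
        "valid": verify(good, body, now),
        "tampered": verify(good, tampered_body, now),
        "stale": verify(stale, body, now),
        "missing_header": verify(missing, body, now),
    }


if __name__ == "__main__":
    print(demo())
```

In an n8n deployment the equivalent check lives either in the Webhook node's authentication options or in a Code node placed immediately after the trigger, with the workflow stopping on a failed verification before any credentialed node runs.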
Reliability
- Retries with exponential backoff + max attempts
- Timeouts configured for external calls
- Idempotency key / dedup strategy (and persistent state if needed)
- Error handling: error branch or Error Trigger workflow + alerting
Performance
- Split In Batches for large datasets
- Rate limiting / concurrency controls
- Payload minimization (remove unused fields early)
Observability & Ops
- Alerting (Slack/Email), run metadata, correlation/run IDs
- Dead-letter storage + replay strategy
- Runbook notes and rollback strategy
Examples (18 / 20)
Example 1: Code Security Issue
Input:
Python:
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query).fetchone()
Output:
- Finding: SQL injection via string interpolation
- Severity: Critical (Impact: High × Likelihood: High)
- Why it matters: Attacker may read/modify arbitrary data
- Evidence: get_user():L2 f-string interpolation in SQL
- Example fix:
Python:
def get_user(user_id):
    query = "SELECT * FROM users WHERE id = %s"
    return db.execute(query, (user_id,)).fetchone()
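The Quick Start and Example 1 both show the finding and the fix but not why the fix works. The following added example (not from the original skill) runs the reviewed function and the recommended parameterized version side by side against a constructed in-memory SQLite table, so the difference is observable: the interpolated query lets hostile text change the query's logic, while the bound parameter is compared as data and matches nothing. It assumes Python's built-in `sqlite3`, whose placeholder is `?` where the page's DB-API snippet uses `%s`; `fetchall` is used instead of `fetchone` so the row counts can be compared. A type-validating wrapper is included as the defence-in-depth layer the checklist's "input validation" item calls for.

```python
import sqlite3

# Constructed in-memory database standing in for the page's `db` handle.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
db.commit()


def get_user_vulnerable(user_id):
    # The reviewed code: input is spliced into the SQL text, so the database
    # cannot distinguish data from query syntax.
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query).fetchall()


def get_user_fixed(user_id):
    # The recommended fix: a bound parameter. The driver sends the value
    # separately from the statement, so it can only ever be compared as data.
    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def get_user_validated(user_id):
    # Defence in depth: enforce the expected type at the boundary so a
    # non-integer id is rejected with a clear error before any query runs.
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    return get_user_fixed(user_id)


def demo():
    tainted = "1 OR 1=1"  # constructed hostile input
    return {
        "vulnerable_rows": len(get_user_vulnerable(tainted)),  # whole table leaks
        "fixed_rows": len(get_user_fixed(tainted)),            # compared as text: no match
        "clean_rows": len(get_user_fixed(1)),                  # legitimate lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The evidence line in a finding can cite exactly this kind of before/after run; it turns "Critical" from an assertion into something the author can reproduce in seconds.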
Example 2: n8n Reliability Issue
Input: HTTP Request node calls API with no retry/backoff
Output:
- Finding: Missing retry/backoff for transient API failures
- Severity: High (Impact: High × Likelihood: Medium)
- Why it matters: Temporary outages break workflow and cause lost processing
- Evidence: Node "HTTP Request": retry disabled / no backoff
- Example fix: Enable retries (3 max), exponential backoff (1000ms), 30s timeout
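The example fix above is stated as node settings. To make the recommendation concrete for the code-review mode as well, here is an added example (not from the original skill, and not n8n's implementation) of the same policy in Python: at most 3 attempts, exponential backoff from a 1000 ms base with jitter, a 30 s timeout passed to every call, transient errors retried, and permanent (4xx-style) errors surfaced immediately. The HTTP call is replaced by a constructed scripted stand-in so the block runs offline; the sleep and jitter sources are injectable so the schedule can be checked deterministically.

```python
import random
import time


class TransientError(Exception):
    """Retryable failure: timeout, connection reset, HTTP 429/5xx."""


class PermanentError(Exception):
    """Non-retryable failure: HTTP 4xx such as 400/401/404 (retrying repeats it)."""


def call_with_retry(request, max_attempts=3, base_delay_s=1.0, timeout_s=30.0,
                    max_delay_s=30.0, sleep=time.sleep, rng=random.random):
    """Call request(timeout_s); retry TransientError with exponential backoff
    and full jitter; give up after max_attempts. Returns (result, attempts)."""
    attempt = 0
    while True:
        attempt += 1
        try:
            return request(timeout_s), attempt
        except PermanentError:
            raise                       # no point retrying a bad request
        except TransientError:
            if attempt >= max_attempts:
                raise                   # hand off to the error branch / dead-letter
            cap = min(max_delay_s, base_delay_s * 2 ** (attempt - 1))
            sleep(cap * rng())          # full jitter: uniform in [0, cap)


def scripted_request(outcomes):
    """Constructed stand-in for an HTTP call: raises the scripted outcomes in
    order, then succeeds. Echoes the timeout so the caller can check it was set."""
    outcomes = list(outcomes)

    def request(timeout_s):
        if outcomes:
            raise outcomes.pop(0)
        return {"status": 200, "timeout_s": timeout_s}

    return request


def demo_transient_then_success():
    delays = []
    result, attempts = call_with_retry(
        scripted_request([TransientError("503"), TransientError("timeout")]),
        sleep=delays.append, rng=lambda: 1.0)
    return result["status"], result["timeout_s"], attempts, delays


def demo_gives_up():
    delays = []
    try:
        call_with_retry(scripted_request([TransientError("503")] * 3),
                        sleep=delays.append, rng=lambda: 1.0)
    except TransientError:
        return "dead-letter", delays


def demo_permanent_not_retried():
    delays = []
    try:
        call_with_retry(scripted_request([PermanentError("400")]),
                        sleep=delays.append)
    except PermanentError:
        return delays


if __name__ == "__main__":
    print(demo_transient_then_success(), demo_gives_up(), demo_permanent_not_retried())
```

Retries only make sense when the call is idempotent; for a POST that creates something, pair this with the idempotency-key item from the checklist so a retried request after a lost response does not create a duplicate.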
Recommendation:
The Standard Output Template section could be more concise - it's detailed but might overwhelm users who want to start reviewing quickly.
Best Practices
- Start with security - Always check for injection, auth bypasses, secrets exposure
- Think like an attacker - What would break if malicious input was provided?
- Consider failure modes - Network timeouts, service unavailability, race conditions
- Severity = Impact × Likelihood - Critical issues block deployment
- Provide concrete fixes - Show exact code or configuration changes
- Include validation strategy - How to test the fixes work
Common Pitfalls
- Missing the forest for the trees - Don't focus only on style; find real risks
- Inconsistent severity - Use the same scale across all findings
- Vague recommendations - "Improve error handling" vs "Add try/catch with exponential backoff"
- Ignoring operational concerns - Code works in dev but fails in production
- Over-engineering - Don't suggest complex solutions for simple problems