Code Review Skill

Build a reusable code review skill for AI agents with inputs, outputs, SKILL.md outline, governance controls, and quality checks.

11 min read
Axiom Studio Team · Engineering

What This Skill Does

Target user

Engineering teams that want repeatable AI-assisted code reviews before human approval.

Search intent

Learn how to structure an AI-agent code review skill without handing the agent broad merge authority.

Use When

  • A pull request or local diff needs a structured correctness, scope, test, and maintainability review.
  • A team keeps pasting the same code-review checklist into agent prompts.
  • Review findings must be reported in a consistent format for humans.

Do Not Use When

  • The change has no diff or artifact for the agent to inspect.
  • The agent is expected to approve, merge, or deploy without a human gate.
  • The review requires access to secrets, private customer data, or production systems.

Required Inputs

  • Git diff or pull request diff.
  • Relevant issue, todo, or acceptance criteria.
  • Test commands and existing review policy.
  • Known risky files or ownership boundaries.

Expected Outputs

  • Ordered findings with file and line references.
  • Severity labels and concrete reproduction or reasoning.
  • Missing-test notes and residual risk.
  • Short pass/fail recommendation for human reviewers.

A code review skill turns a team's review rubric into a reusable AI-agent workflow. It helps an agent inspect a diff, identify concrete risks, and return a report that a human can act on.

The skill should not become an auto-approver. Its job is to improve review consistency and catch issues early while preserving human ownership over merge and release decisions.

Review Workflow

The workflow starts with the work item and diff, then maps touched files to callers and runtime paths. After that, the agent reviews behavior, tests, error handling, data exposure, and maintainability.

The report should lead with findings. Summaries and praise dilute the review signal; they belong after concrete risks, not before.
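The second step of the workflow, mapping touched files to owners and risky boundaries, as an added example that is not part of the page's skill or SKILL.md outline; the CODEOWNERS-style table, the risky prefixes, and the sample diff are all constructed assumptions.

```python
"""Map a unified diff to touched files, owners, and risky boundaries (added example,
not part of the SKILL.md outline; owner table, risky prefixes and diff are constructed)."""
import re
from dataclasses import dataclass, field

# Constructed CODEOWNERS-style table (path prefix -> team); assumption: auth/ and
# migrations/ are the boundaries the team declared risky in its review policy.
OWNERS = {"auth/": "security-team", "migrations/": "data-team", "web/": "web-team"}
RISKY_PREFIXES = ("auth/", "migrations/")

@dataclass
class TouchedFile:
    path: str
    owner: str
    risky: bool
    hunks: list = field(default_factory=list)  # (new_start, new_count) per @@ header

FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")

def map_diff(diff_text: str) -> list:
    """One TouchedFile per '+++ b/<path>' header, with its new-side hunk ranges."""
    files, current = [], None
    for line in diff_text.splitlines():
        if m := FILE_RE.match(line):
            path = m.group(1)
            owner = next((o for p, o in OWNERS.items() if path.startswith(p)), "unowned")
            current = TouchedFile(path, owner, path.startswith(RISKY_PREFIXES))
            files.append(current)
        elif (h := HUNK_RE.match(line)) and current is not None:
            count = int(h.group(2)) if h.group(2) is not None else 1
            current.hunks.append((int(h.group(1)), count))
    return files

SAMPLE_DIFF = """\
--- a/auth/session.py
+++ b/auth/session.py
@@ -10,2 +10,3 @@ def create_session(user):
     token = issue_token(user)
+    log.debug("session for %s", user.email)
     return token
--- a/web/views.py
+++ b/web/views.py
@@ -1 +1 @@
-VERSION = "v1"
+VERSION = "v2"
"""

if __name__ == "__main__":
    for f in map_diff(SAMPLE_DIFF):  # risky files go to the top of the reviewer's map
        print("RISKY" if f.risky else "ok   ", f.owner, f.path, f.hunks)
```

The resulting table is what the agent should carry into the behaviour, data-exposure and test checks, so that a change under a risky boundary is reviewed first rather than discovered late.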

Skill Folder and SKILL.md Outline

Keep the main SKILL.md short enough that the agent can absorb it every time the skill loads. Longer severity rules and examples belong in references or templates.

The outline below is intentionally non-executable. It gives the model a repeatable review contract without granting merge authority.

Suggested Folder Files

  1. SKILL.md - trigger, review workflow, output format, and stop conditions.
  2. references/review-policy.md - team-specific severity definitions and review rubric.
  3. templates/review-report.md - consistent finding/report structure.
  4. examples/good-review.md - a model answer for calibration.

Illustrative SKILL.md outline

---
name: code-review
description: Review code diffs for correctness, scope, tests, security-adjacent risk, and maintainability before human approval.
---
1. Read the work item, acceptance criteria, and diff.
2. Map touched files to owners, callers, and runtime paths.
3. List findings first, ordered by severity, with file and line references.
4. Call out missing tests and residual risk.
5. Do not approve, merge, deploy, or modify code unless a separate work item asks for a fix.

No unsafe executable examples

This outline is intentionally non-executable. Add helper scripts only after security review, provenance checks, and platform-specific permission review.

Platform Compatibility Notes

The same review workflow can be adapted across Claude, Codex, OpenCode, and OpenClaw, but folder paths, discovery, and permission controls differ.

Treat the skill concept as portable and the installation mechanics as platform-specific.

  1. Claude Code: place project-specific versions under .claude/skills/code-review/SKILL.md when the workflow is Claude-only.
  2. Codex: use .agents/skills/code-review/SKILL.md for repo-scoped Codex workflows; keep AGENTS.md for standing repo policy.
  3. OpenCode: permission rules can allow, deny, or ask before the skill loads.
  4. OpenClaw: treat third-party review skills as untrusted and verify any referenced helper before enabling.

Governance Controls

Code review skills affect software quality decisions, so their output should be traceable to a work item, diff, skill version, and human reviewer.

The strongest control is explicit scope: review only, no merge, no deploy, and no silent fixes inside the same workflow.

  1. Require code-owner approval for changes suggested by the skill.
  2. Log the active skill version with the review output.
  3. Forbid automatic merge or deploy from the review skill.
  4. Review and version the review rubric like source code.

Quality Checklist

  1. Findings are specific and cite a file or line.
  2. The report separates bugs from style preferences.
  3. The skill checks acceptance criteria and test coverage.
  4. The output states when no blocking issues were found.
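A validator for the agent's review report, as an added example that is not part of the page's skill: it enforces the Quality Checklist above (file:line references, bug versus style separation, an explicit no-blocking-issues statement) together with the Governance Controls' traceability fields (work item, diff, skill version, reviewer logged with the output). The report layout, field names, severity ladder, and sample report are constructed assumptions.

```python
"""Validate an agent-written review report against the checklist above (added
example, not part of the page's skill; the report layout and sample are constructed)."""
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed ladder
BLOCKING = {"critical", "high"}
REQUIRED_META = ("work_item", "diff", "skill_version", "reviewer")  # traceability fields
FINDING_RE = re.compile(r"^\[(\w+)\]\[(bug|style)\] (\S+:\d+) - .+$")

def validate_report(text: str) -> list:
    """Return a list of problems; an empty list means the report passes the checklist."""
    problems = []
    meta = dict(re.findall(r"^(\w+): (.+)$", text, re.M))
    for key in REQUIRED_META:  # governance: every report must be traceable
        if not meta.get(key):
            problems.append(f"missing metadata field: {key}")
    findings, ranks = [], []
    for line in text.splitlines():
        if line.startswith("["):  # every finding: [severity][bug|style] file:line - text
            m = FINDING_RE.match(line)
            if not m or m.group(1) not in SEVERITY_RANK:
                problems.append(f"malformed finding: {line!r}")
                continue
            findings.append(m)
            ranks.append(SEVERITY_RANK[m.group(1)])
    if ranks != sorted(ranks):  # findings lead and are ordered by severity
        problems.append("findings are not ordered by severity")
    blocking = any(m.group(1) in BLOCKING for m in findings)
    rec = re.search(r"^RECOMMENDATION: (pass|fail)$", text, re.M)
    if not rec:
        problems.append("missing or malformed RECOMMENDATION line")
    elif (rec.group(1) == "fail") != blocking:
        problems.append("recommendation disagrees with blocking findings")
    if not blocking and "no blocking issues" not in text.lower():
        problems.append("report must state that no blocking issues were found")
    return problems

SAMPLE_REPORT = """\
work_item: ENG-123
diff: abc123..def456
skill_version: code-review@1.2.0
reviewer: a.person

[high][bug] auth/session.py:14 - user email written to debug log; exposure via shared log sink
[low][style] web/views.py:1 - version constant belongs in config, not the view module

MISSING TESTS: no test covers the create_session logging path

RECOMMENDATION: fail
"""
```

Running the validator as a CI step before the human gate means a report that cannot be traced to a skill version, or whose pass/fail line contradicts its own findings, is rejected instead of reaching the reviewer.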

Govern the code review skill through tracked work

VibeFlow ties reusable agent skills to work items, execution logs, commits, security review, QA, and durable context so teams can see which workflow influenced each change.
