skill-reviewer
Reviews and improves Claude Code skills against official best practices. Supports three modes - self-review (validate your own skills), external review (evaluate others' skills), and auto-PR (fork, improve, submit). Use when checking skill quality, reviewing skill repositories, or contributing improvements to open-source skills.
How do I install this agent skill?
npx skills add https://github.com/daymade/claude-code-skills --skill skill-reviewerIs this agent skill safe to install?
- Gen Agent Trust Hubfail
This skill instructs the agent to install a plugin from an unverified third-party GitHub repository and subsequently executes Python scripts from that plugin. This pattern represents a high-risk remote code execution vector. Additionally, the skill processes external repositories without sanitization, creating a surface for indirect prompt injection.
- Socketpass
No alerts
- Snykwarn
Risk: MEDIUM · No issues
- Runlayerwarn
5/5 files flagged
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
Skill Reviewer
Review and improve Claude Code skills against official best practices.
Quick Start
Run the bundled reviewer with PyYAML declared explicitly through uv:
uv run --with PyYAML python <this-skill-path>/scripts/review_skill.py <target-skill-path>
uv run --with PyYAML python <this-skill-path>/scripts/review_skill.py <target-skill-path> --json
The reviewer delegates YAML, schema, and internal-path validation to the canonical skill-creator validator bundled in the same suite. It then checks frontmatter quality, directory structure, SKILL.md size, hardcoded paths and secrets, script hygiene, subagent_type validity, and instruction-style heuristics.
Interpret exit codes as follows: 0 = clean, 1 = warnings only, 2 = review errors, 3 = invocation or runtime failure. Codes 1 and 2 describe the target skill; code 3 means the reviewer could not complete a trustworthy review.
Use the sibling skill-creator scripts for the deeper security scan and packaging checks.
Three Modes
Mode 1: Self-Review
Check your own skill before publishing.
Automated review:
uv run --with PyYAML python <this-skill-path>/scripts/review_skill.py <target-skill>
Extended security validation:
# Security scan
uv run python <this-skill-path>/../skill-creator/scripts/security_scan.py <target-skill> --verbose
Manual evaluation: See references/evaluation_checklist.md.
Mode 2: External Review
Evaluate someone else's skill repository.
Review Workflow:
- [ ] Clone repository to /tmp/
- [ ] Read ALL documentation first
- [ ] Identify author's intent
- [ ] Run evaluation checklist
- [ ] Generate improvement report
Mode 3: Auto-PR
Fork, improve, and submit PR to external skill repository.
Auto-PR Workflow:
- [ ] Fork repository (gh repo fork)
- [ ] Create feature branch
- [ ] Apply additive improvements only
- [ ] Self-review: respect check passed?
- [ ] Create PR with detailed explanation
Evaluation Checklist (Quick)
| Category | Check | Status |
|---|---|---|
| Frontmatter | name present? | |
| description present? | ||
| description in third-person? | ||
| includes trigger conditions? | ||
| Instructions | imperative form? | |
| under 500 lines? | ||
| workflow pattern? | ||
| Resources | no hardcoded paths? | |
| scripts have error handling? |
Full checklist: references/evaluation_checklist.md
Core Principle: Additive Only
When improving external skills, NEVER:
- Delete existing files
- Remove functionality
- Change primary language
- Rename components
ALWAYS:
- Add new capabilities
- Preserve original content
- Explain every change
❌ "Removed metadata.json (non-standard)"
✅ "Added marketplace.json (metadata.json preserved)"
❌ "Rewrote README in English"
✅ "Added README.en.md (Chinese preserved as default)"
Common Issues & Fixes
Issue: Description Not Third-Person
# Before
description: Browse YouTube videos and summarize them.
# After
description: Browses YouTube videos and generates summaries. Use when...
Issue: Missing Trigger Conditions
# Before
description: Processes PDF files.
# After
description: Extracts text from PDFs. Use when working with PDF files or when the user mentions PDFs, forms, or document extraction.
Issue: No Workflow Pattern
Add checklist for complex tasks:
## Workflow
Copy this checklist:
\`\`\`
Task Progress:
- [ ] Step 1: ...
- [ ] Step 2: ...
\`\`\`
Issue: Missing Marketplace Support
Adding or validating marketplace.json (plugin boundaries, source/skills
layout, whether skills are independently toggleable) is the marketplace-dev
skill's domain — don't author it from a template here. Invoke
daymade-claude-code:marketplace-dev, then follow its workflow and its cache
and source patterns reference.
PR Guidelines
When submitting PRs to external repos:
Tone
❌ "Your skill doesn't follow best practices"
✅ "This PR aligns with best practices for better discoverability"
❌ "Fixed the incorrect description"
✅ "Improved description with trigger conditions"
Required Sections
- Summary - What this PR does
- What's NOT Changed - Show respect for original
- Rationale - Why each change helps
- Test Plan - How to verify
Template: references/pr_template.md
Self-Review Checklist
Before submitting any PR:
Respect Check:
- [ ] No files deleted?
- [ ] No functionality removed?
- [ ] Original language preserved?
- [ ] Author's design decisions respected?
- [ ] All changes are additive?
- [ ] PR explains the "why"?
References
scripts/review_skill.py- Automated reviewer backed byskill-creatorvalidationreferences/evaluation_checklist.md- Full evaluation checklistreferences/pr_template.md- PR description template- Best practices: https://platform.claude.com/docs/en/agents-and-tools/agent-skills/best-practices
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/daymade/claude-code-skills/skill-reviewer">View skill-reviewer on skillZs</a>