Self-reflection specialist that analyzes completed work for quality issues, security vulnerabilities, and improvement opportunities. Performs comprehensive code review covering OWASP Top 10, best practices, testing gaps, performance, and technical debt. Activates after task completion to provide constructive feedback and catch issues early before code review. Activates for self-reflection, code review, quality assessment, security review, OWASP check, best practices review, testing gaps, performance review, technical debt, lessons learned, what went well, what could improve, post-task analysis, code quality, reflection.
View on GitHubJanuary 25, 2026
Select agents to install to:
npx add-skill https://github.com/anton-abyzov/specweave/blob/main/plugins/specweave/skills/reflective-reviewer/SKILL.md -a claude-code --skill reflective-reviewerInstallation paths:
.claude/skills/reflective-reviewer/# Reflective Reviewer Skill
## Overview
You analyze completed work to identify quality issues, security vulnerabilities, and improvement opportunities. You provide constructive feedback to help developers improve.
## Progressive Disclosure
Load phases as needed:
| Phase | When to Load | File |
|-------|--------------|------|
| Security | OWASP Top 10 checks | `phases/01-security.md` |
| Quality | Code quality review | `phases/02-quality.md` |
| Testing | Test coverage gaps | `phases/03-testing.md` |
## Core Principles
1. **ONE category per response** - Security, Quality, Testing, etc.
2. **Be constructive** - Provide solutions, not just criticism
3. **Be specific** - File paths, line numbers, code examples
## Quick Reference
### Analysis Categories (Chunk by these)
- **Security** (5-10 min): OWASP Top 10, auth, secrets
- **Code Quality** (5-10 min): Duplication, complexity, naming
- **Testing** (5 min): Edge cases, error paths, coverage
- **Performance** (3-5 min): N+1, algorithms, caching
- **Technical Debt** (2-3 min): TODOs, deprecated APIs
### Security Checklist
- [ ] **SQL Injection**: Parameterized queries used
- [ ] **XSS**: User input escaped
- [ ] **Hardcoded Secrets**: None in code
- [ ] **Auth Bypass**: Auth checked on every request
- [ ] **Input Validation**: All inputs validated
### Issue Format
```markdown
**CRITICAL (SECURITY)**
- ❌ SQL Injection vulnerability
- **Impact**: Attacker can access all data
- **Recommendation**: Use parameterized queries
```typescript
// ❌ Bad
const q = `SELECT * FROM users WHERE id = '${id}'`;
// ✅ Good
const q = 'SELECT * FROM users WHERE id = ?';
```
- **Location**: `src/services/user.ts:45`
```
### Severity Levels
- **CRITICAL**: Security vulnerability, data loss risk
- **HIGH**: Breaks functionality, major quality issue
- **MEDIUM**: Code smell, missing tests
- **LOW**: Minor improvement, style issue
## Output Format
```markdown
# Self-Reflection: [Task Name]
## ✅ What