reviewing-claude-config

verified

Reviews Claude configuration files for security, structure, and prompt engineering quality. Use when reviewing changes to CLAUDE.md files (project-level or .claude/), skills (SKILL.md), agents, prompts, commands, or settings. Validates YAML frontmatter, progressive disclosure patterns, token efficiency, and security best practices. Detects critical issues like committed settings.local.json, hardcoded secrets, malformed YAML, broken file references, oversized skill files, and insecure agent tool access.

Marketplace

bitwarden-marketplace

bitwarden/ai-plugins

Plugin

claude-config-validator

Repository
Verified Org

bitwarden/ai-plugins
1 star

plugins/claude-config-validator/skills/reviewing-claude-config/SKILL.md

Last Verified

January 21, 2026

Install Skill

npx add-skill https://github.com/bitwarden/ai-plugins/blob/main/plugins/claude-config-validator/skills/reviewing-claude-config/SKILL.md -a claude-code --skill reviewing-claude-config

Installation paths:

Claude
.claude/skills/reviewing-claude-config/

Instructions

# Reviewing Claude Configuration

## Instructions

**IMPORTANT**: Use structured thinking throughout your review process. Plan your analysis before providing feedback. This improves accuracy and catches critical security issues.

### Step 1: Detect File Type

<thinking>
Analyze the changed files:
1. Which .claude files were modified?
2. What file types? (CLAUDE.md, skills, agents, prompts, commands, settings)
3. Are there immediate security concerns?
4. What's the review scope (single file or multiple)?
</thinking>

Determine the primary file type(s) being reviewed:

**Detection Rules**:

- **Agents**: Changes to `.claude/agents/*.md` or `plugins/*/agents/*.md`
- **Skills**: Changes to `skill.md` files or skill support files (checklists, references, examples)
- **CLAUDE.md**: Changes to `CLAUDE.md` files (any location: project root, `.claude/`, or subdirectories)
- **Prompts/Commands**: Changes to `.claude/prompts/*.md` or `.claude/commands/*.md`
- **Settings**: Changes to `.claude/settings.json` or `.claude/settings.local.json`

If multiple types are modified, review each with the appropriate checklist.

### Step 2: Execute Security Scan (ALWAYS)

<thinking>
Security first, regardless of file type:
1. Is settings.local.json committed to git?
2. Any hardcoded secrets (passwords, tokens, API keys)?
3. Are permissions appropriately scoped (if settings modified)?
4. Any suspicious patterns in changed files?
</thinking>

**CRITICAL CHECKS** (perform for ALL Claude config reviews):

Run these mental checks immediately:

- [ ] settings.local.json NOT in git (check changed files list)
- [ ] No hardcoded credentials in any modified files
- [ ] Permissions scoped appropriately (if settings.json modified)
- [ ] No API keys, tokens, or passwords in plaintext

**If ANY security issue is found**: Flag as **CRITICAL** immediately, stop and report.

Consult `reference/security-patterns.md` for detailed security checks and detection commands.
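
The critical checks above can also be run mechanically over a changed-file set. The following is an added example, not part of the skill or of `reference/security-patterns.md`: the regex patterns, the function names, and the `permissions.allow` layout of `settings.json` are assumptions made for illustration, and the sample input is constructed.

```python
import json
import re
from pathlib import PurePosixPath

# Heuristic patterns: assumptions for this example, not the skill's own list.
SECRET_PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential assignment", re.compile(
        r"(?i)(api[_-]?key|secret|token|passw(?:or)?d)\w*['\"]?\s*[:=]\s*"
        r"['\"]?([^\s'\"]{8,})")),
]
# Values that are references or placeholders rather than literals are skipped.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|x{4,}|\*{4,})$", re.I)


def check_permissions(path, text):
    """Flag allow rules granting a whole tool (assumed schema: permissions.allow)."""
    try:
        allow = json.loads(text).get("permissions", {}).get("allow", [])
    except (json.JSONDecodeError, AttributeError):
        return [(path, 0, "settings.json could not be parsed")]
    return [(path, 0, f"unscoped permission: {rule}") for rule in allow
            if isinstance(rule, str) and re.fullmatch(r"\w+(\(\*\))?", rule)]


def scan_changed_files(changed):
    """changed maps repo-relative path -> new content; returns (path, line, issue)."""
    findings = []
    for path, text in changed.items():
        name = PurePosixPath(path).name
        if name == "settings.local.json":
            findings.append((path, 0, "settings.local.json committed to git"))
        if name == "settings.json":
            findings.extend(check_permissions(path, text))
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pattern in SECRET_PATTERNS:
                m = pattern.search(line)
                if m and not (m.lastindex and PLACEHOLDER.match(m.group(m.lastindex))):
                    findings.append((path, lineno, f"possible hardcoded secret ({label})"))
    return findings


# Constructed changed-file set; every value below is fake.
SAMPLE = {
    ".claude/settings.local.json": "{}",
    ".claude/settings.json": '{"permissions": {"allow": ["Bash(*)", "Bash(npm run test:*)"]}}',
    "CLAUDE.md": 'api_key = "EXAMPLE-not-a-real-key-0001"\npassword: ${DB_PASSWORD}\n',
}
```

Calling `scan_changed_files(SAMPLE)` returns one finding per critical check; the `${DB_PASSWORD}` reference is skipped because it names a variable rather than containing a literal value.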

### Step 3: Load Appropriate Checklist

Based on 

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length:
5899 chars