Adversarial Code Reviewer
Description
Adversarial code review skill that forces genuine perspective shifts through three hostile reviewer personas (Saboteur, New Hire, Security Auditor). Each persona MUST find at least one issue — no "LGTM" escapes. Findings are severity-classified and cross-promoted when caught by multiple personas.
Features
- Three adversarial personas — Saboteur (production breaks), New Hire (maintainability), Security Auditor (OWASP-informed)
- Mandatory findings — Each persona must surface at least one issue, eliminating rubber-stamp reviews
- Severity promotion — Issues caught by 2+ personas are promoted one severity level
- Self-review trap breaker — Concrete techniques to overcome shared mental model blind spots
- Structured verdicts — BLOCK / CONCERNS / CLEAN with clear merge guidance
Usage
/adversarial-review # Review staged/unstaged changes
/adversarial-review --diff HEAD~3 # Review last 3 commits
/adversarial-review --file src/auth.ts # Review a specific file
Examples
Example: Reviewing a PR Before Merge
/adversarial-review --diff main...HEAD
Produces a structured report with findings from all three personas, deduplicated and severity-ranked, ending with a BLOCK/CONCERNS/CLEAN verdict.
Problem This Solves
When Claude reviews code it wrote (or code it just read), it shares the same mental model, assumptions, and blind spots as the author. This produces "Looks good to me" reviews on code that a fresh human reviewer would flag immediately. Users report this as one of the top frustrations with AI-assisted development.
This skill forces a genuine perspective shift by requiring you to adopt adversarial personas — each with different priorities, different fears, and different definitions of "bad code."
Table of Contents
- Quick Start
- Review Workflow
- The Three Personas
- Severity Classification
- Output Format
- Anti-Patterns
- When to Use This
Quick Start
/adversarial-review # Review staged/unstaged changes
/adversarial-review --diff HEAD~3 # Review last 3 commits
/adversarial-review --file src/auth.ts # Review a specific file
Review Workflow
Step 1: Gather the Changes
Determine what to review based on invocation:
- No arguments: Run
git diff(unstaged) +git diff --cached(staged). If both empty, rungit diff HEAD~1(last commit). --diff <ref>: Rungit diff <ref>.--file <path>: Read the entire file. Focus review on the full file rather than just changes.
If no changes are found, stop and report: "Nothing to review."
Step 2: Read the Full Context
For every file in the diff:
- Read the full file (not just the changed lines) — bugs hide in how new code interacts with existing code.
- Identify the purpose of the change: bug fix, new feature, refactor, config change, test.
- Note any project conventions from CLAUDE.md, .editorconfig, linting configs, or existing patterns.
Step 3: Run All Three Personas
Execute each persona sequentially. Each persona MUST produce at least one finding. If a persona finds nothing wrong, it has not looked hard enough — go back and look again.
IMPORTANT: Do not soften findings. Do not hedge. Do not say "this might be fine but..." — either it's a problem or it isn't. Be direct.
Step 4: Deduplicate and Synthesize
After all three personas have reported:
- Merge duplicate findings (same issue caught by multiple personas).
- Promote findings caught by 2+ personas to the next severity level.
- Produce the final structured output.
The Three Personas
Persona 1: The Saboteur
Mindset: "I am trying to break this code in production."
Priorities:
- Input that was never validated
- State that can become inconsistent
- Concurrent access without synchronization
- Error paths that swallow exceptions or return misleading results
- Assumptions about data format, size, or availability that could be violated
- Off-by-one errors, integer overflow, null/undefined dereferences
- Resource leaks (file handles, connections, subscriptions, listeners)
Review Process:
- For each function/method changed, ask: "What is the worst input I could send this?"
- For each external call, ask: "What if this fails, times out, or returns garbage?"
- For each state mutation, ask: "What if this runs twice? Concurrently? Never?"
- For each conditional, ask: "What if neither branch is correct?"
You MUST find at least one issue. If the code is genuinely bulletproof, note the most fragile assumption it relies on.
Persona 2: The New Hire
Mindset: "I just joined this team. I need to understand and modify this code in 6 months with zero context from the original author."
Priorities:
- Names that don't communicate intent (what does
datamean? what doesprocess()do?) - Logic that requires reading 3+ other files to understand
- Magic numbers, magic strings, unexplained constants
- Functions doing more than one thing (the name says X but it also does Y and Z)
- Missing type information that forces the reader to trace through call chains
- Inconsistency with surrounding code style or project conventions
- Tests that test implementation details instead of behavior
- Comments that describe what (redundant) instead of why (useful)
Review Process:
- Read each changed function as if you've never seen the codebase. Can you understand what it does from the name, parameters, and body alone?
- Trace one code path end-to-end. How many files do you need to open?
- Check: would a new contributor know where to add a similar feature?
- Look for "the author knew something the reader won't" — implicit knowledge baked into the code.
You MUST find at least one issue. If the code is crystal clear, note the most likely point of confusion for a newcomer.
Persona 3: The Security Auditor
Mindset: "This code will be attacked. My job is to find the vulnerability before an attacker does."
OWASP-Informed Checklist:
| Category | What to Look For |
|---|---|
| Injection | SQL, NoSQL, OS command, LDAP — any place user input reaches a query or command without parameterization |
| Broken Auth | Hardcoded credentials, missing auth checks on new endpoints, session tokens in URLs or logs |
| Data Exposure | Sensitive data in error messages, logs, or API responses; missing encryption at rest or in transit |
| Insecure Defaults | Debug mode left on, permissive CORS, wildcard permissions, default passwords |
| Missing Access Control | IDOR (can user A access user B's data?), missing role checks, privilege escalation paths |
| Dependency Risk | New dependencies with known CVEs, pinned to vulnerable versions, unnecessary transitive dependencies |
| Secrets | API keys, tokens, passwords in code, config, or comments — even "temporary" ones |
Review Process:
- Identify every trust boundary the code crosses (user input, API calls, database, file system, environment variables).
- For each boundary: is input validated? Is output sanitized? Is the principle of least privilege followed?
- Check: could an authenticated user escalate privileges through this change?
- Check: does this change expose any new attack surface?
You MUST find at least one issue. If the code has no security surface, note the closest thing to a security-relevant assumption.
Severity Classification
| Severity | Definition | Action Required |
|---|---|---|
| CRITICAL | Will cause data loss, security breach, or production outage. Must fix before merge. | Block merge. |
| WARNING | Likely to cause bugs in edge cases, degrade performance, or confuse future maintainers. Should fix before merge |