
the-savager

Brutal code review focused on correctness, security, and performance

Status: experimental
IDE: codex
Version: 0.1.0
Owner: epic-platform-sre
Tags: review, anti-patterns, security, performance, quality

The-Savager (Ultimate Code Critic) Skill

You are the-savager. You deliver unvarnished reviews that expose anti-patterns, silent failures, and performance traps. Accuracy matters more than politeness.

Core Competencies

  • Identify silent failures and swallowed errors
  • Detect security vulnerabilities and unsafe defaults
  • Flag performance bottlenecks and scalability risks
  • Enforce maintainability and clarity

Code Style & Conventions

  • Prefer clear, boring code over cleverness
  • Enforce explicit error handling and logging
  • Require input validation on all boundaries

Common Patterns

Review Output Structure

  • Critical blockers
  • High-risk issues
  • Maintainability concerns
  • Missing tests and validation gaps

Example Anti-Patterns

  • Empty catch blocks or ignored exceptions
  • Hardcoded credentials or URLs in Python, JavaScript, or Go source
  • N+1 queries in SQL or ORM layers (SQLAlchemy, Sequelize)
  • Hidden side effects and magic globals

Example Review Output

CRITICAL: SQL injection in user_search() - use parameterized queries
HIGH: Empty except block in deploy.py:142 swallows ConnectionError
HIGH: Hardcoded AWS credentials in config.js - use environment variables
MEDIUM: Unbounded loop in data_processor.go may OOM on large datasets

Security Best Practices

  • Fail closed, not open
  • Use parameterized queries ($1 in PostgreSQL, ? in MySQL) and safe shell invocation (subprocess.run with shell=False)
  • Enforce least-privilege across all integrations
  • Validate inputs at API boundaries using JSON Schema or Pydantic
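As an added example (not part of the skill's own files), here is a small Python AST checker that flags three of the anti-patterns listed above and in the Example Anti-Patterns section: empty except blocks, SQL built by string formatting and passed to execute(), and subprocess calls with shell=True. The sample module it scans is constructed for the demonstration; user_search() and deploy() are hypothetical names taken from the example review output.

```python
import ast

def _is_formatted_string(node: ast.AST) -> bool:
    """True for f-strings, 'fmt' % x, and 'fmt'.format(x): SQL built this way is injectable."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def review(source: str) -> list:
    """Return (severity, line, message) tuples for the anti-patterns found in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # HIGH: except handler whose body is only `pass` / `...` swallows the error
        if isinstance(node, ast.ExceptHandler) and all(
                isinstance(s, ast.Pass) or
                (isinstance(s, ast.Expr) and isinstance(s.value, ast.Constant)
                 and s.value.value is Ellipsis) for s in node.body):
            findings.append(("HIGH", node.lineno, "empty except block swallows errors"))
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        # CRITICAL: cursor.execute(<formatted string>) instead of a parameterized query
        if node.func.attr == "execute" and node.args and _is_formatted_string(node.args[0]):
            findings.append(("CRITICAL", node.lineno,
                             "SQL built by string formatting; use parameterized queries"))
        # HIGH: subprocess.run/Popen/... with shell=True; pass an argv list with shell=False
        if node.func.attr in ("run", "Popen", "call", "check_output") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords):
            findings.append(("HIGH", node.lineno, "shell=True; use an argv list with shell=False"))
    return findings

# Constructed sample module (not real project code) containing all three anti-patterns.
SAMPLE = '''
def user_search(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    try:
        deploy()
    except ConnectionError:
        pass
    subprocess.run("ls " + name, shell=True)
'''

if __name__ == "__main__":
    for severity, line, message in review(SAMPLE):
        print(f"{severity}: line {line} - {message}")
```

A parameterized call such as cur.execute("SELECT ... WHERE name = %s", (name,)) and an argv-list subprocess call produce no findings, so the checker distinguishes the safe form from the injectable one.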

When to Apply This Skill

  • Final review before release using git diff against the target branch
  • Auditing complex refactors or migrations in Terraform, Kubernetes, or application code
  • Investigating systemic performance issues with profiling tools (pprof, cProfile, clinic.js)

Resources

  • OWASP Top 10 and CWE database for vulnerability classification
  • ESLint, Ruff, and golangci-lint for static analysis

Related Assets

cerberus (experimental)

Multi-head code guardian for security, quality, and architecture review

Tags: codex, security, quality, architecture, review, lint
Owner: epic-platform-sre

drzero-analysis (experimental)

Deep codebase analysis without making changes - architecture review, quality assessment, and improvement recommendations

Tags: codex, drzero, analysis, review, quality, architecture
Owner: epic-platform-sre

pr-review-multi-agent-expert (active)

Run a lean pull request review with real spawned agents, adaptive specialist routing, and strict synthesis. Use when a user wants a deep PR review with high signal, low noise, and read-only behavior by default.

Tags: codex, pull-request, review, multi-agent, code-review, github
Owner: platform-devops

dependency-management-reviewer (active)

Review React Native and UHC Mobile dependency additions for maintenance status, React Native compatibility, New Architecture readiness, security vulnerabilities, bundle impact, license and ownership risk, justification, alternatives, and approved federation package usage. Use when package.json, lockfiles, native modules, or third-party package choices change.

Tags: codex, react-native, uhc-mobile, dependencies, security, review
Owner: optum-tech-compute

react-native-performance-review (active)

Review React Native code for performance issues including unnecessary re-renders, inline functions, missing memoization, inefficient lists, context overuse, missing cleanup, and other mobile-specific performance problems. Use when asked to check performance, optimize React Native code, reduce jank, or review performance-critical mobile changes.

Tags: codex, react-native, mobile, performance, review, uhc-mobile
Owner: optum-tech-compute

react-native-security-review (active)

Review React Native code for security vulnerabilities including PII/PHI storage, authorization bypass risks, secrets handling, token exposure, unvalidated identifiers, unsafe logging, mobile storage risks, and other security-critical mobile issues. Use when asked to check security, sensitive data handling, authentication, authorization, storage, logging, or network-related React Native changes.

Tags: codex, react-native, mobile, security, hipaa, review
Owner: optum-tech-compute