how-to-guide

How the Engineering Plugin Assists with Code Review: Slash Commands and AI Workflows

May 30, 2026 anthropics/knowledge-work-plugins ↗

The Engineering plugin provides a structured code review workflow via the /review or /code-review slash commands, analyzing changes for security, performance, correctness, and style both as a standalone tool and within integrated development ecosystems.

The anthropics/knowledge-work-plugins repository delivers a dedicated Engineering plugin that automates systematic code analysis through natural language interfaces. By leveraging structured skill definitions and optional external connectors, this tool enables developers to execute consistent, reproducible reviews without manual checklist management.

Activating the Code Review Workflow

The plugin exposes two entry points for initiating analysis. According to engineering/README.md (lines 15-19), the /review command handles "Review code changes — security, performance, style, and correctness" while the explicit /code-review command documented in the same file (lines 30-33) provides identical functionality with clearer intent signaling.

Users supply input through three primary methods:

A pull request URL
A raw diff pasted directly into the conversation
A specific file path

The plugin parses the input context to determine execution mode, automatically selecting between standalone operation or enhanced analysis when connectors are detected.

Standalone Review Capabilities

Even without external integrations, the plugin performs comprehensive multi-dimensional analysis as defined in engineering/skills/code-review/SKILL.md (lines 30-35).

Security Auditing

The plugin executes OWASP Top 10 checks, identifying injection vulnerabilities, authentication bypasses, and authorization flaws. It scans for common attack vectors including SQL injection and unsafe deserialization patterns.

Performance Analysis

The review detects N+1 queries, potential memory leaks, and suboptimal algorithmic complexity. It flags patterns that could degrade runtime efficiency under load or scale.

Correctness Verification

Analysis examines edge-case handling, error propagation paths, and potential race conditions. The plugin validates logic robustness against boundary conditions and concurrent execution scenarios.

Style and Maintainability

The tool evaluates naming conventions, Single Responsibility Principle (SRP) adherence, and code duplication. It assesses whether implementations align with general software engineering best practices for long-term maintainability.

Super-Charged Reviews with Connectors

When the plugin detects configured connectors, it enters a super-charged mode documented in the "SUPERCHARGED" section of engineering/skills/code-review/SKILL.md (lines 37-41).

Source-control integration automatically fetches the PR diff, CI pipeline status, and test results to contextualize findings within the current build state. Project tracker connections link discovered issues to existing tickets or generate new tracking items automatically. Knowledge base access cross-references team-specific coding standards, Architecture Decision Records (ADRs), and historical review outcomes to ensure organizational consistency.

Structured Output Format

The plugin generates a standardized markdown report defined in engineering/skills/code-review/SKILL.md (lines 76-99). This structured output includes:

A brief executive summary with an overall verdict (approve or request changes)
A table of critical issues annotated with exact file paths, line numbers, detailed descriptions, and severity classifications
A categorized table of suggestions organized by performance, security, correctness, and maintainability dimensions
Positive observations highlighting well-implemented patterns and optional next steps for improvement

Iterative and Focused Reviews

As noted in the "Tips" section of engineering/skills/code-review/SKILL.md (lines 15-18), the plugin supports iterative refinement workflows. If no target is provided, the system prompts for clarification. Users can narrow analysis scope by requesting specific focus areas such as "focus on security" or "check for N+1 queries" to tailor the review to immediate concerns.

Practical Usage Examples

Review a specific PR using the shorthand command:

/review https://github.com/example/repo/pull/42

Analyze a raw diff pasted directly into the chat:

/code-review
--- a/src/utils.py
+++ b/src/utils.py
@@ -10,6 +10,9 @@
 def calculate(a, b):
-    return a + b
+    # Guard against overflow

+    if a > 2**31 or b > 2**31:
+        raise ValueError("Input too large")
+    return a + b

Execute a focused security audit by specifying constraints after the initial command:

/code-review https://github.com/example/repo/pull/57

# Follow-up prompt:

Focus on authentication and injection risks only.

Trigger automatic PR detection with connected source-control:

/review  # plugin pulls the latest open PR automatically

Summary

The Engineering plugin exposes /review and /code-review slash commands defined in engineering/README.md for initiating analysis
Standalone mode performs security, performance, correctness, and style audits without requiring external dependencies
Super-charged mode enriches reviews with real-time data from source-control systems, ticket trackers, and organizational knowledge bases
Output follows a structured markdown template with severity-graded findings, file references, and actionable suggestions
Users can focus reviews on specific technical concerns through iterative prompting as documented in the skill tips

Frequently Asked Questions

What slash commands trigger the Engineering plugin code review?

The /review and /code-review commands both initiate the workflow. The /review command is listed in engineering/README.md as the primary entry point, while /code-review provides an explicit alternative with identical functionality for users who prefer descriptive command names.

Can the Engineering plugin review code without external integrations?

Yes. In standalone mode, the plugin accepts raw diffs, PR URLs, or file paths to perform comprehensive analysis across security, performance, correctness, and style dimensions without requiring source-control or ticket-tracker connectors, as specified in engineering/skills/code-review/SKILL.md.

How does the plugin format its code review output?

According to engineering/skills/code-review/SKILL.md (lines 76-99), the plugin returns a markdown report containing an overall verdict, a table of critical issues with exact file and line references, categorized suggestions by severity and type, and positive observations about well-implemented patterns.

What types of security issues does the plugin detect?

The security audit checks against OWASP Top 10 vulnerabilities including injection flaws, authentication weaknesses, and authorization bypasses as specified in the code-review skill documentation, providing specific detection for common web application and API security risks.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:

curl -s "https://instagit.com/install.md"

Add to your MCP client configuration:

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}

Ask your agent:

"Use Instagit MCP to understand how anthropics/knowledge-work-plugins works."

Works with

Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →