# How the Engineering Plugin Assists with Code Review: Slash Commands and AI Workflows > Streamline code reviews with the Engineering plugin. Use slash commands and AI workflows to analyze changes for security, performance, correctness, and style. Boost your development process today. - Repository: [Anthropic/knowledge-work-plugins](https://github.com/anthropics/knowledge-work-plugins) - Tags: how-to-guide - Published: 2026-05-30 --- **The Engineering plugin provides a structured code review workflow via the `/review` or `/code-review` slash commands, analyzing changes for security, performance, correctness, and style both as a standalone tool and within integrated development ecosystems.** The `anthropics/knowledge-work-plugins` repository delivers a dedicated Engineering plugin that automates systematic code analysis through natural language interfaces. By leveraging structured skill definitions and optional external connectors, this tool enables developers to execute consistent, reproducible reviews without manual checklist management. ## Activating the Code Review Workflow The plugin exposes two entry points for initiating analysis. According to [`engineering/README.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/README.md) (lines 15-19), the `/review` command handles "Review code changes — security, performance, style, and correctness" while the explicit `/code-review` command documented in the same file (lines 30-33) provides identical functionality with clearer intent signaling. Users supply input through three primary methods: - A pull request URL - A raw diff pasted directly into the conversation - A specific file path The plugin parses the input context to determine execution mode, automatically selecting between standalone operation or enhanced analysis when connectors are detected. ## Standalone Review Capabilities Even without external integrations, the plugin performs comprehensive multi-dimensional analysis as defined in [`engineering/skills/code-review/SKILL.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/skills/code-review/SKILL.md) (lines 30-35). ### Security Auditing The plugin executes **OWASP Top 10 checks**, identifying injection vulnerabilities, authentication bypasses, and authorization flaws. It scans for common attack vectors including SQL injection and unsafe deserialization patterns. ### Performance Analysis The review detects **N+1 queries**, potential memory leaks, and suboptimal algorithmic complexity. It flags patterns that could degrade runtime efficiency under load or scale. ### Correctness Verification Analysis examines **edge-case handling**, error propagation paths, and potential race conditions. The plugin validates logic robustness against boundary conditions and concurrent execution scenarios. ### Style and Maintainability The tool evaluates naming conventions, Single Responsibility Principle (SRP) adherence, and code duplication. It assesses whether implementations align with general software engineering best practices for long-term maintainability. ## Super-Charged Reviews with Connectors When the plugin detects configured connectors, it enters a super-charged mode documented in the "SUPERCHARGED" section of [`engineering/skills/code-review/SKILL.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/skills/code-review/SKILL.md) (lines 37-41). **Source-control integration** automatically fetches the PR diff, CI pipeline status, and test results to contextualize findings within the current build state. **Project tracker connections** link discovered issues to existing tickets or generate new tracking items automatically. **Knowledge base access** cross-references team-specific coding standards, Architecture Decision Records (ADRs), and historical review outcomes to ensure organizational consistency. ## Structured Output Format The plugin generates a standardized markdown report defined in [`engineering/skills/code-review/SKILL.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/skills/code-review/SKILL.md) (lines 76-99). This structured output includes: - A brief executive summary with an overall verdict (**approve** or **request changes**) - A table of **critical issues** annotated with exact file paths, line numbers, detailed descriptions, and severity classifications - A categorized table of **suggestions** organized by performance, security, correctness, and maintainability dimensions - Positive observations highlighting well-implemented patterns and optional next steps for improvement ## Iterative and Focused Reviews As noted in the "Tips" section of [`engineering/skills/code-review/SKILL.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/skills/code-review/SKILL.md) (lines 15-18), the plugin supports iterative refinement workflows. If no target is provided, the system prompts for clarification. Users can narrow analysis scope by requesting specific focus areas such as "focus on security" or "check for N+1 queries" to tailor the review to immediate concerns. ## Practical Usage Examples Review a specific PR using the shorthand command: ```markdown /review https://github.com/example/repo/pull/42 ``` Analyze a raw diff pasted directly into the chat: ```markdown /code-review --- a/src/utils.py +++ b/src/utils.py @@ -10,6 +10,9 @@ def calculate(a, b): - return a + b + # Guard against overflow + if a > 2**31 or b > 2**31: + raise ValueError("Input too large") + return a + b ``` Execute a focused security audit by specifying constraints after the initial command: ```markdown /code-review https://github.com/example/repo/pull/57 # Follow-up prompt: Focus on authentication and injection risks only. ``` Trigger automatic PR detection with connected source-control: ```markdown /review # plugin pulls the latest open PR automatically ``` ## Summary - The Engineering plugin exposes `/review` and `/code-review` slash commands defined in [`engineering/README.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/README.md) for initiating analysis - **Standalone mode** performs security, performance, correctness, and style audits without requiring external dependencies - **Super-charged mode** enriches reviews with real-time data from source-control systems, ticket trackers, and organizational knowledge bases - Output follows a structured markdown template with severity-graded findings, file references, and actionable suggestions - Users can focus reviews on specific technical concerns through iterative prompting as documented in the skill tips ## Frequently Asked Questions ### What slash commands trigger the Engineering plugin code review? The `/review` and `/code-review` commands both initiate the workflow. The `/review` command is listed in [`engineering/README.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/README.md) as the primary entry point, while `/code-review` provides an explicit alternative with identical functionality for users who prefer descriptive command names. ### Can the Engineering plugin review code without external integrations? Yes. In standalone mode, the plugin accepts raw diffs, PR URLs, or file paths to perform comprehensive analysis across security, performance, correctness, and style dimensions without requiring source-control or ticket-tracker connectors, as specified in [`engineering/skills/code-review/SKILL.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/skills/code-review/SKILL.md). ### How does the plugin format its code review output? According to [`engineering/skills/code-review/SKILL.md`](https://github.com/anthropics/knowledge-work-plugins/blob/main/engineering/skills/code-review/SKILL.md) (lines 76-99), the plugin returns a markdown report containing an overall verdict, a table of critical issues with exact file and line references, categorized suggestions by severity and type, and positive observations about well-implemented patterns. ### What types of security issues does the plugin detect? The security audit checks against **OWASP Top 10** vulnerabilities including injection flaws, authentication weaknesses, and authorization bypasses as specified in the code-review skill documentation, providing specific detection for common web application and API security risks.