simplify, review, security-review (Built-in)
Three built-in Claude Code skills focused on code quality: /simplify (review changed code for reuse, quality, efficiency, then propose fixes), /review (one-line severity-tagged findings on a PR or diff), /security-review (security audit of pending branch changes — OWASP-style).
/review, /simplify and /security-review are three different code reviewers — /review is the senior who catches bugs, /simplify is the architect who hates duplication, /security-review is the SOC 2 auditor who flags every secret. Pick by what you fear most.
/simplify scans recent edits and flags over-abstraction, dead code, premature optimization, and helper functions with one caller. /review summarizes a diff with terse findings: location, problem, fix — no praise, no scope creep. /security-review specifically targets injection (SQL, XSS, command), auth bypass, secrets leakage, unsafe deserialization, and dependency vulnerabilities. All three are read-only by default; they suggest changes but don't apply them without confirmation.
/review uses a strict output format: `path:line: <severity>: <problem>. <fix>.` — keeps comments dense and skimmable. /security-review works through a checklist of the OWASP Top 10 plus framework-specific risks (Express middleware ordering, SQLi via raw queries, hardcoded secrets, unsafe pickle/eval, missing auth on internal endpoints). /simplify is the most opinionated — it flags premature abstraction (a helper with one caller), error handling for impossible cases, and over-engineered config flags it considers YAGNI. For long PRs that would blow context, pair /review with the cavecrew-reviewer subagent so the findings come back compressed.
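The strict `path:line: <severity>: <problem>. <fix>.` format is what makes /review output machine-checkable, so a practitioner can gate a merge on it rather than eyeballing it. The following is an added example, not code from Claude Code or the skill itself: a small parser that turns finding lines into structured records, rejects anything that does not match the format, and sorts by severity so that findings at or above a chosen gate can block a merge. The severity vocabulary (`critical`/`high`/`medium`/`low`/`info`) and the sample finding lines are constructed assumptions; the page only fixes the line shape, not the severity words.

```python
import re
from collections import defaultdict

# One finding per line: path:line: <severity>: <problem>. <fix>.
# The problem text is taken up to its first period; the fix is the remainder.
FINDING_RE = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+):\s*"
    r"(?P<severity>[A-Za-z]+):\s*"
    r"(?P<problem>[^.]+)\.\s*"
    r"(?P<fix>.+?)\.?\s*$"
)

# Assumed severity vocabulary (lower rank = more severe); not defined by the page.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample output, including one line that is not a valid finding.
SAMPLE = """\
src/db.py:42: high: SQL query built with f-string. Use a parameterized query.
src/auth.py:17: critical: Admin endpoint has no auth check. Add the require_admin decorator.
src/util.py:9: low: Helper has a single caller. Inline it.
this line is not a finding
"""


def parse_findings(text):
    """Return (findings, rejected): parsed records and lines that broke the format."""
    findings, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if not m:
            # A reviewer line outside the contract is surfaced, never silently dropped.
            rejected.append(line)
            continue
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        rec["severity"] = rec["severity"].lower()
        findings.append(rec)
    return findings, rejected


def triage(findings, gate="high"):
    """Sort findings by severity, then path and line; return (ordered, blocking).

    `blocking` holds every finding at or above `gate`; unknown severities are
    ranked last so a typo in the reviewer output never silently blocks a merge.
    """
    ordered = sorted(
        findings,
        key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["path"], f["line"]),
    )
    threshold = SEVERITY_RANK[gate]
    blocking = [f for f in ordered if SEVERITY_RANK.get(f["severity"], 99) <= threshold]
    return ordered, blocking


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 1, 'low': 1}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found, bad = parse_findings(SAMPLE)
    ordered, blocking = triage(found)
    for f in ordered:
        print(f"{f['severity']:>8}  {f['path']}:{f['line']}  {f['problem']} -> {f['fix']}")
    print("counts:", summarize(found))
    print("blocking merge:", len(blocking), "| rejected lines:", bad)
```

The rejected list matters as much as the parsed one: a line the reviewer emitted outside the contract is exactly the kind of finding a CI gate would otherwise lose, so the script reports it instead of ignoring it.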
Three built-in skills I lean on: /simplify reviews recent edits for over-abstraction, dead code, and premature optimization, then proposes refactors; /review summarizes a diff with one-line severity-tagged findings using a strict format that's skimmable on big PRs; /security-review audits the pending branch for OWASP Top 10 issues, secrets, and dependency vulnerabilities. They're read-only — they suggest, they don't apply. I pair /review with cavecrew-reviewer when the diff is large enough that uncompressed feedback would blow my context window.
Treating /simplify output as commands. It optimizes for code quality in isolation — sometimes its proposed refactor breaks an invariant only the human knows about (a deliberate redundancy, a contract with a downstream system). Read suggestions; don't blindly apply.