Code Review
CrabCode's three-tier code review: local /review, cloud-deep /ultrareview, focused /security-review. Plus the GitHub App for writing results back to PRs.
What it is
CrabCode turns "have the AI review this change" into three commands that differ in cost, depth and where they run:
| Command | Where it runs | Time | Depth | When to use |
|---|---|---|---|---|
/review | Local, in session | Seconds | Single agent pass | Pre-commit self-check; quick read of someone else's PR |
/ultrareview | CrabCode Web (cloud) | ~10–20 min | Multi-agent + verification | Risky changes, big PRs, suspected bugs |
/security-review | Local, in session | Medium | Single agent, security-focused | Last check before merge |
They complement rather than substitute for each other: /review gives you a "code-quality + general issues" snapshot, /ultrareview actually goes hunting for bugs with counterexamples, and /security-review targets exploitable vulnerabilities and filters out the usual noise (DoS, stale dependencies, rate limits, ...).
/review [PR#] — local baseline review
Runs in your current session, single agent end-to-end:
- No argument → runs `gh pr list` to show open PRs
- With a PR number → `gh pr view <n>` + `gh pr diff <n>` to fetch details and diff
- Outputs a structured review: overview / code quality / improvement suggestions / potential risks
Focuses on five axes: correctness, project conventions, performance, test coverage, security considerations.
Good for self-checking your own work after a code chunk, or speed-reading someone else's small PR. Seconds to tens of seconds, never leaves the terminal.
/ultrareview [PR#] — deep cloud review
Same shape as /review but runs in CrabCode on the web: your local CLI packages the current branch or target PR context, uploads it, and the cloud spins up multiple agents in parallel:
- Bug hunting — agents each run a hypothesis, write counterexample tests, verify whether the bug actually reproduces
- Deep reading — beyond the diff itself; reads relevant upstream/downstream modules
- Report — comes back with a trackable remote session link, results flow back to local
Typical time: 10–20 minutes. This is the "I have a real concern, worth spending subscription quota" path, not your daily PR self-check.
Entitlement gate
/ultrareview is gated on subscription + balance, with a local pre-check:
- Extra Usage not enabled → free ultrareviews used, with acosmi.com/settings/billing
- Balance too low (< $10) → prompts to top up
- First paid launch → confirm dialog appears once; the "don't ask again" flag only persists after a non-aborted launch
- Esc during the ~5s launch window → cancels cleanly; no charge, no stale state
GitHub-only — non-GitHub repos fail fast.
/security-review — focused security review
Runs against the current branch's diff vs origin/HEAD. Key differences from generic review:
- Goal: find vulnerabilities with real exploitation potential — not generic code review
- Confidence bar: only reports findings it's > 80% confident are exploitable; theoretical / low-impact issues are dropped
- Hard exclusions: DoS / resource exhaustion, secrets at rest already protected by other processes, rate-limiting issues, memory-safety in memory-safe languages (Rust etc.), test-only files, documentation files, GitHub Action workflows without a controllable trigger path, outdated third-party libs (handled by a separate process), and more
Categories examined: injection (SQL / command / path traversal / XXE / ...), auth/authz bypasses, crypto & secrets management, code execution (deserialization / eval / XSS), data exposure.
Output format is fixed: `# Vuln N: <category>: <file:line>` + Severity / Description / Exploit Scenario / Recommendation.
How to run: /security-review on the current branch. No PR number required.
How to choose
- Done with a change, about to commit → `/review` (fast local)
- Self-check before opening a PR → `/review` (baseline) + `/security-review` (security angle)
- PR has a suspicious bug and reviewers can't pin it down → `/ultrareview` (cloud multi-agent verification)
- Last gate before merge → `/security-review`
None of them substitutes another — /ultrareview is not a superset of /security-review (cloud agents target bugs, not the security taxonomy).
Writing results back to PRs
To turn review output into PR comments:
- Install the GitHub App via `/install-github-app` so CrabCode has comment permissions
- Pick the items you want to surface and post them with `gh pr review` / `gh pr comment`
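As an added example (not CrabCode's own code), a small Python helper that parses the fixed `/security-review` output format described above into findings and renders each one as a body for `gh pr comment` / `gh pr review`. The `Severity:`-style field lines under each heading are an assumed layout, and the report text is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample report in the /security-review heading format; the
# "Label: value" lines under each heading are an assumed layout.
SAMPLE_REPORT = """\
# Vuln 1: injection: api/users.py:42
Severity: High
Description: User-supplied `order` value is interpolated into a SQL string.
Exploit Scenario: Crafted `order` values alter the query and read other tables.
Recommendation: Use a parameterised query or an allow-list of column names.

# Vuln 2: data exposure: web/debug.py:17
Severity: Medium
Description: Stack traces are returned to unauthenticated clients.
Exploit Scenario: Error pages reveal file paths and library versions.
Recommendation: Disable debug output in production and log server-side.
"""

HEADING = re.compile(r"^# Vuln (\d+): (.+?): (\S+):(\d+)\s*$")
FIELDS = ("Severity", "Description", "Exploit Scenario", "Recommendation")


@dataclass
class Finding:
    number: int
    category: str
    path: str
    line: int
    fields: dict = field(default_factory=dict)


def parse_report(text: str) -> list[Finding]:
    """Split a /security-review report into one Finding per `# Vuln N:` heading."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = HEADING.match(raw)
        if m:
            findings.append(Finding(int(m[1]), m[2].strip(), m[3], int(m[4])))
            continue
        if findings and ":" in raw:  # attach known field lines to the current finding
            label, _, value = raw.partition(":")
            if label.strip() in FIELDS:
                findings[-1].fields[label.strip()] = value.strip()
    return findings


def to_pr_comment(f: Finding) -> str:
    """Render one finding as a markdown comment body for gh pr comment / review."""
    head = f"**Vuln {f.number} ({f.category}, {f.fields.get('Severity', '?')})** `{f.path}:{f.line}`"
    body = "\n".join(f"- {k}: {f.fields[k]}" for k in FIELDS[1:] if k in f.fields)
    return f"{head}\n{body}"
```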
Or the other direction — /pr-comments pulls reviewer comments back into the local session so you can keep iterating. See Git Workflow.
Notes
- All three commands respect the git safety policy: no `git config` writes, no destructive ops, no skipping hooks
- `/ultrareview` uploads current branch or PR content to a cloud session; privacy / data boundaries are covered in Data Usage and Security
- `/security-review` is purely local — no code leaves your machine
Related
- Git Workflow — feeds inputs to `/review` / `/ultrareview`
- CrabCode on the web — cloud runtime for `/ultrareview`
- Settings — review-related config (subscription / model override)
- Security — security model behind `/security-review`