Codex Code Review (Codex)

Core Concepts

The Codex skill operates in three modes.

Mode 1: Code Review (codex review)

Reviews the current branch diff or specific files independently via the Codex CLI. The important point is that this review serves as a pass/fail gate. If Codex rules "fail," that diff is considered problematic and is automatically blocked in the ship skill pipeline.

Mode 2: Challenge (codex challenge)

Analyzes code "adversarially." It actively looks for edge cases, race conditions, security vulnerabilities, and faulty assumptions from the perspective of "how can this code be broken?" It is far more aggressive than a standard review.

Mode 3: Consult (codex consult)

Opens an interactive session with Codex to seek technical advice. Session continuity is supported, allowing follow-up questions while maintaining previous conversation context. Questions like "How would I apply the pattern you just mentioned to our project?" are possible.

When to Use

• When you want a second opinion from a different perspective than Claude before uploading a PR diff (codex review)
• When you need adversarial testing in the style of "attack my code as hard as possible — find the bugs" (codex challenge)
• When you need technical advice on the pros/cons of a particular implementation approach, algorithm choices, or library recommendations (codex consult)
• When you want to cross-verify code generated by Claude Code itself from an external perspective
• When receiving requests like "give me a codex review", "give me a second opinion", "ask codex"

The "200 IQ Autistic Developer" Metaphor

This expression used in the original skill compresses the characteristics of Codex. It means judging solely based on the logical correctness and safety of the code, without emotion and without social awareness. Team member reviews might be "soft feedback that considers feelings," but Codex is not.

One-Line Summary

A "second brain" skill that wraps the OpenAI Codex CLI within Claude Code to support code review, adversarial attack testing, and free-form questions. Like the nickname "200 IQ autistic developer," it logically finds weaknesses in code without emotion.

Getting Started

/codex

SKILL.md location: ~/.claude/skills/codex/SKILL.md

Copy and modify the SKILL.md content if customization is needed.

Practical Example

Scenario: You implemented a notice creation Server Action in a Next.js 15 + TypeScript "Student Club Notice Board" project. You've completed a first review with Claude Code, but want to verify once more from an external perspective before a team presentation.

Scenario A: Code Review Mode

> Use the codex review skill to check the current branch diff.
  Include a pass/fail verdict.

Code to be reviewed:

// app/actions/notice.ts
"use server";

export async function createNotice(formData: FormData) {
  const title = formData.get("title") as string;
  const body = formData.get("body") as string;

  // TODO: Add input validation
  const result = await db.notices.insert({
    title,
    body,
    authorId: getCurrentUserId(),
    createdAt: new Date(),
  });

  revalidatePath("/notices");
  redirect(`/notices/${result.id}`);
}

Issues Codex might identify:

• No input validation for title and body → FAIL (XSS/empty notices possible)
• Unclear whether getCurrentUserId() can be called even for unauthenticated users → FAIL
• redirect() is outside try-catch so there is no error handling path if DB fails → WARNING

Scenario B: Adversarial Attack Mode

> Use the codex challenge skill to attack the notices API route as hard as possible.
  Find all the ways this code can be broken.

// app/api/notices/route.ts
export async function GET(request: Request) {
  const { searchParams } = new URL(request.url);
  const page = parseInt(searchParams.get("page") || "1");
  const limit = parseInt(searchParams.get("limit") || "20");

  const notices = await db.notices.findMany({
    skip: (page - 1) * limit,
    take: limit,
    orderBy: { createdAt: "desc" },
  });

  return Response.json(notices);
}

Attack vectors Codex might find:

• What if page=-999999 or limit=99999? → Negative offset or DB overload
• page=abc becomes NaN, causing a Prisma error → abnormal response or 500
• limit=0 means take: 0 → always returns empty array, potential infinite loading UI bug
• All notices accessible without authentication → risk of exposing private notices

Scenario C: Technical Consultation Mode

> codex consult: I want to add a "like" feature to notices —
  what's the best way to implement optimistic updates in Next.js 15?

Follow-up questions (leveraging session continuity):

> How do I attach the useOptimistic pattern you just mentioned
  to our notice board's createNotice Server Action?

Learning Points / Common Pitfalls

• Claude review and Codex review are mutually complementary: Claude Code knows the entire project context and is good at judging "does this code fit our architecture?" Codex, on the other hand, looks at only the diff independently, so it sees "is this code itself safe?" from a different angle. Code that passes both reviews is far safer.
• Challenge mode is essential before presentations: Just before a team project presentation or hackathon submission, asking "break my code with the worst scenario" can help you discover unexpected bugs in advance.
• Consider integrating pass/fail gate into CI: The original skill uses codex review as a blocking step in the ship pipeline. Aim to add pnpm codex review as a PR check in GitHub Actions.
• Common pitfall — Verify Codex CLI installation: This skill requires the OpenAI Codex CLI to be installed locally. Check with codex --version first, and if not installed, install with npm install -g @openai/codex.
• Next.js 15 perspective: Missing input validation in Server Actions, missing authentication, and async/await error propagation patterns are things that Codex Challenge mode is particularly good at catching.

Related Resources

• review — Claude-based code review (complementary to Codex)
• requesting-code-review — How to request a code review
• cso — Security audit (OWASP, STRIDE threat modeling)

---

Field	Value
Source URL	https://docs.anthropic.com/en/docs/claude-code/skills
Author / Source	Anthropic
License	Commentary MIT, original for reference
Translation Date	2026-04-13