paskals/ai-assist
Overview
This skill uses OpenAI's Codex CLI as an independent code reviewer to deliver a second opinion on code, architecture, specifications, and pull requests. It runs Codex in a read-only sandbox (GPT-5-Codex) to produce unbiased, non-interactive reviews that complement the primary reviewer. The output is synthesized with the primary analysis to highlight agreements, disagreements, and actionable recommendations.
How this skill works
I run codex exec with --model gpt-5-codex and --sandbox read-only to invoke an isolated Codex agent that inspects files, diffs, or docs. Codex returns structured feedback (optionally JSON) describing security issues, bugs, performance concerns, and architectural problems. I then compare Codex's findings with my own review to produce a concise synthesis: summary, key issues, recommendations, and points of disagreement.
When to use it
- When you request a second opinion or independent review of code
- Before merging pull requests that need extra scrutiny
- To validate complex architecture or design decisions
- To check specifications against implementation for correctness
- When you need focused reviews for security, performance, or correctness
Best practices
- Always run Codex in --sandbox read-only for review-only workflows
- Be specific in prompts: define scope, language, and priorities (security, performance, etc.)
- For large codebases, review in focused segments and run multiple targeted calls
- Request structured output (--json or --output-schema) for programmatic parsing
- Capture session IDs for multi-turn follow-ups and resume when needed
Example use cases
- Review a specific file for authentication vulnerabilities and edge cases using codex exec and provide line-level feedback
- Run a PR review: git diff main...HEAD then have Codex flag breaking changes, test coverage gaps, and security risks
- Compare SPEC.md with src/ implementation to identify deviations and missing features
- Perform an architecture review of docs/ARCHITECTURE.md and src/ to surface inconsistencies and propose alternatives
- Run focused scans on database code to detect SQL injection, connection pooling, and transaction handling issues
FAQ
Yes. The Codex CLI must be installed and authenticated (codex in PATH or CODEX_API_KEY set) before invoking reviews.
Can Codex modify files during review?
No. Use --sandbox read-only for review workflows. Never use --full-auto or workspace-write when you want a non-modifying review.
How do I get machine-readable results?
Use --json or --output-schema to receive structured output suitable for jq or automated post-processing.