Get expert AI-powered code reviews from multiple models (Codex and Gemini) integrated into Claude Code to automatically catch bugs, security vulnerabilities, and design problems.
Core Capabilities:
Check CLI status - Verify which code review CLIs (Codex/OpenAI and Gemini) are installed and available
Review code snippets - Submit code directly as a string with optional context for immediate analysis
Review specific files - Analyze individual files by path for comprehensive feedback
Review entire directories - Scan all code files in a directory for project-wide assessment
Multi-reviewer selection - Choose Codex, Gemini, or both reviewers for different perspectives
Contextual reviews - Provide optional context to help reviewers understand the code's purpose
Key Features:
Fast parallel processing - Get reviews in ~5 seconds per 100 lines by running CLIs simultaneously
Comprehensive detection - Identifies critical security vulnerabilities (SQL injection, XSS, hardcoded secrets), runtime bugs, performance issues, and design flaws
Prioritized findings - Issues categorized by severity (Critical/High/Medium/Low)
Smart validation - Filters out unhelpful responses like code rewrites and off-topic feedback
Multi-language support - Works with 15+ languages including JavaScript, TypeScript, Python, Ruby, Go, Java, C/C++, C#, PHP, Swift, Kotlin, and Rust
Integrates with Google's Gemini CLI to provide comprehensive code reviews, evaluating bugs, edge cases, best practices, and offering detailed improvement suggestions
Integrates with OpenAI's Codex CLI to provide senior-level code reviews, analyzing code quality, security vulnerabilities, performance issues, and providing prioritized recommendations
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Review MCP Serverreview this authentication function for security issues"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Review MCP Server
Get expert code reviews from multiple AI models integrated into Claude Code. Catches bugs, security issues, and design problems automatically.
Quick Start
git clone https://github.com/je4550/review-mcp.git
cd review-mcp
npm install
npm run buildConfigure Claude Code - Add to ~/.config/claude-code/mcp.json:
{
"mcpServers": {
"review-mcp": {
"command": "node",
"args": ["/absolute/path/to/review-mcp/dist/index.js"]
}
}
}Set up a reviewer CLI (at least one):
# Option 1: Codex CLI (recommended)
codex --version # If you already have it
# Option 2: OpenAI CLI
npm install -g openai
# No API key needed if logged in with ChatGPT subscription
# Otherwise: export OPENAI_API_KEY="sk-..."
# Option 3: Gemini CLI
npm install -g @google/gemini-cli
# No API key needed if logged in with Google account
# Otherwise: export GOOGLE_API_KEY="..."Restart Claude Code and you're ready!
Usage
Just ask Claude naturally:
"Review this authentication function"
"Get a second opinion on src/auth.ts"
"Check the payment processing code for security issues"
"Review all files in the api/ directory"Claude will get reviews from Codex/Gemini, analyze them, and present comprehensive feedback.
What You Get
Real Results from Testing
100-line authentication service:
Found: 6 critical security issues
SQL injection (5 locations), hardcoded secrets, insecure random, missing JWT expiration
Time: ~5 seconds
Payment processing module:
Found: 5 issues (2 critical, 2 high, 1 medium)
Hardcoded API keys, SQL injection, missing transactions, floating point errors
Time: ~4 seconds
React component (90 lines):
Found: 5 bugs
Null pointer crash, XSS vulnerability, state mutation bugs, missing dependencies
Time: ~5 seconds
Utility functions:
Found: 4 security flaws
Weak password hashing, insecure tokens, insufficient sanitization
Time: ~4 seconds
Example Review
Your code:
function auth(user, pass) {
if (user === "admin" && pass === "12345") {
return true;
}
return false;
}Codex review:
- High: auth hard-codes "admin" and "12345" (auth.js:2). Anyone with
source access gains full access, credentials can't be rotated without
redeploying, and password is stored in clear text.
- High: Plain string comparison leaks timing information (auth.js:2).
An attacker can measure response times to infer correct characters;
use constant-time comparison.
- Medium: No hashing or KDF applied to password before comparison.
Even if you moved the secret out of source control, you'd still want
to hash user-supplied passwords.
Next steps: Replace hardcoded credential with configurable secret store,
hash/verify using a KDF, add constant-time compare helper.Claude's synthesis:
Both reviewers identified critical security issues. The hardcoded credentials and timing attacks need immediate attention. I also notice there's no rate limiting or audit logging. Let me help you fix these...
Features
✅ Senior-level reviews - Catches security, bugs, performance issues ✅ Multiple perspectives - Get Codex + Gemini + Claude's analysis ✅ Auto-detection - Works with whichever CLIs you have installed ✅ Smart validation - Filters out code rewrites and unhelpful responses ✅ Fast - ~5 seconds per 100 lines of code ✅ Comprehensive - Reviews snippets, files, or entire directories ✅ Prioritized - Issues marked as Critical/High/Medium/Low
Available Tools
Tool | Use Case |
| Check which review CLIs are installed |
| Review a code snippet directly |
| Review a specific file |
| Review all code files in a directory |
You don't need to remember these - Claude calls them automatically when you ask for reviews.
Supported Languages
.js .ts .jsx .tsx .py .rb .go .java .c .cpp .cs .php .swift .kt .rs
How It Works
You write code and ask Claude for a review
MCP server detects which CLIs are available (Codex/Gemini)
Sends your code with a simple prompt: "You are a senior software engineer. Code review the changes and implementation. Don't change anything, just review."
Reviewers analyze in parallel (5-minute timeout each)
Validation filters out invalid responses (code rewrites, errors, off-topic)
Claude receives feedback and adds its own expert analysis
You get comprehensive results with multiple AI perspectives
Troubleshooting
"No review CLIs available"
Run
"Check CLI status"in Claude CodeInstall at least one:
codex,openai, orgeminiCLI
Reviews timing out
5-minute timeout should be plenty
Check internet connection and API keys
API keys not working
# Note: API keys not needed if you're logged in with:
# - ChatGPT subscription (for OpenAI CLI)
# - Google account (for Gemini CLI)
# If you need to set API keys manually:
# Check if keys are set
echo $OPENAI_API_KEY
echo $GOOGLE_API_KEY
# Add to ~/.bashrc or ~/.zshrc
export OPENAI_API_KEY="sk-..."
export GOOGLE_API_KEY="..."Performance
Based on real testing:
Speed: ~5 seconds per 100 lines
Accuracy: Zero false positives in testing
Coverage: Finds security, bugs, performance, design issues
Cost: ~$0.10 per review at GPT-4 rates
Tokens: ~3,000 per 100-line file
Architecture
You write code
↓
Claude Code asks for review
↓
Review MCP Server
├─→ Detects available CLIs
├─→ Sends code to Codex/Gemini (parallel)
├─→ Validates responses
└─→ Returns formatted feedback
↓
Claude analyzes and synthesizes
↓
You get expert recommendationsDevelopment
npm run watch # Auto-rebuild on changesLicense
MIT
Contributing
Issues and PRs welcome at https://github.com/je4550/review-mcp