Cynical Sally
Cynical Sally is a brutally honest code review assistant offering AI-powered analysis, feedback, and suggestions across development and content tasks.
sally_roast(Code Review): Get a 0–10 scored review with identified issues and actionable fixes. Supportsquickorfull_truth(deep dive) modes, file/directory paths or inline code, multiple tones (cynical,neutral,professional), and apreviewdry-run mode to verify what would be sent before sending.sally_explain(Code Explanation): Explains what a piece of code does in plain English — useful for undocumented or inherited code.sally_review_pr(PR Review): Submit a unified diff and get a senior-engineer-style review with concrete findings and a verdict.sally_refactor(Refactoring): Proposes before/after refactoring suggestions with explanations of why the original code is problematic.sally_brainstorm(Idea/Architecture Review): Pitch an idea or architectural approach and receive critical feedback on risks and failure points at scale.sally_frontend(Frontend/UI Review): Specialized critique for HTML, CSS, JSX/TSX, Vue, Svelte, etc., covering re-renders, accessibility, z-index issues, and component design.sally_marketing(Marketing Copy Review): Critique and before/after rewrites for taglines, landing pages, product descriptions, and brand messaging.sally_usage(Quota & Account Status): Check your plan tier, remaining roast quota, per-tool trial status, and linked account email.
Key properties: All tools are read-only and never modify files. Secret files (.env, keys, certs) are skipped automatically. Code is never stored, logged, or used for training. Multi-language support via ISO 639-1 codes. Free tier includes 90 quick roasts/month; premium tools include 1 free trial/month.
Provides the same set of MCP tools for code review and analysis within the Windsurf IDE, which is a Codeium product.
Enables CI/CD integration with options to gate pipelines on code quality scores, fail builds below thresholds, and output compact results with exit codes.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Cynical Sallyroast src/utils/auth.ts"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Your AI pair programmer is lying to you. Sally isn't.
She's the senior engineer your code hoped it'd never meet. Scores from 0 to 10, real issues backed by evidence, and fixes you can actually use.
Works as a CLI tool and as an MCP server in Claude Code, Cursor, and Windsurf.
Install
npm install -g @cynicalsally/cliOr run without installing:
npx @cynicalsally/cli roast ./src/Requirements: Node.js 18+
Related MCP server: GitHub Copilot MCP Server
See exactly what leaves your machine
Sending code to a server you don't control deserves more than "trust me." So Sally lets you verify it instead:
sally roast --dry-run ./src/--dry-run collects everything as if it were about to roast — then sends nothing. Instead it prints the exact payload: every file path, byte size, and token estimate; which files were held back and why (.env, keys, certs, binaries, .gitignore matches, size limits); and writes a local SHA-256 receipt to .sally/ so you can verify byte-for-byte what would have been uploaded.
WOULD SEND 3 files · 91 B · ~24 tokens (est.)
src/app.ts 36 B ~9 tok 68a3be428746…
HELD BACK 2 items — kept on your machine
✖ secret (2) — looks like a secret — never leaves your machine
.env
server.keySecret files (.env, SSH keys, certs, credential files) are skipped on your machine before anything is sent — verify it yourself with --dry-run. Only review code you're allowed to upload. Local reports land in .sally/ — add it to your .gitignore:
.sally/See Privacy & Security below for the full data-flow.
Quick Start
# Sally auto-detects what to review
sally roast
# → staged changes? reviews those
# → unstaged changes? reviews those
# → recent commit? reviews that
# → nothing? scans the directory
# Roast a file or directory
sally roast src/utils/auth.ts
sally roast ./src/
# Roast staged changes before you commit
sally roast --staged
# Compare your branch against main
sally roast --diff main
# Deep analysis with issues + actionable fixes
sally roast ./src/ -m full_truth
# Run deep analysis in the background (OS notification when done)
sally roast ./src/ -m full_truth --bg
# See exactly what would be sent — and send nothing
sally roast --dry-run ./src/
# Get a shareable roast card (saved to .sally/)
sally roast ./src/ --card
# Publish a share link — only the score + sneer go public, never your code
sally roast ./src/ --shareRoast Options
sally roast [paths...] [options]
--staged Review only staged git changes
--diff <branch> Compare against another branch (e.g., main)
-m, --mode <mode> "quick" (default) or "full_truth" (deep dive)
--tone <tone> "cynical" (default), "neutral", or "professional"
--lang <lang> Response language code (default: "en")
--json Output raw JSON (for piping or scripting)
--fail-under <score> Exit code 1 if quality score is below threshold
--ci CI mode: compact output, exit codes
--bg Run Full Truth in background, get OS notification when done
--dry-run Print the exact payload (files, sizes, tokens, SHA-256) and send NOTHING
--card Print + save a shareable roast card after the review
--share Create a public share link (cynicalsally.com/card/…) — score + sneer only, never codeGet your repo's verdict — and a badge to prove it
Let Sally judge your whole repo and hand you a README badge with the score baked in:
sally verdictShe scores the repo, then prints ready-to-paste badge markdown:
[](https://cynicalsally.com)Score an 8 or higher and the badge is a flex worth wearing. Score lower and, well — it's an honest signal that you're shipping anyway. Either way the badge links back, so every README that wears it does the bragging for you.
Too lazy to copy-paste? Sally will hang it up herself:
sally badge --add # inserts the badge into README.md, right under the title
sally badge # just prints the markdown (and your current score)The badge image updates automatically on every new sally verdict — add it once,
judged forever.
Explain
Sally reads the spaghetti someone left in your codebase and translates it into plain English. Just the cold, clear truth of what it actually does.
sally explain src/utils/auth.ts
# Pipe code directly
cat legacy-module.js | sally explain
# Explain the current directory
sally explainRefactor
Before and after, side by side. Sally explains why one of them is going to haunt your 3am on-call rotation.
sally refactor src/components/Dashboard.tsx
# Refactor current directory
sally refactorPR Review
Sally reviews your PR like a senior engineer who has time, opinions, and absolutely no reason to be polite.
# Review PR #42 (requires GitHub CLI)
sally review-pr 42
# Review current branch vs main
sally review-pr
# Pipe a diff
git diff main | sally review-prBrainstorm
Pitch your architecture idea and Sally tells you the three ways it falls apart at scale. Cheaper than a post-mortem.
sally brainstorm "Microservices for a 2-person team?"
# Brainstorm about the current project
sally brainstormFrontend Review
Sally tells you why your component re-renders on every keystroke and why your z-index is load-bearing.
sally frontend src/components/Header.tsx
# Review all frontend code in a directory
sally frontend ./src/Marketing Review
Run your copy by Sally before your customers do. They won't be this constructive about it.
sally marketing "Ship faster with AI-powered code reviews"
# Review your README and landing page copy
sally marketing README.mdEvery tool accepts file paths, raw text, or piped stdin. Each includes 1 free trial, no account needed.
CI/CD Integration
Gate your pipeline on code quality:
# GitHub Actions
- name: Sally Code Review
run: npx @cynicalsally/cli roast ./src/ --fail-under=5 --ci--ci gives compact output with exit codes. --fail-under fails the build when the score drops below your threshold. Add --json for machine-readable output.
MCP Server
Sally works as an MCP server inside Claude Code, Cursor, and Windsurf.
Claude Code
claude mcp add cynical-sally -- npx @cynicalsally/cli mcpCursor
One click:
Or add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (per project):
{
"mcpServers": {
"cynical-sally": {
"command": "npx",
"args": ["@cynicalsally/cli", "mcp"]
}
}
}Windsurf
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"cynical-sally": {
"command": "npx",
"args": ["@cynicalsally/cli", "mcp"]
}
}
}Available tools
MCP Tool | What it does |
| Code review with score, issues, and fixes |
| Explain code with Sally's personality |
| Review PR diffs |
| Refactoring suggestions with before/after |
| Feedback on ideas and approaches |
| Frontend/UI code review |
| Marketing copy review |
| Check quota and account status |
Roast by path — the agent can call sally_roast with just paths (files or directories); Sally reads them locally and skips binaries and secret files, so the agent doesn't have to read and pass content itself.
Prompts — Sally also exposes ready-made slash-command intents (roast, review-pr, explain) in clients that surface MCP prompts.
Run sally mcp in your terminal to see setup instructions.
All Commands
Command | Description |
| Review files, directories, or git changes |
| Score your repo + get a README badge |
| Print your badge markdown, or add it to README.md |
| Explain what code actually does |
| Refactoring with before/after code |
| Review a PR diff |
| Feedback on ideas and approaches |
| Frontend/UI code review |
| Marketing copy review |
| Log in via magic link |
| Clear stored session |
| Check your quota and account status |
| Upgrade to Sally's Full Suite |
| View background review results |
| MCP server setup instructions |
Free to Use
90 free roasts per month, no account needed. Every premium tool includes a free trial.
sally usage # Check your quota
sally upgrade # Unlock the Full SuitePrivacy & Security
Your code is yours. Don't take our word for it — run sally roast --dry-run and see the exact payload before anything is sent. Here's what happens to it:
Verify before you send.
--dry-runprints every file, size, token estimate, and a SHA-256 receipt of exactly what would be uploaded — and sends nothing. The MCPsally_roasttool has the samepreviewmode.Sent only to be reviewed. The files you choose are transmitted over HTTPS and processed in real-time to generate the review — that's the only reason they leave your machine.
Never written to disk, logs, or analytics. Your source code is processed in memory and discarded after analysis. It is never persisted to a database, never written to application logs or error traces, and never sent to any third-party APM or analytics. We keep the review (score, issues), not your source.
Never trained on, sold, or shared. Analysis runs through Anthropic's API, which doesn't train on submitted content.
Only what you point at. Sally doesn't browse your repo, read files you didn't give her, or scan your projects or plans. Secret files (
.env, keys, certs, credential files) are skipped on your machine before anything is sent — and--dry-runshows you exactly which ones.Sharing is opt-in, and never includes code. Nothing is ever published unless you pass
--share— and even then the public card contains only the score and Sally's one-liner.Anonymous by default. Reviews are tied to a random device ID, not your identity — until you link an email for Full Suite. Config stored locally at
~/.sally/config.json.Signed releases. npm packages are published with provenance — a cryptographic, public attestation linking each release to the exact source commit and CI build that produced it.
Full engineering detail — data-flow diagram, what's retained, subprocessors, and log policy — is in docs/PRIVACY.md. User-facing summary: cynicalsally.com/privacy.
Contributing
Found a bug or have a feature idea? Open an issue. Sally promises to only judge your issue title a little.
License
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/w1ckedxt/cynical-sally'
If you have feedback or need assistance with the MCP directory API, please join our Discord server