Claude-Skills pr-review-expert

install

source · Clone the upstream repo

git clone https://github.com/borghei/Claude-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/engineering/pr-review-expert" ~/.claude/skills/borghei-claude-skills-pr-review-expert && rm -rf "$T"

manifest: engineering/pr-review-expert/SKILL.md

source content

PR Review Expert

Tier: POWERFUL Category: Engineering / Quality Assurance Maintainer: Claude Skills Team

Overview

Structured, systematic code review for GitHub PRs and GitLab MRs. Goes beyond style nits to perform blast radius analysis, security vulnerability scanning, breaking change detection, test coverage delta calculation, and performance impact assessment. Produces reviewer-ready reports with prioritized findings categorized as must-fix, should-fix, and suggestions.

Keywords

PR review, code review, pull request, merge request, blast radius, security scan, breaking changes, test coverage, review checklist, code quality

Core Capabilities

1. Blast Radius Analysis

Trace which files, services, and downstream consumers could break
Identify shared libraries, types, and API contracts in the diff
Map cross-service dependencies in monorepos
Quantify impact severity (CRITICAL / HIGH / MEDIUM / LOW)

2. Security Scanning

SQL injection via string interpolation
XSS vectors (innerHTML, dangerouslySetInnerHTML)
Hardcoded secrets and credentials
Auth bypass patterns
Insecure cryptographic functions
Path traversal risks
Prototype pollution

3. Breaking Change Detection

API endpoint removals or renames
Response schema modifications
Required field additions
Database column removals
Environment variable changes
TypeScript interface modifications

4. Test Coverage Analysis

New code vs new test ratio
Missing tests for new public functions
Deleted tests without deleted code
Coverage delta calculation

5. Performance Assessment

N+1 query pattern detection
Bundle size regression indicators
Unbounded queries without LIMIT
Missing database indexes for new query patterns

When to Use

Before merging any PR that touches shared libraries, APIs, or database schemas
When a PR is large (>200 lines changed) and needs structured review
For PRs in security-sensitive code paths (auth, payments, PII handling)
After an incident to proactively review similar code changes
For onboarding new contributors whose PRs need thorough feedback

Review Workflow

Step 1: Gather Context

PR=123

# PR metadata
gh pr view $PR --json title,body,labels,milestone,assignees | jq .

# Files changed
gh pr diff $PR --name-only

# Full diff for analysis
gh pr diff $PR > /tmp/pr-$PR.diff

# CI status
gh pr checks $PR

Step 2: Blast Radius Analysis

For each changed file, determine its impact scope:

DIFF_FILES=$(gh pr diff $PR --name-only)

# Find all files that import changed modules
for file in $DIFF_FILES; do
  module=$(basename "$file" .ts | sed 's/\..*$//')
  echo "=== Dependents of $file ==="
  grep -rl "from.*$module\|import.*$module\|require.*$module" src/ --include="*.ts" --include="*.tsx" -l 2>/dev/null
done

# Check if changes span multiple services (monorepo)
echo "$DIFF_FILES" | cut -d/ -f1-2 | sort -u

# Identify shared contracts
echo "$DIFF_FILES" | grep -E "types/|interfaces/|schemas/|models/|shared/"

Blast Radius Severity:

Severity	Criteria	Examples
CRITICAL	Shared library used by 5+ consumers	`packages/utils/` , auth middleware, DB schema
HIGH	Cross-service impact, shared config	API contracts, env vars, shared types
MEDIUM	Single service internal change	Service handler, utility function
LOW	Isolated change, no dependents	UI component, test file, documentation

Step 3: Security Scan

DIFF=/tmp/pr-$PR.diff

# SQL injection — raw string interpolation in queries
grep -n "query\|execute\|raw(" $DIFF | grep -E '\$\{|f"|%s|format\(' | grep "^+"

# Hardcoded secrets
grep -nE "(password|secret|api_key|token|private_key)\s*=\s*['\"][^'\"]{8,}" $DIFF | grep "^+"

# AWS keys
grep -nE "AKIA[0-9A-Z]{16}" $DIFF

# XSS vectors
grep -n "dangerouslySetInnerHTML\|innerHTML\s*=" $DIFF | grep "^+"

# Auth bypass indicators
grep -n "bypass\|skip.*auth\|noauth\|TODO.*auth" $DIFF | grep "^+"

# Insecure crypto
grep -nE "md5\(|sha1\(|createHash\(['\"]md5|createHash\(['\"]sha1" $DIFF | grep "^+"

# eval/exec
grep -nE "\beval\(|\bexec\(|\bsubprocess\.call\(" $DIFF | grep "^+"

# Path traversal
grep -nE "path\.join\(.*req\.|readFile\(.*req\." $DIFF | grep "^+"

# Prototype pollution
grep -n "__proto__\|constructor\[" $DIFF | grep "^+"

# Sensitive data in logs
grep -nE "console\.(log|info|warn|error).*password\|console\.(log|info|warn|error).*token\|console\.(log|info|warn|error).*secret" $DIFF | grep "^+"

Step 4: Breaking Change Detection

# API endpoint removals
grep "^-" $DIFF | grep -E "router\.(get|post|put|delete|patch)\(|@app\.(get|post|put|delete)"

# TypeScript interface/type removals
grep "^-" $DIFF | grep -E "^-\s*(export\s+)?(interface|type) "

# Required field additions to existing types
grep "^+" $DIFF | grep -E ":\s*(string|number|boolean)\s*$" | grep -v "?" # non-optional additions

# Database migrations: destructive operations
grep -E "DROP TABLE|DROP COLUMN|ALTER.*NOT NULL|TRUNCATE" $DIFF

# Index removals
grep -E "DROP INDEX|remove_index" $DIFF

# Removed env vars
grep "^-" $DIFF | grep -oE "process\.env\.[A-Z_]+" | sort -u

# New env vars (may not be set in production)
grep "^+" $DIFF | grep -oE "process\.env\.[A-Z_]+" | sort -u

Step 5: Test Coverage Delta

# Count source vs test changes
SRC_FILES=$(gh pr diff $PR --name-only | grep -vE "\.test\.|\.spec\.|__tests__|\.stories\.")
TEST_FILES=$(gh pr diff $PR --name-only | grep -E "\.test\.|\.spec\.|__tests__")

echo "Source files changed: $(echo "$SRC_FILES" | grep -c .)"
echo "Test files changed:   $(echo "$TEST_FILES" | grep -c .)"

# New lines of logic vs test
LOGIC_LINES=$(grep "^+" $DIFF | grep -v "^+++" | grep -v "\.test\.\|\.spec\." | wc -l)
TEST_LINES=$(grep "^+" $DIFF | grep -v "^+++" | grep "\.test\.\|\.spec\." | wc -l)
echo "New logic lines: $LOGIC_LINES"
echo "New test lines:  $TEST_LINES"

Coverage Rules:

New public function without tests: flag as must-fix
Deleted tests without deleted code: flag as must-fix
Coverage drop >5%: block merge
Auth/payments paths: require near-100% coverage

Step 6: Performance Impact

# N+1 patterns: DB calls that might be inside loops
grep -n "\.find\|\.findOne\|\.query\|db\." $DIFF | grep "^+" | head -20

# Heavy new dependencies
grep "^+" $DIFF | grep -E '"[a-z@].*":\s*"[0-9^~]' | head -10

# Unbounded loops
grep -n "while (true\|while(true" $DIFF | grep "^+"

# Missing await (accidentally sequential)
grep -n "await.*await" $DIFF | grep "^+"

# Large allocations
grep -n "new Array([0-9]\{4,\}\|Buffer\.alloc" $DIFF | grep "^+"

Review Report Format

Structure every review using this format:

## PR Review: [PR Title] (#NUMBER)

**Blast Radius:** HIGH — changes `lib/auth` used by 5 services
**Security:** 1 finding (medium severity)
**Tests:** Coverage delta +2% (3 new tests for 5 new functions)
**Breaking Changes:** None detected

---

### MUST FIX (Blocking)

**1. SQL Injection risk in `src/db/users.ts:42`**
Raw string interpolation in WHERE clause.
```diff
- const user = await db.query(`SELECT * FROM users WHERE id = '${userId}'`)
+ const user = await db.query('SELECT * FROM users WHERE id = $1', [userId])

2. Missing auth check on

POST /api/admin/reset

No role verification before destructive operation. Add

requireRole('admin')

middleware.

SHOULD FIX (Non-blocking)

3. N+1 pattern in

src/services/reports.ts:88

findUser()

called inside

results.map()

— batch with

findManyUsers(ids)

4. New env var

FEATURE_FLAG_X

not in
.env.example
Add to

.env.example

with description so other developers know about it.

SUGGESTIONS

5. Consider pagination for

GET /api/projects

Currently returns all projects without limit. Add

?limit=20&offset=0

LOOKS GOOD

Auth flow for new OAuth provider is thorough
DB migration has proper rollback (
```
down()
```
method)
Error handling is consistent with rest of codebase
Test names clearly describe what they verify


## Complete Review Checklist (35 Items)

```markdown
### Scope and Context
- [ ] PR title accurately describes the change
- [ ] PR description explains WHY, not just WHAT
- [ ] Linked ticket exists and matches scope
- [ ] No unrelated changes (scope creep)
- [ ] Breaking changes documented in PR body

### Blast Radius
- [ ] All files importing changed modules identified
- [ ] Cross-service dependencies checked
- [ ] Shared types/interfaces reviewed for breakage
- [ ] New env vars documented in .env.example
- [ ] DB migrations are reversible (have rollback)

### Security
- [ ] No hardcoded secrets or API keys
- [ ] SQL queries use parameterized inputs
- [ ] User inputs validated and sanitized
- [ ] Auth/authorization on all new endpoints
- [ ] No XSS vectors (innerHTML, dangerouslySetInnerHTML)
- [ ] New dependencies checked for known CVEs
- [ ] No sensitive data in logs (PII, tokens, passwords)
- [ ] File uploads validated (type, size, content)
- [ ] CORS configured correctly for new endpoints

### Testing
- [ ] New public functions have unit tests
- [ ] Edge cases covered (empty, null, max values)
- [ ] Error paths tested (not just happy path)
- [ ] Integration tests for API endpoint changes
- [ ] No tests deleted without clear justification
- [ ] Test names describe what they verify

### Breaking Changes
- [ ] No API endpoints removed without deprecation
- [ ] No required fields added to existing responses
- [ ] No DB columns removed without migration plan
- [ ] No env vars removed that may be in production
- [ ] Backward-compatible for external consumers

### Performance
- [ ] No N+1 query patterns introduced
- [ ] DB indexes added for new query patterns
- [ ] No unbounded loops on large datasets
- [ ] No heavy new dependencies without justification
- [ ] Async operations correctly awaited
- [ ] Caching considered for expensive operations

### Code Quality
- [ ] No dead code or unused imports
- [ ] Error handling present (no empty catch blocks)
- [ ] Consistent with existing patterns
- [ ] Complex logic has explanatory comments

Comment Labels

Use consistent labels so authors can quickly prioritize:

Label	Meaning	Action Required
`must:`	Blocking issue	Must fix before merge
`should:`	Important improvement	Should fix, but not blocking
`nit:`	Style/preference	Take it or leave it
`question:`	Need clarification	Respond before merge
`suggestion:`	Alternative approach	Consider, no action needed
`praise:`	Good pattern	No action needed

Common Pitfalls

Reviewing style over substance — let the linter handle formatting; focus on logic, security, correctness
Missing blast radius — a 5-line change in a shared utility can break 20 services
Approving untested happy paths — always check that error paths have coverage
Ignoring migration risk — NOT NULL additions need a default or two-phase migration
Indirect secret exposure — secrets in error messages and logs, not just hardcoded values
Skipping large PRs — if too large to review properly, request it be split
Trickle feedback — batch all comments in one review round; do not drip-feed over hours

Best Practices

Read the linked ticket first — context prevents false positives in the review
Check CI before reviewing — do not review code that fails to build
Prioritize blast radius and security over style — these are where real bugs live
Label every comment —
```
must:
```
,
```
nit:
```
,
```
question:
```
so authors know what matters
Batch all comments in one round — multiple partial reviews frustrate authors
Acknowledge good patterns — specific praise improves code quality culture
Reproduce locally for non-trivial changes — especially auth and performance-sensitive code

Troubleshooting

Problem	Cause	Solution
Blast radius analysis misses dependents	`grep` only searches `src/` by default	Expand search paths to include `packages/` , `libs/` , and monorepo service directories
Security scan produces false positives on test files	Diff includes test fixtures with fake secrets	Filter scan output to exclude `.test.` , `.spec.` , `__tests__/` , and `fixtures/` paths
Breaking change detection flags internal-only types	No distinction between exported and internal interfaces	Check whether flagged types are re-exported from the package entry point before reporting
Test coverage delta shows 0 when tests exist	Test files use non-standard naming conventions	Adjust the `grep -E` pattern in Step 5 to match your project's test file naming (e.g., `.unit.` , `_test.` )
`gh pr diff` returns empty output	PR has no commits yet or branch is not pushed	Verify the PR has at least one commit pushed to the remote with `gh pr view $PR --json commits`
N+1 detection flags ORM eager-loaded queries	Pattern matching cannot distinguish eager vs lazy loading	Cross-reference flagged lines with ORM configuration to confirm whether relations are pre-loaded
Review report is too long for PR comment	PR touches 50+ files across multiple services	Split the review into per-service comments or request the author break the PR into smaller scoped PRs

Success Criteria

Review turnaround time under 30 minutes for PRs with fewer than 500 changed lines
Zero post-merge security findings on PRs that received a full review using this skill
Blast radius severity rating matches actual production impact in 90%+ of cases
All must-fix items are resolved before merge with no exceptions
Test coverage delta is calculated and reported on every reviewed PR
Breaking changes are detected before merge in 95%+ of cases, validated against deployment incidents
Reviewer feedback is batched into a single review round at least 90% of the time

Scope & Limitations

This skill covers:

Structured review of GitHub PRs and GitLab MRs using a 35+ item checklist
Blast radius analysis for monorepo and multi-service architectures
Static security scanning of diffs for common vulnerability patterns (SQLi, XSS, secrets, auth bypass)
Breaking change detection for APIs, database schemas, TypeScript interfaces, and environment variables

This skill does NOT cover:

Automated code fixes or refactoring — use
```
engineering/saas-scaffolder
```
or
```
engineering/migration-architect
```
for code generation
Runtime security analysis, SAST/DAST tool orchestration, or CVE database lookups — use
```
engineering/dependency-auditor
```
for dependency-level vulnerability scanning
CI/CD pipeline configuration or build failure triage — use
```
engineering/ci-cd-pipeline-builder
```
for pipeline design
Performance benchmarking or load testing — use
```
engineering/performance-profiler
```
for profiling and optimization guidance

Integration Points

Skill	Integration	Data Flow
`engineering/dependency-auditor`	Run dependency audit before reviewing PRs that add or upgrade packages	Audit report feeds into the Security section of the review report
`engineering/ci-cd-pipeline-builder`	Embed review checklist gates into CI pipelines as automated PR checks	Checklist items become pass/fail signals in the pipeline
`engineering/performance-profiler`	Escalate N+1 and unbounded query findings for detailed profiling	Flagged code paths from review become profiling targets
`engineering/migration-architect`	Validate database migration safety for PRs that include schema changes	Migration risk assessment supplements the Breaking Changes section
`engineering/release-manager`	Feed breaking change detection results into release notes and changelogs	Detected breaking changes auto-populate release documentation
`engineering/api-design-reviewer`	Cross-reference API endpoint changes with API design standards	API review findings merge into the Blast Radius and Breaking Changes sections