pr-review
Reviews code changes before merging. Use when reviewing PRs, checking staged changes, reviewing diffs, code review, merge readiness check, or validating changes before commit/push.
Best use case
pr-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Reviews code changes before merging. Use when reviewing PRs, checking staged changes, reviewing diffs, code review, merge readiness check, or validating changes before commit/push.
Teams using pr-review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/pr-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How pr-review Compares
| Feature / Agent | pr-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Reviews code changes before merging. Use when reviewing PRs, checking staged changes, reviewing diffs, code review, merge readiness check, or validating changes before commit/push.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# PR Review Skill Reviews code changes with focus on quality, security, and consistency. ## Default Assumption: Public Repository Unless explicitly stated otherwise, assume the repository is **publicly available**. This means: - Any secret, credential, or API key pushed is considered compromised - Internal URLs, IPs, hostnames should not be exposed - Comments with sensitive internal context should be flagged - Error messages should not leak internal architecture - Be extra cautious with .env files, config files, CI/CD configs ## Phase 1: Determine Scope **STOP. Use AskUserQuestion before anything else.** Ask user to choose review scope: - Staged files only - Unstaged changes (working directory) - All uncommitted (staged + unstaged) - Current branch vs main (PR-style) - Specific commit or range - Other (specify) **Do NOT run any git commands or tools until user responds.** After selection, get the diff: - Staged: `git diff --cached` - Unstaged: `git diff` - All uncommitted: `git diff HEAD` - Branch vs main: `git diff main...HEAD` - Commit: `git show <hash>` - Range: `git diff <from>..<to>` Also get changed files list: `git diff --name-only <appropriate args>` ## Phase 2: Understand the Problem **STOP. Use AskUserQuestion to confirm before proceeding.** Infer intent from: 1. Branch name: `git branch --show-current` 2. Commit messages: `git log main..HEAD --oneline` (or relevant range) Then use AskUserQuestion to confirm: > "Based on branch `feature/xyz` and commits, this PR appears to [inferred description]. Is this correct?" > - Yes, proceed > - No, let me explain **Do NOT proceed until user confirms.** ## Phase 3: Auto-Detect Stack Check for presence of: - `package.json` / `yarn.lock` → Node.js - `requirements.txt` / `pyproject.toml` → Python - `go.mod` → Go - `Cargo.toml` → Rust - `Dockerfile` → Docker - `*.tf` → Terraform - `*.yaml` in k8s patterns → Kubernetes - `.github/workflows/` → GitHub Actions Note detected stack for context-aware analysis. ## Phase 4: Run Scanners Execute relevant scanners (skip silently if not installed): **Always run:** | Tool | Command | |------|---------| | gitleaks | `gitleaks detect --source . --verbose --no-git` | | trufflehog | `trufflehog filesystem . --only-verified` | **Stack-specific:** | Stack | Tool | Command | |-------|------|---------| | Node.js | npm audit | `npm audit --json` | | Node.js | yarn audit | `yarn audit --json` | | Python | pip-audit | `pip-audit` | | Python | safety | `safety check` | | Docker | trivy | `trivy fs .` | | Docker | hadolint | `hadolint Dockerfile` | | Terraform | tfsec | `tfsec .` | | Terraform | checkov | `checkov -d .` | | Terraform | trivy | `trivy config .` | | K8s | trivy | `trivy config .` | | Shell scripts | shellcheck | `shellcheck <file>` | ## Phase 5: Code Review Analyze the diff for all categories. Be pragmatic—flag likely issues, skip obvious false positives. ### 5.1 Code Quality - Best practices for detected stack - Readability and maintainability - Error handling appropriateness - Test coverage (if tests exist) - Idiomatic patterns - Type safety issues ### 5.2 Codebase Consistency - Match existing patterns in the repo - Naming conventions alignment - File organization consistency - Don't introduce a 10th way of doing something ### 5.3 Security **Manual checks:** - Hardcoded secrets, API keys, passwords, connection strings - SQL injection, XSS, command injection vectors - Path traversal risks - Auth/authz bypasses - Insecure defaults (http vs https, weak crypto) - Sensitive data in logs/errors/URLs - Container: running as root, privileged mode, unverified base images ### 5.4 Bug Detection - Logic errors, off-by-one - Null/undefined handling - Race conditions - Resource leaks (unclosed handles, connections) - Breaking changes to existing APIs ### 5.5 Dependencies - Known vulnerable package versions - Outdated dependencies with security patches - Unpinned versions - Suspicious or typosquatted package names ### 5.6 Performance - N+1 query patterns - Sync operations in async contexts - Unbounded loops/recursion - Memory leaks - Missing pagination - Blocking I/O in hot paths ### 5.7 Deprecations & Drift - Deprecated APIs, functions, patterns - Breaking changes in dependencies - Hardcoded values that should be variables - Environment-specific configs in shared code - Configuration diverging from IaC patterns ## Phase 6: Report Output a succinct markdown report: ```markdown ## PR Review: [brief title] **Problem:** [1-2 sentences on what this PR solves] **Scope:** [staged/branch/commits reviewed] **Stack:** [detected tech stack] ### Scanner Results | Tool | Result | |------|--------| | gitleaks | [clean/N findings] | | ... | ... | ### Findings #### CRITICAL - `file:line` - [issue with brief context] #### HIGH - `file:line` - [issue] #### MEDIUM - `file:line` - [issue] #### LOW - `file:line` - [issue] ### Summary - Critical: X | High: X | Medium: X | Low: X ### Review Score: X/20 [One sentence justification] ### Action Required | Priority | Item | |----------|------| | blocker | ... | | should fix | ... | | consider | ... | ``` ## Rating Scale | Score | Meaning | Action | |-------|---------|--------| | 0-10 | Blocker issues | Reject, needs significant rework | | 11-15 | Acceptable | Merge after addressing fixes | | 16-17 | Good | Ready to merge, suggestions optional | | 18-20 | Excellent | Merge immediately | ## Style Guidelines Keep findings concise but contextual: - Bad: "should use https here" - Good: "http exposes data in transit, use https" - Bad: "fix this null check" - Good: "`user.email` accessed without null check - crashes if user not found" Don't write a 50-page report. Focus on what matters.
Related Skills
workflow-review
Reviews Claude Code sessions and proposes workflow improvements. Use when: (1) /workflow-review command, (2) "review my workflow", "how can I improve", (3) after long sessions when nudged, (4) start of session with pending review. Analyzes tool usage patterns, CLAUDE.md configuration, and compares against CC best practices. Proposes: CLAUDE.md updates, new skills, underused CC features. Saves session summaries to .claude/workflow-reviews/ for cross-session continuity.
voice-mode
Activates voice conversation mode using Pocket TTS Docker container. Use when user says "voice mode", "let's talk", "talk to me", "speak your responses", or wants Claude to respond with spoken audio. Speaks all responses through TTS and plays via speakers.
test-quality
Guides strong, effective unit test generation using proven testing techniques. Use when writing unit tests, reviewing test quality, improving existing tests, generating test cases, checking test coverage strength, or when tests exist but may be weak. Triggers on: unit test, test quality, test coverage, write tests, improve tests, review tests, test strength, mutation testing, boundary testing.
latex-presentation
Creates impressive LaTeX Beamer presentations with modern design. Generates .tex files with theme selection, font pairing, TikZ diagrams, overlays, and best practices. Use for LaTeX slides, Beamer presentations, scaffolding decks, slide design advice, or TikZ diagram generation.
git-commit
Plans and executes git commits with optional TICKET_ID prefix. Analyzes staged changes, proposes optimal commit structure (single or multiple), generates descriptive messages with technical context, and executes after user approval. Use when committing code changes, creating atomic commits, or splitting large changesets.
ctask
Manages tasks using the ctask CLI wrapper over a local SQLite database. Use when tracking work items, creating tasks, managing dependencies, adding comments, labeling, or reviewing task status. Triggers on task tracking, ticket management, work planning, backlog management.
codex
AI peer review via OpenAI Codex CLI. Use when reviewing code changes, validating technical decisions, comparing implementation approaches, or getting a second opinion on architecture choices. Triggers on /codex, /codex-review, or auto-triggers when presenting significant alternatives to user.
codemap
Generate navigational codebase maps with architecture diagrams. Use when mapping a codebase, creating architecture docs, visualizing project structure, generating infrastructure diagrams, understanding repo layout, or onboarding to a new project.
clarice
Conducts realistic mock interviews with detailed feedback and scoring. Use for interview prep, behavioral questions, technical interviews, STAR practice, system design interviews, or interview coaching.
c7
Fetches up-to-date library documentation from Context7 and saves to /tmp/context7/. Use when needing current API docs, code examples, library references, SDK documentation, or checking latest library versions. Triggers: context7, c7, library docs, fetch docs, current documentation, api reference.
caveman-review
Ultra-compressed code review comments. Cuts noise from PR feedback while preserving the actionable signal. Each comment is one line: location, problem, fix. Use when user says "review this PR", "code review", "review the diff", "/review", or invokes /caveman-review. Auto-triggers when reviewing pull requests.
review-skill
Review and improve AI agent skills (SKILL.md files) against best practices from the Agent Skills specification and Anthropic's authoring guidelines. Scores skills on 10 quality dimensions, identifies specific issues, and rewrites problem areas. Use when creating, editing, auditing, or improving agent skills. Triggers on: review skill, improve skill, audit SKILL.md, check skill quality, skill best practices, optimize skill description.