
PR Review Expert

Blast radius analysis, security scan, and coverage delta for PRs.


Real Conversations

See how the PR Review Expert skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

Review PR #847 — it adds a new POST /api/payments/refund endpoint. 312 lines changed across 8 files. The diff touches src/routes/payments.ts, src/services/refund.service.ts, src/db/transactions.model.ts, and 5 test files.

Agent

PR Review: Add refund endpoint (#847)

Blast Radius: HIGH. transactions.model.ts is imported by 7 other services
Security: 2 findings (1 critical, 1 medium)
Tests: Coverage delta +4% — new endpoint has tests
Breaking Changes: None detected


MUST FIX (Blocking)

[CRITICAL] Missing authorization check on refund endpoint

grep -n "middleware\|authorize\|requireRole" src/routes/payments.ts
# Line 23: router.post('/refund', refundController.create) — no auth middleware

The create charge endpoint at line 8 has requireRole('admin') — this refund endpoint is missing it entirely. Any authenticated user could issue a refund.

Fix:

router.post('/refund', requireRole('admin'), refundController.create)

[CRITICAL] Refund amount not validated against original charge

src/services/refund.service.ts:67: amount comes directly from request body with no check that amount <= originalCharge.amount. A malicious request with amount: 99999 would attempt to refund more than was charged.


SHOULD FIX (Non-blocking)

[MEDIUM] DB migration adds NOT NULL column without default

src/db/migrations/20260309_add_refund_reason.sql adds reason TEXT NOT NULL — this will fail on existing rows. Add DEFAULT '' or make it nullable.

[MEDIUM] Refund service doesn't handle idempotency

No idempotency key check — submitting the same refund request twice will create two refunds. Add idempotency_key uniqueness check.


LOOKS GOOD

  • 5 test files cover happy path and Stripe API failure cases
  • Structured error responses consistent with rest of codebase
  • DB transaction wraps the refund + ledger entry atomically
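The three fixes the review above asks for (admin-only route, amount validated against the original charge, idempotency key) applied together in one refund handler, as an added example that is not code from the page or from the reviewed project. The names requireRole, RefundService and the request shape are assumptions chosen to mirror the review, and the in-memory maps stand in for transactions.model.ts. The balance check goes a step beyond the review's amount <= originalCharge.amount by subtracting refunds already issued, so several partial refunds cannot add up to more than the charge.

```typescript
// Added example, not code from the page or the reviewed project. The names
// (requireRole, RefundService, the request shape) are assumptions chosen to
// mirror the review; amounts are integer minor units (cents).

type Role = 'admin' | 'support' | 'customer';

interface Charge {
  id: string;
  amount: number; // original charge, minor units
}

interface Refund {
  id: string;
  chargeId: string;
  amount: number;
  idempotencyKey: string;
}

// Minimal request shape: what an auth middleware and a JSON body parser
// would leave on req. Header names are lowercased, as Node does.
interface RefundRequest {
  user: { id: string; role: Role };
  headers: Record<string, string | undefined>;
  body: { chargeId?: unknown; amount?: unknown; reason?: unknown };
}

type RefundResult =
  | { status: 200 | 201; refund: Refund }
  | { status: 400 | 403 | 404 | 409; error: string };

// Same gate the review says the create-charge route already uses.
function requireRole(role: Role) {
  return (req: RefundRequest): boolean => req.user.role === role;
}

// In-memory stand-in for transactions.model.ts (constructed data). In the
// real service the idempotency lookup and the refunded-total query must run
// inside the same DB transaction as the insert, with a unique index on
// idempotency_key, or two concurrent retries can still both pass the checks.
class RefundService {
  private charges = new Map<string, Charge>();
  private refunds: Refund[] = [];
  private byKey = new Map<string, Refund>();
  private nextId = 1;

  constructor(charges: Charge[]) {
    for (const c of charges) this.charges.set(c.id, c);
  }

  // Total already refunded against a charge. The review asks only for
  // amount <= originalCharge.amount; checking the remaining balance also
  // stops several partial refunds from adding up to more than the charge.
  refundedTotal(chargeId: string): number {
    return this.refunds
      .filter((r) => r.chargeId === chargeId)
      .reduce((sum, r) => sum + r.amount, 0);
  }

  create(req: RefundRequest): RefundResult {
    // [CRITICAL] missing authorization: reject before touching the body.
    if (!requireRole('admin')(req)) {
      return { status: 403, error: 'admin role required' };
    }

    // [CRITICAL] untrusted amount: validate type, sign and balance.
    const { chargeId, amount } = req.body;
    if (typeof chargeId !== 'string') {
      return { status: 400, error: 'chargeId required' };
    }
    if (typeof amount !== 'number' || !Number.isInteger(amount) || amount <= 0) {
      return { status: 400, error: 'amount must be a positive integer' };
    }
    const charge = this.charges.get(chargeId);
    if (!charge) return { status: 404, error: 'charge not found' };

    // [MEDIUM] idempotency: a retried request returns the original refund
    // (checked before the balance, so a replay still succeeds after the
    // balance has moved); the same key with a different body is a client
    // bug, so it is rejected rather than silently honoured.
    const key = req.headers['idempotency-key'];
    if (!key) return { status: 400, error: 'Idempotency-Key header required' };
    const prior = this.byKey.get(key);
    if (prior) {
      if (prior.chargeId !== chargeId || prior.amount !== amount) {
        return { status: 409, error: 'Idempotency-Key reused with a different request' };
      }
      return { status: 200, refund: prior };
    }

    const remaining = charge.amount - this.refundedTotal(chargeId);
    if (amount > remaining) {
      return { status: 400, error: `amount exceeds refundable balance of ${remaining}` };
    }

    const refund: Refund = { id: `re_${this.nextId++}`, chargeId, amount, idempotencyKey: key };
    this.refunds.push(refund);
    this.byKey.set(key, refund);
    return { status: 201, refund };
  }
}
```

The order of the checks is the point: authorization runs before the body is looked at, the amount is validated before any lookup, and the idempotency check runs before the balance check so a retried request returns the original refund instead of failing once earlier refunds have reduced the balance. The in-memory map does nothing against two concurrent retries; in the real service that guarantee has to come from the unique index on idempotency_key inside the same transaction that the review notes already wraps the refund and ledger entry.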

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Best: Claude Opus 4.8, Claude Sonnet 4, GPT-4.1, Gemini 2.5 Pro, Grok 3, Kimi K2
Good: Claude Haiku 4.5, GPT-4.1 mini, Gemini 2.5 Flash, Grok 3 mini

Larger models produce more detailed, production-ready outputs.

Context Window

This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.

8K: skill only
32K+: skill + conversation
100K+: skill + references + codebase

All current frontier models support 100K+ context.

Pro tips for best results

1. Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2. Share constraints

Compliance needs, team size, and existing stack all improve the output.

3. Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4. Combine skills

Pair with companion skills below for end-to-end coverage.

Ready to try PR Review Expert?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.

