PR Review Expert
Blast radius analysis, security scan, and coverage delta for PRs.
Real Conversations
See how the PR Review Expert skill responds to actual requests. These are representative examples of what your AI agent will produce.
Review PR #847 — it adds a new POST /api/payments/refund endpoint. 312 lines changed across 8 files. The diff touches src/routes/payments.ts, src/services/refund.service.ts, src/db/transactions.model.ts, and 5 test files.
PR Review: Add refund endpoint (#847)
Blast Radius: HIGH — transactions.model.ts is imported by 7 other services
Security: 2 findings (1 critical, 1 medium)
Tests: Coverage delta +4% — new endpoint has tests
Breaking Changes: None detected
MUST FIX (Blocking)
[CRITICAL] Missing authorization check on refund endpoint
grep -n "middleware\|authorize\|requireRole" src/routes/payments.ts
# Line 23: router.post('/refund', refundController.create) — no auth middleware
The create charge endpoint at line 8 has requireRole('admin') — this refund endpoint is missing it entirely. Any authenticated user could issue a refund.
Fix:
router.post('/refund', requireRole('admin'), refundController.create)
[CRITICAL] Refund amount not validated against original charge
src/services/refund.service.ts:67 — amount comes directly from request body with no check that amount <= originalCharge.amount. A malicious request with amount: 99999 would attempt to refund more than was charged.
SHOULD FIX (Non-blocking)
[MEDIUM] DB migration adds NOT NULL column without default
src/db/migrations/20260309_add_refund_reason.sql adds reason TEXT NOT NULL — this will fail on existing rows. Add DEFAULT '' or make it nullable.
[MEDIUM] Refund service doesn't handle idempotency
No idempotency key check — submitting the same refund request twice will create two refunds. Add idempotency_key uniqueness check.
LOOKS GOOD
- 5 test files cover happy path and Stripe API failure cases
- Structured error responses consistent with rest of codebase
- DB transaction wraps the refund + ledger entry atomically
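The two blocking findings above, worked as one self-contained TypeScript handler. This is an added example, not code from PR #847 or from the skill; the types, the `createRefund` function and the in-memory arrays standing in for the transactions model and the database are all assumed.

```typescript
// Added example (not the PR's code): a refund handler covering the blocking
// findings above: admin-only access, amount bounded by what is still
// refundable on the original charge, and idempotency-key replay. Names assumed.
type Role = 'admin' | 'support';
interface User { id: string; roles: Role[] }
interface Charge { id: string; amount: number } // minor units, e.g. cents
interface RefundRequest { chargeId: string; amount: unknown; idempotencyKey: string }
interface Refund { id: string; chargeId: string; amount: number; idempotencyKey: string }
type Outcome =
  | { status: 200 | 201; refund: Refund }
  | { status: 400 | 403 | 404 | 422; error: string };

// Stand-in for the requireRole('admin') middleware the charge endpoint already uses.
function requireRole(user: User, role: Role): boolean {
  return user.roles.includes(role);
}

function createRefund(
  user: User, req: RefundRequest, charges: Charge[], refunds: Refund[],
): Outcome {
  if (!requireRole(user, 'admin')) return { status: 403, error: 'admin role required' };
  // Idempotency: a replayed key returns the existing refund instead of creating a second one.
  const replay = refunds.find(r => r.idempotencyKey === req.idempotencyKey);
  if (replay) return { status: 200, refund: replay };
  const charge = charges.find(c => c.id === req.chargeId);
  if (!charge) return { status: 404, error: 'unknown charge' };
  // amount comes from the request body: type- and range-check it before any arithmetic.
  const amount = req.amount;
  if (typeof amount !== 'number' || !Number.isInteger(amount) || amount <= 0) {
    return { status: 400, error: 'amount must be a positive integer' };
  }
  // Cap by the unrefunded remainder, not just charge.amount, so partial
  // refunds cannot add up to more than was charged.
  const refundable = charge.amount - refunds
    .filter(r => r.chargeId === charge.id)
    .reduce((sum, r) => sum + r.amount, 0);
  if (amount > refundable) {
    return { status: 422, error: `amount exceeds refundable balance of ${refundable}` };
  }
  const refund: Refund = {
    id: `re_${refunds.length + 1}`, chargeId: charge.id, amount, idempotencyKey: req.idempotencyKey,
  };
  refunds.push(refund); // stands in for the DB insert under a UNIQUE(idempotency_key) constraint
  return { status: 201, refund };
}
```

In the real service the replay lookup and the insert must run inside the same DB transaction the review already praises, so two concurrent requests with the same key cannot both pass the `find` before either row exists.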
Get Started
How to install and use this skill in your preferred environment.
Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase.
Models & Context
Which AI models and context windows work best with this skill.
Recommended Models
Larger models produce more detailed, production-ready outputs.
Context Window
This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.
All current frontier models support 100K+ context.
Pro tips for best results
Be specific
Include numbers — users, budget, RPS — so the skill can size the architecture.
Share constraints
Compliance needs, team size, and existing stack all improve the output.
Iterate
Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.
Combine skills
Pair with companion skills below for end-to-end coverage.
Ready to try PR Review Expert?
Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.