with one click
review-pr
Perform a comprehensive code review of a pull request
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Perform a comprehensive code review of a pull request
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Clean up stale git worktrees with merged branch detection and disk usage report
Safely remove a git worktree with branch cleanup and safety checks
Create isolated git worktrees for feature development without switching branches
Check status of background verification tasks running in a git worktree
Display native sandbox status, configuration, and recent violations
Interactive coach that asks 4-5 questions to determine whether you need an agent, command, skill, hook, or rule, then generates a ready-to-use template. Usage: /scaffold (no arguments needed, starts the coaching session)
| name | review-pr |
| description | Perform a comprehensive code review of a pull request |
| argument-hint | [PR_number|URL] |
| effort | high |
| disable-model-invocation | true |
Perform a comprehensive code review of a pull request.
gh pr view $ARGUMENTS --json title,body,files,additions,deletions## PR Review: #[number] - [title]
### Summary
[1-2 sentence overview]
### Approval Status
[ ] Approved
[ ] Approved with suggestions
[ ] Changes requested
### Findings
#### Critical (Must Fix)
- [ ] [Issue description] - `file:line`
#### Suggestions (Should Consider)
- [ ] [Improvement] - `file:line`
#### Nitpicks (Optional)
- [ ] [Minor suggestion] - `file:line`
### Positive Highlights
- [What's done well]
### Questions
- [Clarifications needed]
/review-pr 123
/review-pr https://github.com/owner/repo/pull/123
For production-grade reviews requiring specialized perspectives and anti-hallucination safeguards.
Before reviewing, check if this is a follow-up pass to avoid repeating suggestions:
# Detect if Claude already reviewed this PR
git log --oneline -10 | grep "Co-Authored-By: Claude"
If detected, note: "This appears to be a follow-up pass. I'll focus on new issues and avoid repeating previous suggestions."
Cross-reference the PR diff against the original plan to catch unintended changes.
# Detect current branch
BRANCH=$(git branch --show-current)
# Search for a plan file associated with this branch
ls ~/.claude/plans/ 2>/dev/null | grep -i "$BRANCH" | head -3
# Files actually changed in this PR
git diff --stat origin/main...HEAD | head -30
If a plan file exists for this branch:
git diff --statOutput format:
SCOPE DRIFT CHECK
─────────────────────────────────────────
Plan scope: [what the plan said would change]
Actual diff: [files actually changed]
Drift: [files changed outside plan scope, if any]
Verdict: IN SCOPE / DRIFT DETECTED
If no plan file exists: note "No plan file found for this branch, skipping scope drift check."
Launch 3 parallel specialized agents (see Split Role Sub-Agents):
Agent 1: Consistency Auditor
Focus: DRY violations, duplicate logic, pattern inconsistencies
Check for:
- Duplicated code blocks (>5 lines similar)
- Inconsistent naming conventions
- Pattern violations (if project uses X pattern, enforce it)
Agent 2: SOLID Principles Analyst
Focus: Single Responsibility Principle violations, complexity
Check for:
- Functions >50 lines (likely doing too much)
- Nested conditionals >3 levels deep
- Cyclomatic complexity >10
- Mixed concerns in single component
Agent 3: Defensive Code Auditor
Focus: Silent failures, masked bugs, hidden fallbacks, LLM output trust boundary
Check for:
- Empty catch blocks: try { } catch (e) { } // swallows error
- Silent fallbacks: return data || DEFAULT // hides missing data
- Unchecked null/undefined: user.name without validation
- Ignored promise rejections: async fn without .catch()
LLM Output Trust Boundary (especially relevant in AI-assisted codebases):
- LLM-generated values (emails, URLs, names, IDs) written to DB or passed to
downstream functions without format validation; add lightweight guards
(email regex, URL parsing, .trim()) before persisting
- Structured tool output (arrays, objects from AI tools) accepted without
type/shape checks before database writes or rendering
- AI-generated SQL or code strings executed without sanitization
Verify before asserting:
Grep or Glob to verify patterns before recommending themOccurrence rule:
Uncertainty markers:
After agents report findings:
🔴 Must Fix (Blockers)
- Security vulnerabilities
- Data loss risks
- Breaking changes without migration
- Silent failures masking bugs
🟡 Should Fix (Improvements)
- SOLID violations causing maintenance issues
- DRY violations (>3 duplicates)
- Performance bottlenecks (N+1 queries)
- Missing error handling for critical paths
🟢 Can Skip (Nice-to-haves)
- Style inconsistencies (if no linter)
- Minor naming improvements
- Overly nested code (if <3 levels)
- Documentation gaps (if code self-documenting)
Determine whether to auto-fix each finding or surface it for user decision.
AUTO-FIX (apply without asking): ASK (needs human judgment):
├─ Dead code / unused variables ├─ Security changes (auth, XSS, injection)
├─ N+1 queries (missing eager loading) ├─ Race conditions
├─ Stale comments contradicting code ├─ Design decisions
├─ Magic numbers → named constants ├─ Large fixes (>20 lines changed)
├─ Missing import / path mismatches ├─ Enum completeness
├─ Variables assigned but never read ├─ Anything removing functionality
└─ Obvious version/doc mismatches └─ User-visible behavior changes
Rule: If a senior engineer would apply the fix in 30 seconds without discussion, it's AUTO-FIX. If reasonable engineers could disagree, it's ASK.
After agents report findings:
For automated convergence:
Review → Identify issues → Fix → Re-review → Repeat until minimal changes
Safeguards:
- Max 3 iterations to prevent infinite loops
- Run tsc/lint check before each iteration
- Skip auto-fix for protected files (package.json, migrations, etc.)
Example prompt:
Review this PR with auto-fix enabled:
1. Review using 3 agents above
2. Fix all 🔴 Must Fix issues
3. Re-review to verify fixes
4. Repeat for 🟡 Should Fix (max 2 more iterations)
5. Stop when only 🟢 Can Skip remain
Load additional context based on diff content (stack-agnostic):
| If diff contains... | Then check... |
|---|---|
| Database queries | Indexes, N+1 patterns, query optimization |
| API endpoints | Auth middleware, input validation, rate limiting |
| Authentication logic | Password hashing, session management, CSRF tokens |
| File uploads | Size limits, MIME validation, storage security |
| Date/time operations | Timezone handling, DST edge cases |
| External API calls | Timeout configs, retry logic, error handling |
| Environment variables | Presence in .env.example, validation at startup |
SE-CoVe Plugin: Use for general fact-checking of review claims (complementary to anti-hallucination rules above)
Worktrunk: For codebase-wide pattern analysis before suggesting changes
AST-grep: For structural pattern matching (e.g., find all similar try/catch blocks)
$ARGUMENTS