What it does
PR Review Assistant reads your pull request diff end to end and produces a structured review covering four dimensions: correctness bugs, security vulnerabilities, performance concerns, and code style alignment with your existing patterns. For each issue found, it generates a comment that includes the file path, line reference, a clear description of the problem, and a concrete suggested fix — formatted to paste directly into a GitHub review or post via the API.
The security check covers common vulnerability classes including SQL injection risks, unvalidated user input flowing into shell commands, hardcoded credentials, exposed secrets in environment variable handling, unsafe deserialization, and insecure direct object references. The skill is language-agnostic and has been tested with TypeScript, Python, Go, Rust, Ruby, Java, and PHP codebases of varying sizes.
How to install
npx skills add user/pr-review-assistant
After installation the skill is available immediately. No GitHub token configuration is required for local diff review — provide a token only if you want the skill to post comments directly to your repository via the GitHub API.
How to use
Point Claude at your current branch diff or paste in a diff file path:
Review my current branch diff against main for bugs and security issues
The output is a structured review with categorized findings:
## Security — HIGH File: src/api/users.ts · Line 84 User ID from request params is passed directly to a raw SQL query without parameterization. This is a SQL injection vector. Suggested fix: db.query('SELECT * FROM users WHERE id = $1', [req.params.id]) ## Style — LOW File: src/utils/format.ts · Line 12 Function lacks a return type annotation; rest of codebase uses explicit types. Add `: string` to match existing conventions.
Configuration
Control the review scope and output format with inline options:
# Security-only review Review my diff, security issues only, severity HIGH and CRITICAL # Exclude test files Review my diff, skip test files, focus on src/ # GitHub-ready format Review my diff and format output as GitHub review comments JSON
Tip: Run PR Review Assistant as a pre-merge step in your local workflow before pushing. Catching a SQL injection locally takes seconds; catching it post-merge takes days of incident response.
Related skills
Use Smart Git Commit to ensure your commit history is clean before opening a PR. Pair with Code Documentor to auto-document any new functions discovered during the review, and Test Generator to produce test cases for uncovered code paths the reviewer flagged.