I Built a Claude Code Skill That Catches Bugs Before You Merge Them
I kept hitting the same pattern: ask Claude Code to review my PR, it says "looks clean, maybe add some tests," I merge. Then something breaks.
The problem isn't Claude — it's that a single unstructured pass isn't how good code review works. Senior engineers check correctness, then security, then performance, then tests — each as a separate focused pass.
Deep PR Review — 5 Structured Passes
Deep PR Review is a Claude Code skill (one markdown file) that runs 5 structured review passes:
- Correctness — Logic errors, edge cases, race conditions, type safety
- Security — SQL injection, XSS, missing auth, data exposure (OWASP-aligned)
- Performance — N+1 queries, unbounded operations, missing indexes
- Maintainability — Dead code, complexity, naming consistency
- Test Coverage — Specific missing test scenarios (not generic "add tests")
Every finding gets severity + file:line + concrete fix. Output is a structured verdict: APPROVE / REQUEST_CHANGES / NEEDS_DISCUSSION.
Real Bugs Caught
In a 45-line Express endpoint that passed a quick review:
- SQL injection via string interpolation
- No auth middleware — any user can search
- LIKE '%query%' = full table scan on every request
- No input validation on limit parameter
- Zero test coverage
Install in 30 Seconds
mkdir -p .claude/skills
cp deep-pr-review.md .claude/skills/
That's it. Works with any language.
$19 on Polar: https://buy.polar.sh/polar_cl_KzwbRqVqMgarD3NrOc00TYmKB3vwAJjKDq5be2HB7ym?utm_source=devto&utm_medium=post&utm_campaign=launch
Landing page: https://dpr.atlas1m.com
