Claude Code reviews PRs if you ask, but the output is shallow — one pass, surface-level findings, generic test advice. It misses the systematic coverage a disciplined reviewer provides.
I built Deep PR Review — a Claude Code skill (a single markdown file) that forces 5 sequential review passes:
The 5 Passes
1. Correctness
Logic errors, edge cases, race conditions, type safety issues.
2. Security (OWASP-aligned)
Injection flaws, auth/authz gaps, data exposure, XSS.
3. Performance
N+1 queries, missing indexes, unbounded operations, full table scans.
4. Maintainability
Complexity, dead code, naming consistency, pattern violations.
5. Test Coverage
Specific missing test scenarios — not generic "add tests" advice.
What You Get
Every finding includes:
- Severity (critical / high / medium / low)
- Exact file + line number
- What is wrong
- How to fix it
Output is a structured verdict: APPROVE, REQUEST_CHANGES, or NEEDS_DISCUSSION.
Real Example
A 45-line Express endpoint that passed a standard "review this" prompt had 7 actionable findings when run through Deep PR Review:
- SQL injection via string interpolation in the query
- No auth middleware (any user could search)
- `LIKE %query%` causing full table scans
- No input validation on the `limit` parameter
- Missing rate limiting
- No error handling for database failures
- Zero test coverage
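To make the findings above concrete, here is an added example that is not part of the original post or the Deep PR Review package: the weak query-building pattern for a search endpoint beside a hardened Express-style handler that addresses each listed item (parameterised query, prefix match instead of a leading wildcard, `limit` validation, auth middleware, rate limiting, and error handling). All names (`buildSearchSqlUnsafe`, `makeSearchHandler`, `fakeDb`, `SAMPLE_USERS`, `runSearch`) are this example's own assumptions, and the database client and response object are constructed stand-ins so the chain runs without Express installed.

```javascript
// Added example, not code from the post or the Deep PR Review package. Names and
// the in-memory database/response stand-ins are this example's assumptions.

// The pattern a review should flag: user input interpolated into SQL text.
function buildSearchSqlUnsafe(q, limit) {
  return `SELECT id, name FROM users WHERE name LIKE '%${q}%' LIMIT ${limit}`;
}

const MAX_LIMIT = 100;
// `limit` must be a positive integer no larger than MAX_LIMIT; anything else
// is rejected rather than forwarded to the database.
function parseLimit(raw, fallback = 20) {
  if (raw === undefined) return fallback;
  if (typeof raw !== 'string' || !/^\d{1,3}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= 1 && n <= MAX_LIMIT ? n : null;
}

// Escape LIKE metacharacters so the user supplies text, not a pattern.
function escapeLike(s) {
  return s.replace(/[\\%_]/g, (c) => '\\' + c);
}

// Parameterised query: term and limit are bind values, never SQL text. A
// prefix pattern (`term%`) can use an index on `name`; `%term%` cannot.
function buildSearchSql(q, limit) {
  return {
    text: "SELECT id, name FROM users WHERE name LIKE $1 ESCAPE '\\' LIMIT $2",
    params: [escapeLike(q) + '%', limit],
  };
}

// Auth middleware: relies on an upstream authenticator having set req.user.
function requireAuth(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'authentication required' });
  next();
}

// Fixed-window rate limit per user, in memory (assumed: 60 requests/minute).
const WINDOW_MS = 60000, MAX_PER_WINDOW = 60, windows = new Map();
function rateLimit(req, res, next) {
  const now = Date.now(), w = windows.get(req.user.id);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(req.user.id, { start: now, count: 1 });
    return next();
  }
  if (++w.count > MAX_PER_WINDOW) return res.status(429).json({ error: 'too many requests' });
  next();
}

// Handler factory; `db.query(text, params)` resolves to rows or rejects.
function makeSearchHandler(db) {
  return async function search(req, res) {
    const q = typeof req.query.q === 'string' ? req.query.q.trim() : '';
    if (q.length === 0 || q.length > 64) return res.status(400).json({ error: 'q must be 1-64 characters' });
    const limit = parseLimit(req.query.limit);
    if (limit === null) return res.status(400).json({ error: `limit must be 1-${MAX_LIMIT}` });
    const { text, params } = buildSearchSql(q, limit);
    try {
      return res.status(200).json({ results: await db.query(text, params) });
    } catch (err) {
      console.error('search failed:', err.message); // detail stays server-side
      return res.status(500).json({ error: 'internal error' });
    }
  };
}

// Constructed stand-in for a database client: refuses unparameterised text and
// does a prefix match over sample rows.
const SAMPLE_USERS = [{ id: 1, name: 'alice' }, { id: 2, name: 'alicia' }, { id: 3, name: 'bob' }];
const fakeDb = {
  async query(text, params) {
    if (!text.includes('$1')) throw new Error('unparameterised query');
    const prefix = params[0].slice(0, -1).replace(/\\([\\%_])/g, '$1');
    return SAMPLE_USERS.filter((u) => u.name.startsWith(prefix)).slice(0, params[1]);
  },
};

// Minimal stand-in for Express's res so the chain runs without Express.
function mockRes() {
  const res = { statusCode: null, body: null };
  res.status = (c) => Object.assign(res, { statusCode: c });
  res.json = (b) => Object.assign(res, { body: b });
  return res;
}

// Run auth -> rate limit -> handler for one request; returns the response.
async function runSearch(req, db = fakeDb) {
  const res = mockRes();
  for (const mw of [requireAuth, rateLimit]) {
    let passed = false;
    mw(req, res, () => { passed = true; });
    if (!passed) return res;
  }
  await makeSearchHandler(db)(req, res);
  return res;
}
```

In a real app the pieces mount as `app.get('/search', requireAuth, rateLimit, makeSearchHandler(pool))`; the in-memory window map would be replaced by a shared store, and the `$1`/`ESCAPE '\'` syntax assumes a PostgreSQL-style driver.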
Why It Works
The insight is simple: Claude already knows how to check for all of this. Without structure, it optimizes for a fast, helpful response. With the skill protocol, it is forced to do 5 complete passes and cannot skip the uncomfortable findings.
Install
cp deep-pr-review.md .claude/skills/
That is it. One file. Works with any language.
Get It
$19 on Polar: Deep PR Review
MIT-licensed. You are paying for the structured protocol, the ready-to-use package, and the examples.
Happy to answer questions or discuss the approach in the comments.