Building a PR Reviewer Skill: Multi-Agent Approach

Code review is one of the most valuable yet time-consuming activities in software development. A thorough review requires examining code from multiple perspectives—security, performance, maintainability, correctness—each requiring different expertise. This makes pull request review a perfect candidate for a multi-agent AI skill.

In this tutorial, we will build a comprehensive PR reviewer that coordinates specialized agents to provide thorough, actionable feedback. By the end, you will have a skill that can analyze pull requests from multiple angles and produce a unified, prioritized review.

What We Are Building

Our PR reviewer skill will:

1. Fetch pull request data from GitHub
2. Dispatch to specialized review agents
3. Coordinate security, performance, and quality analysis
4. Aggregate findings into a unified report
5. Post actionable comments on the PR

The final output will look like:

## PR Review Summary

**Overall Assessment:** Approved with suggestions

### Security: PASS (1 note)
- Info: Consider rate limiting the new endpoint

### Performance: PASS (2 suggestions)
- Suggestion: Cache user preferences query
- Suggestion: Use batch operations for bulk updates

### Code Quality: NEEDS WORK (3 issues)
- Issue: Missing error handling in preference validation
- Issue: No tests for edge cases
- Suggestion: Extract validation logic to separate function

### Recommended Actions
1. Add error handling for validation failures
2. Add test cases for null/empty preferences
3. Consider caching for frequently accessed data

Prerequisites

Before we begin, you should have:

• Understanding of pull request workflows
• Familiarity with GitHub CLI (gh)
• Basic knowledge of multi-agent patterns
• Claude Code installed and configured

Part 1: Architecture Design

Before writing code, let us design our multi-agent architecture.

Agent Roles

We will create four specialized agents:

## Agent Definitions

### 1. Security Reviewer
**Role:** Identify security vulnerabilities and risks
**Focus:**
- Injection vulnerabilities (SQL, XSS, command)
- Authentication/authorization issues
- Data exposure risks
- Insecure dependencies
- Secrets in code

### 2. Performance Reviewer
**Role:** Identify performance issues and optimizations
**Focus:**
- Algorithm complexity
- Database query efficiency
- Memory usage patterns
- Caching opportunities
- Resource leaks

### 3. Quality Reviewer
**Role:** Assess code quality and maintainability
**Focus:**
- Code organization
- Error handling
- Test coverage
- Documentation
- Best practices

### 4. Coordinator
**Role:** Orchestrate agents and synthesize results
**Focus:**
- Dispatch to appropriate agents
- Aggregate findings
- Prioritize issues
- Generate final report

Communication Flow

                        [Coordinator]
                             |
        +--------------------+--------------------+
        |                    |                    |
        v                    v                    v
   [Security]          [Performance]         [Quality]
   [Reviewer]           [Reviewer]          [Reviewer]
        |                    |                    |
        +--------------------+--------------------+
                             v
                      [Report Generator]

Part 2: Building the Coordinator

The coordinator is the main skill that orchestrates everything.

Step 1: Create the Coordinator Skill

Create pr-reviewer.md:

---
name: pr-reviewer
description: Comprehensive PR review using specialized agents
version: 1.0.0
tools:
  - Bash
  - Read
  - Grep
---

# Pull Request Reviewer

Coordinate specialized review agents for comprehensive PR analysis.

## Input

Pull request reference in one of these formats:
- PR number: 123
- PR URL: https://github.com/owner/repo/pull/123
- Current branch with open PR

## Workflow

### Phase 1: Gather PR Data

Use GitHub CLI to fetch PR information:

Get PR details:
gh pr view {pr_number} --json title,body,files,additions,deletions,author

Get changed files:
gh pr diff {pr_number}

Get file list:
gh pr view {pr_number} --json files --jq '.files[].path'

### Phase 2: Analyze Scope

Determine which agents are needed:

1. **Always include:** Quality Reviewer
2. **Include if security-relevant files:**
   - auth/, security/, crypto/
   - Files with passwords, tokens, keys
   - API endpoint changes
3. **Include if performance-relevant:**
   - Database queries
   - Loop operations
   - API calls
   - Large data processing

### Phase 3: Dispatch to Agents

Run applicable agents in parallel for efficiency.

### Phase 4: Aggregate Results

Collect all agent findings and normalize format.

### Phase 5: Generate Report

Create unified report with prioritized action items.

## Output Format

Structured markdown report with:
- Overall assessment
- Section-by-section summary
- Prioritized action items
- Specific line comments

Step 2: Add PR Fetching Logic

## PR Data Collection

### Get Basic Info
Use gh pr view to extract:
- Title and description
- Author information
- Branch names
- File list with change types
- Size metrics

### Get Full Diff
Use gh pr diff for complete diff analysis.

### Handle Large PRs
If PR has more than 20 files or 1000 lines:
1. Focus on most impactful files
2. Summarize others
3. Note that full review was limited

Part 3: Building Specialized Agents

Now let us create each specialized reviewer agent.

Step 3: Security Reviewer Agent

---
name: security-reviewer
description: Reviews code for security vulnerabilities
version: 1.0.0
---

# Security Reviewer Agent

Analyze code changes for security vulnerabilities and risks.

## Focus Areas

### 1. Injection Vulnerabilities

**SQL Injection:**
- String concatenation in SQL queries
- Template literals with user input
- Missing parameterized queries

**XSS (Cross-Site Scripting):**
- Unsafe HTML rendering with user input
- Missing output encoding
- Dynamic content without escaping

**Command Injection:**
- Shell commands with user input
- Process spawning without proper escaping

### 2. Authentication/Authorization

- Missing auth checks on new endpoints
- Inconsistent permission validation
- Session handling issues
- Password handling problems

### 3. Data Exposure

- Sensitive data in logs
- PII in error messages
- Secrets in code
- Unencrypted sensitive storage

### 4. Dependency Risks

- Known vulnerable packages
- Unpinned dependencies
- Suspicious new dependencies

## Output Format

Return findings with severity, location, and recommendations.

Step 4: Performance Reviewer Agent

---
name: performance-reviewer
description: Reviews code for performance issues
version: 1.0.0
---

# Performance Reviewer Agent

Analyze code changes for performance issues and optimization opportunities.

## Focus Areas

### 1. Algorithm Complexity

Identify O(n squared) and worse patterns:
- Nested loops with array searches
- Repeated expensive operations
- Inefficient data structure usage

### 2. Database Queries

Look for N+1 query patterns:
- Queries inside loops
- Missing eager loading
- Inefficient query patterns

### 3. Memory Usage

Check for:
- Large objects in closures
- Unbounded array growth
- Missing cleanup of event listeners

### 4. Caching Opportunities

Identify:
- Repeated expensive computations
- Frequently accessed static data
- API responses that could be cached

## Output Format

Return findings with impact level and suggested improvements.

Step 5: Quality Reviewer Agent

---
name: quality-reviewer
description: Reviews code for quality and maintainability
version: 1.0.0
---

# Quality Reviewer Agent

Analyze code changes for quality, maintainability, and best practices.

## Focus Areas

### 1. Code Organization

- Function length and complexity
- Single responsibility principle
- Clear separation of concerns

### 2. Error Handling

- Unhandled promise rejections
- Missing try/catch in async code
- Swallowed errors
- Informative error messages

### 3. Testing

- New code without tests
- Missing edge case coverage
- Test quality assessment

### 4. Documentation

- Complex functions without comments
- Public APIs without documentation
- Missing README updates

### 5. Best Practices

- Language-specific patterns
- Framework conventions
- Consistent styling

## Output Format

Return findings with priority and improvement suggestions.

Part 4: Implementing Aggregation

The coordinator needs to combine agent outputs effectively.

Step 6: Add Aggregation Logic

## Result Aggregation

### Determine Overall Status

BLOCKED: Any critical security issue
NEEDS_WORK: Any high-severity issue
APPROVED_WITH_SUGGESTIONS: Medium/low issues only
APPROVED: No issues or info-only

### Prioritize Findings

Sort all findings by:
1. Severity (critical > high > medium > low > info)
2. Type (security > quality > performance)
3. Location (same file together)

### Deduplicate

Merge overlapping findings when multiple agents flag the same issue.

### Generate Action Items

Create prioritized list:
1. Must fix (security critical/high)
2. Should fix (quality issues)
3. Consider (performance suggestions)
4. Optional (minor improvements)

Part 5: GitHub Integration

Add the ability to post comments on the PR.

Step 7: Add Comment Posting

## PR Comment Integration

### Post Review Summary
Use gh pr review to post the review with appropriate status.

### Post Line Comments
For specific line feedback, use the GitHub API to add inline comments.

### Set Review Status
Based on findings:
- Approve for clean reviews
- Request changes for blocking issues
- Comment only for suggestions

Part 6: Complete Skill

Here is the complete coordinator skill structure:

---
name: pr-reviewer
description: Comprehensive PR review with specialized agents
version: 2.0.0
tools:
  - Bash
  - Read
  - Grep
arguments:
  - name: pr
    type: string
    required: true
    description: PR number or URL
  - name: post
    type: boolean
    default: false
    description: Post review to GitHub
  - name: focus
    type: string
    default: all
    options: [all, security, performance, quality]
    description: Focus area for review
---

# Pull Request Reviewer

Comprehensive PR review using specialized agents.

## Workflow Overview

1. **Fetch** PR data from GitHub
2. **Dispatch** to specialized agents
3. **Aggregate** findings
4. **Generate** unified report
5. **Post** review (optional)

## Output

Complete review report in markdown format, optionally posted to GitHub.

Testing Your PR Reviewer

Verify everything works together:

## Test Cases

### Test 1: Simple PR
Small PR with few changes.
Expected: Quick, focused review.

### Test 2: Security-Sensitive PR
PR touching auth code.
Expected: Detailed security section.

### Test 3: Performance-Relevant PR
PR with database queries.
Expected: Detailed performance section.

### Test 4: Large PR
PR with many files.
Expected: Summarized review, prioritized issues.

### Test 5: Multi-Issue PR
PR with security, performance, and quality issues.
Expected: All captured, properly prioritized.

Conclusion

You have built a comprehensive PR reviewer that:

1. Coordinates multiple agents for specialized analysis
2. Covers security, performance, and quality perspectives
3. Aggregates and prioritizes findings intelligently
4. Generates actionable review reports
5. Integrates with GitHub for seamless workflow

This skill demonstrates Level 4 multi-agent coordination, showing how specialized agents can work together to produce results beyond what any single agent could achieve.

Key takeaways:

• Design clear agent roles with distinct expertise
• Use parallel execution for independent analysis
• Aggregate thoughtfully with proper prioritization
• Generate actionable, constructive feedback
• Integrate with existing workflows

Your PR reviewer is ready to improve your code review process!