# Review Prisma Patterns
This skill performs systematic code review of Prisma usage, catching critical violations, security vulnerabilities, and performance anti-patterns identified through comprehensive stress testing of AI coding agents.
<role>
This skill systematically reviews Prisma codebases for 7 critical violation categories that cause production failures, security vulnerabilities, and performance degradation. It is based on real-world failures found in 5 AI agents producing 30 violations during stress testing.
</role>

<when-to-activate>
This skill activates when:
- User requests code review of Prisma-based projects
- Performing a security audit on database operations
- Investigating production issues (connection exhaustion, SQL injection, performance)
- Pre-deployment validation of Prisma code
- Working with files containing @prisma/client imports
</when-to-activate>

<overview>
The review checks for critical issues across 7 categories:
- Multiple PrismaClient Instances (80% of agents failed)
- SQL Injection Vulnerabilities (40% of agents failed)
- Missing Serverless Configuration (60% of agents failed)
- Deprecated Buffer API (Prisma 6 breaking change)
- Generic Error Handling (Missing P-code checks)
- Missing Input Validation (No Zod/schema validation)
- Inefficient Queries (Offset pagination, missing select optimization)

Each violation includes a severity rating, remediation steps, and a reference to the detailed Prisma 6 skills.
</overview>
<workflow>
## Standard Review Workflow

### Phase 1: Discovery

1. Find all Prisma usage:
   - Search for @prisma/client imports
   - Identify PrismaClient instantiation
   - Locate raw SQL operations
2. Identify project context:
   - Check for serverless deployment (vercel.json, lambda/, app/ directory)
   - Detect TypeScript vs JavaScript
   - Find schema.prisma location

### Phase 2: Critical Issue Detection

Run validation checks in order of severity:
- CRITICAL: SQL Injection (P0 - Security vulnerability)
- CRITICAL: Multiple PrismaClient (P0 - Connection exhaustion)
- HIGH: Serverless Misconfiguration (P1 - Production failures)
- HIGH: Deprecated Buffer API (P1 - Runtime errors)
- MEDIUM: Generic Error Handling (P2 - Poor UX)

### Phase 3: Report Generation

- Group findings by severity
- Provide file path + line number
- Include code snippet
- Reference remediation skill
- Estimate impact (Low/Medium/High/Critical)
</workflow>
<validation-checks>
### P0 - CRITICAL (Must fix before deployment)

1. SQL Injection Detection

```bash
# Raw-string SQL entry points; inspect each hit for a string built at runtime
grep -rn "\$queryRawUnsafe\|Prisma\.raw" --include="*.ts" --include="*.js" .
```

Red flag: String concatenation with user input
Fix: Use $queryRaw tagged template

2. Multiple PrismaClient Instances

```bash
# Match the constructor with or without an options object, then count the sites;
# the singleton module's own instantiation is one of the hits, so verify each site
grep -rn "new PrismaClient(" --include="*.ts" --include="*.js" . | wc -l
```

Red flag: Count > 1
Fix: Global singleton pattern
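Why the recommended fix works, as an added example that is neither part of this skill nor Prisma's own code: a minimal `sql` tag function that mirrors what `$queryRaw` does with a template literal (literal pieces stay SQL text, interpolated values become positional parameters), shown beside the concatenation pattern the P0 check flags. The names `sql`, `unsafeLookup`, `safeLookup` and the `sortColumn` allow-list helper are assumptions; the `$1` placeholder style is PostgreSQL's.

```typescript
// Added example, not Prisma's code: a stand-in tag function that mirrors what
// $queryRaw does with a template literal, beside the concatenation pattern the
// P0 check flags. Placeholder style ($1, $2) follows PostgreSQL.

interface ParameterizedQuery {
  text: string;      // SQL sent to the server, containing placeholders only
  values: unknown[]; // user data, transported separately and never parsed as SQL
}

// Tagged template: the literal pieces stay SQL text; every interpolated value
// becomes the next positional parameter, whatever characters it contains.
function sql(strings: TemplateStringsArray, ...values: unknown[]): ParameterizedQuery {
  let text = strings[0] ?? "";
  values.forEach((_, i) => {
    text += `$${i + 1}` + (strings[i + 1] ?? "");
  });
  return { text, values };
}

// The flagged pattern: one string is assembled in JavaScript, so the value can
// change the statement's structure before the database ever sees it.
function unsafeLookup(name: string): string {
  return `SELECT id FROM "User" WHERE name = '${name}'`;
}

// The remediation: the same query through the tag function.
function safeLookup(name: string): ParameterizedQuery {
  return sql`SELECT id FROM "User" WHERE name = ${name}`;
}

// Parameters cannot carry identifiers (a column name would arrive as a quoted
// string), which is the usual reason code reaches for Prisma.raw. Gate that
// path with an allow-list instead of trusting the caller. Hypothetical helper.
const SORTABLE_COLUMNS = ["name", "createdAt"] as const;
function sortColumn(requested: string): string {
  if (!(SORTABLE_COLUMNS as readonly string[]).includes(requested)) {
    throw new Error(`unsupported sort column: ${requested}`);
  }
  return requested; // now safe to splice into SQL text
}

const probe = "alice' OR '1'='1"; // constructed input
console.log(unsafeLookup(probe)); // WHERE clause structure has changed
console.log(safeLookup(probe));   // { text: '... name = $1', values: [probe] }
```

Run it with tsx or ts-node: the first console line shows the concatenated statement whose WHERE clause no longer means what the author wrote, the second shows the parameterized form in which the same input only ever arrives as a value. Dynamic column or table names are the case that tempts code toward `$queryRawUnsafe` and `Prisma.raw`; an allow-list such as `sortColumn` keeps that escape hatch bounded.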
### P1 - HIGH (Fix before production)

3. Missing Serverless Configuration

```bash
# No output in a serverless project means the connection pool is uncapped
grep -rn "connection_limit=1" --include="*.env*" .
```

Red flag: No connection_limit in serverless app
Fix: Add ?connection_limit=1 to DATABASE_URL

4. Deprecated Buffer API

```bash
# Buffer.from on a line that also mentions a bytes field or variable
grep -rn "Buffer\.from" --include="*.ts" --include="*.js" . | grep -i "bytes"
```

Red flag: Buffer usage with Prisma Bytes fields
Fix: Use Uint8Array instead

See references/validation-checks.md for complete validation patterns with examples.
</validation-checks>
### Step 1: Find Prisma Files

```bash
find . -type f \( -name "*.ts" -o -name "*.js" \) -exec grep -l "@prisma/client" {} \;
```

### Step 2: Run All Checks

Execute checks in severity order (P0 → P3):
- SQL Injection check
- Multiple PrismaClient check
- Serverless configuration check
- Deprecated Buffer API check
- Error handling check
- Input validation check
- Query efficiency check
### Step 3: Generate Report

Format:

```
Prisma Code Review - [Project Name]
Generated: [timestamp]

CRITICAL Issues (P0): [count]
HIGH Issues (P1): [count]
MEDIUM Issues (P2): [count]
LOW Issues (P3): [count]

---

[P0] SQL Injection Vulnerability
File: src/api/users.ts:45
Impact: CRITICAL - Enables SQL injection attacks
Fix: Use $queryRaw tagged template
Reference: @prisma-6/SECURITY-sql-injection

[P0] Multiple PrismaClient Instances
Files: src/db.ts:3, src/api/posts.ts:12
Count: 3 instances found
Impact: CRITICAL - Connection pool exhaustion
Fix: Use global singleton pattern
Reference: @prisma-6/CLIENT-singleton-pattern
```
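The three steps above as runnable detection logic, added here as an example rather than code shipped with the skill: `reviewProject` applies the P0 and P1 checks to constructed sample sources held in memory, `formatReport` prints the findings in the report format, and the constructed `SAMPLE` project contains one deliberate instance of each violation next to a correct global singleton. It widens Step 1 slightly: a module that imports the shared client from `src/db.ts` contains no `@prisma/client` string, so the scan also admits files that call a `prisma.` client. All function names, the sample file contents and the `.env` value are assumptions; no Prisma package is required to run it.

```typescript
// Added example (not part of the original skill): a dependency-free TypeScript
// implementation of the P0/P1 checks and report format above, run over
// constructed sample sources held in memory. No Prisma package is needed.

type Severity = "P0" | "P1";
// line is 1-based, like grep -n
interface Finding { severity: Severity; title: string; file: string; line: number; snippet: string; impact: string; fix: string; }
// files: path -> source text; env: .env contents; serverless: vercel.json, lambda/ or app/ was found
interface Project { files: Record<string, string>; env: string; serverless: boolean; }

// Files that import @prisma/client OR call a `prisma.` client; the import
// filter alone misses modules that import the shared singleton from src/db.ts.
const PRISMA_USAGE = /@prisma\/client|\bprisma\.\$?\w+/;
const UNSAFE_RAW = /\$(?:queryRawUnsafe|executeRawUnsafe)\s*\(|Prisma\.raw\s*\(/;
const DYNAMIC_STRING = /\$\{|\+\s*[\w"'`]/; // template interpolation or concatenation
const NEW_CLIENT = /new PrismaClient\s*\(/;
const SINGLETON_FALLBACK = /\?\?|\|\|/;      // e.g. globalThis.prisma ?? new PrismaClient()
const BUFFER_FROM = /Buffer\.from\s*\(/;

function reviewProject(p: Project): { reviewed: string[]; findings: Finding[] } {
  const findings: Finding[] = [];
  const reviewed = Object.keys(p.files).filter((f) => PRISMA_USAGE.test(p.files[f] ?? ""));
  const clientSites: { file: string; line: number; text: string }[] = [];
  for (const file of reviewed) {
    (p.files[file] ?? "").split("\n").forEach((text, i) => {
      const line = i + 1, snippet = text.trim();
      // P0: a raw-string SQL API fed a string assembled at runtime
      if (UNSAFE_RAW.test(text) && DYNAMIC_STRING.test(text)) {
        findings.push({ severity: "P0", title: "SQL Injection Vulnerability", file, line, snippet,
          impact: "CRITICAL - Enables SQL injection attacks", fix: "Use $queryRaw tagged template" });
      }
      if (NEW_CLIENT.test(text)) clientSites.push({ file, line, text });
      // P1: Buffer built for a Bytes field (the skill's "bytes on the same line" heuristic)
      if (BUFFER_FROM.test(text) && /bytes/i.test(text)) {
        findings.push({ severity: "P1", title: "Deprecated Buffer API", file, line, snippet,
          impact: "HIGH - Prisma 6 uses Uint8Array for Bytes fields", fix: "Use Uint8Array instead" });
      }
    });
  }
  // P0: more than one instantiation. The single line that falls back to a cached
  // instance (?? or ||) is the intended global singleton and is not reported.
  const singletons = clientSites.filter((s) => SINGLETON_FALLBACK.test(s.text));
  if (clientSites.length > 1) {
    for (const s of clientSites) {
      if (singletons.length === 1 && s === singletons[0]) continue;
      findings.push({ severity: "P0", title: `Multiple PrismaClient Instances (${clientSites.length} found)`,
        file: s.file, line: s.line, snippet: s.text.trim(),
        impact: "CRITICAL - Connection pool exhaustion", fix: "Use global singleton pattern" });
    }
  }
  // P1: serverless deployment whose DATABASE_URL does not cap the pool
  if (p.serverless && !/connection_limit=/.test(p.env)) {
    findings.push({ severity: "P1", title: "Missing Serverless Configuration", file: ".env", line: 1,
      snippet: p.env.split("\n")[0] ?? "", impact: "HIGH - Every invocation opens its own pool",
      fix: "Add ?connection_limit=1 to DATABASE_URL" });
  }
  const rank: Record<Severity, number> = { P0: 0, P1: 1 };
  findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
  return { reviewed, findings };
}

function formatReport(project: string, r: ReturnType<typeof reviewProject>): string {
  const count = (s: Severity) => r.findings.filter((f) => f.severity === s).length;
  const out = [`Prisma Code Review - ${project}`, `Files reviewed: ${r.reviewed.length}`,
    `CRITICAL Issues (P0): ${count("P0")}`, `HIGH Issues (P1): ${count("P1")}`, "---"];
  for (const f of r.findings) {
    out.push(`[${f.severity}] ${f.title}`, `File: ${f.file}:${f.line}`, `  ${f.snippet}`,
      `Impact: ${f.impact}`, `Fix: ${f.fix}`, "");
  }
  return out.join("\n");
}

// Constructed sample project: one proper singleton, one stray client, one
// interpolated raw query, one Buffer for a Bytes column, no connection_limit.
const SAMPLE: Project = {
  serverless: true,
  env: 'DATABASE_URL="postgresql://app:app@db.internal:5432/app"',
  files: {
    "src/db.ts": [
      'import { PrismaClient } from "@prisma/client";',
      'const g = globalThis as unknown as { prisma?: PrismaClient };',
      'export const prisma = g.prisma ?? new PrismaClient();',
    ].join("\n"),
    "src/api/users.ts": [
      'import { prisma } from "../db";',
      'export const byName = (name: string) => prisma.$queryRawUnsafe(`SELECT * FROM "User" WHERE name = \'${name}\'`);',
    ].join("\n"),
    "src/api/posts.ts": 'import { PrismaClient } from "@prisma/client";\nconst prisma = new PrismaClient();',
    "src/api/files.ts": [
      'import { prisma } from "../db";',
      'export const save = (id: string, bytes: string) => prisma.file.update({ where: { id }, data: { body: Buffer.from(bytes, "base64") } });',
    ].join("\n"),
    "src/util/strings.ts": 'export const banner = "no database access here";',
  },
};

console.log(formatReport("sample-app", reviewProject(SAMPLE)));
```

The singleton handling is the part worth copying into a real scan: the page's count-based rule fires on the singleton module itself, so the example exempts exactly one `??`/`||` fallback line and reports every other construction site, which keeps the "count > 1" rule while removing the obvious false positive. Everything else is a line-level heuristic in the same spirit as the grep commands and still needs the manual verification the skill requires before a finding is reported.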
Provide structured review with:

Summary:
- Total files reviewed
- Issues by severity (P0/P1/P2/P3)
- Overall assessment (Pass/Needs Fixes/Critical Issues)

Detailed Findings (for each issue):
- Severity badge ([P0] CRITICAL, [P1] HIGH, etc.)
- Issue title
- File path and line number
- Code snippet (5 lines context)
- Impact explanation
- Specific remediation steps
- Reference to detailed skill

Remediation Priority:
- P0 issues must be fixed before deployment
- P1 issues should be fixed before production
- P2 issues improve code quality
- P3 issues optimize performance
MUST:
- Check all 7 critical issue categories
- Report findings with file path + line number
- Include code snippets for context
- Reference specific Prisma 6 skills for remediation
- Group by severity (P0 → P3)

SHOULD:
- Prioritize P0 (CRITICAL) issues first
- Provide specific fix recommendations
- Estimate impact of each violation
- Consider project context (serverless vs traditional)

NEVER:
- Skip P0 security checks
- Report false positives without verification
- Recommend fixes without testing patterns
- Ignore serverless-specific issues in serverless projects
<progressive-disclosure>
For detailed information on specific topics:
- Validation Checks: See references/validation-checks.md for all 7 validation patterns with detailed examples
- Example Reviews: See references/example-reviews.md for complete review examples (e-commerce, dashboard)

Load references when performing deep review or encountering specific violation patterns.
</progressive-disclosure>
<validation>
## Review Validation

After generating the review:

1. Verify Findings:
   - Re-run grep commands to confirm matches
   - Check context around flagged lines
   - Eliminate false positives
2. Test Remediation:
   - Verify recommended fixes are valid
   - Ensure skill references are accurate
   - Confirm impact assessments
3. Completeness Check:
   - All 7 categories checked
   - All Prisma files reviewed
   - Severity correctly assigned
</validation>
Integration: This skill is discoverable by the review plugin via `review: true` frontmatter. Invoke it with `/review prisma-patterns`, or it runs automatically when reviewing Prisma-based projects.
Performance: Review of a typical project (50 files) completes in under 10 seconds using grep-based pattern matching.
Updates: As new Prisma violations emerge, add patterns to the validation checks with corresponding skill references.