Engineering · 2026-04-24

PR-Reviewer.LangChain: TIER 4 Automated Code Review for LLM Pipelines

**TL;DR:** `PR-Reviewer.LangChain` is a TIER 4 automated code review tool specialized for LangChain pipelines. It catches Chain-of-Thought bugs, RAG retrieval failures, prompt injection vulnerabilities, and vector store misconfigurations that generic SAST scanners miss.

The 10-Second Pitch

  • **LangChain-specific rule set** — understands LCEL (LangChain Expression Language), chain configurations, and `RetrievalQA` patterns
  • **Chain-of-Thought validation** — verifies that prompts, few-shot examples, and output parsers are correctly wired in chain definitions
  • **RAG retrieval audit** — checks chunk sizes, embedding model selection, top-k configuration, and similarity thresholds
  • **Prompt injection scanning** — detects indirect injection via retrieved context, user-controlled variables interpolated into system prompts, and unsanitized chain inputs
  • **Vector store config validation** — catches mismatches between the embedding model and the vector store it feeds (for example, OpenAI embeddings written to a Chroma collection that was created with a different embedding model)

Setup Directions

Step 1 — Install the Blueprint

```bash
mrt install "PR-Reviewer.LangChain"
```

Step 2 — Configure Your LangChain Project

Create `langchain-review.config.json`:

```json
{
  "chain_types": ["retrieval_qa", "conversational_retrieval", "agent"],
  "embedding_model": "text-embedding-3-large",
  "vector_store": "pinecone",
  "scan_prompt_injection": true,
  "min_similarity_threshold": 0.75,
  "max_chunk_size": 512
}
```

Step 3 — Run a Review

```bash
claude -- blueprint pr-reviewer-langchain --target ./src/chains --output review-report.json
```

Step 4 — Parse the Report

Sample output:

```json
{
  "files_scanned": 23,
  "critical_findings": 1,
  "warnings": 4,
  "findings": [
    {
      "type": "prompt_injection",
      "file": "src/chains/qa_chain.py",
      "line": 47,
      "severity": "critical",
      "message": "User input directly concatenated into system prompt without sanitization"
    }
  ]
}
```
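The critical finding in that report corresponds to a concrete code pattern: a user-controlled value interpolated into a `SystemMessage` or into the `"system"` entry passed to `ChatPromptTemplate.from_messages`. The following is an added example written for this page, not PR-Reviewer.LangChain's own rule engine: a minimal `ast`-based check that flags that pattern and emits findings in the report's shape. The taint-name list, the sink list and the sample source file are constructed assumptions; the `safe` function in the sample shows the fix the finding asks for.

```python
"""Toy static check for the 'user input in system prompt' finding.
Added for this page; not PR-Reviewer.LangChain's rule engine. Taint names,
sink names and SAMPLE_SOURCE are constructed assumptions."""
import ast
import json

# Variable/parameter names treated as user-controlled (assumption).
USER_TAINT_NAMES = {"user_input", "question", "query", "user_message"}
# Call targets whose string argument becomes a system prompt (assumption).
SYSTEM_PROMPT_SINKS = {"SystemMessage", "SystemMessagePromptTemplate.from_template"}


def _call_name(func):
    """Dotted name of a call target: Name -> 'X', Attribute chain -> 'X.y'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return None


def _is_tainted(node):
    """True if the expression mixes a user-controlled name into a string."""
    if isinstance(node, ast.Name):
        return node.id in USER_TAINT_NAMES
    if isinstance(node, ast.JoinedStr):  # f"... {user_input} ..."
        return any(_is_tainted(v.value) for v in node.values
                   if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):  # "..." + user_input
        return _is_tainted(node.left) or _is_tainted(node.right)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":  # "...{}".format(user_input)
        return any(_is_tainted(a) for a in node.args) or \
            any(_is_tainted(k.value) for k in node.keywords)
    return False


def scan_source(source, filename):
    """Return findings shaped like the report above, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func) or ""
        args = list(node.args) + [kw.value for kw in node.keywords]
        tainted = []
        if name in SYSTEM_PROMPT_SINKS:
            tainted = [a for a in args if _is_tainted(a)]
        elif name.split(".")[-1] == "from_messages":
            # ChatPromptTemplate.from_messages([("system", <expr>), ...])
            for lst in args:
                for elt in (lst.elts if isinstance(lst, ast.List) else []):
                    if (isinstance(elt, ast.Tuple) and len(elt.elts) == 2
                            and isinstance(elt.elts[0], ast.Constant)
                            and elt.elts[0].value == "system"
                            and _is_tainted(elt.elts[1])):
                        tainted.append(elt.elts[1])
        for expr in tainted:
            findings.append({
                "type": "prompt_injection", "file": filename, "line": expr.lineno,
                "severity": "critical",
                "message": "User input directly concatenated into system prompt without sanitization",
            })
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample chain module: two vulnerable wirings and the fixed one.
SAMPLE_SOURCE = '''\
from langchain_core.messages import SystemMessage, HumanMessage
from langchain_core.prompts import ChatPromptTemplate

def vulnerable(user_input, llm):  # bad: user text lands in the system prompt
    messages = [SystemMessage(content=f"Support bot. Customer note: {user_input}"),
                HumanMessage(content="Summarise the note.")]
    return llm.invoke(messages)

def also_vulnerable(question, llm):  # bad: concatenation into the "system" tuple
    prompt = ChatPromptTemplate.from_messages([("system", "Rules: " + question),
                                               ("human", "Go.")])
    return (prompt | llm).invoke({})

def safe(user_input, llm):  # good: fixed system prompt, user text in the human turn
    prompt = ChatPromptTemplate.from_messages([("system", "Support bot. Use only the note."),
                                               ("human", "{question}")])
    return (prompt | llm).invoke({"question": user_input})
'''

if __name__ == "__main__":
    print(json.dumps(scan_source(SAMPLE_SOURCE, "src/chains/qa_chain.py"), indent=2))
```

The check is deliberately syntactic: it does not follow data through assignments or function calls, so treat it as a first pass for review comments, not as proof that a chain is clean.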

The Exact Prompt for an Ad-Hoc LangChain Audit

```text
Review this LangChain project for:
1. Prompt injection vulnerabilities (indirect injection via retrieved context)
2. Retrieval chain misconfigurations (chunk size, top_k, similarity threshold)
3. Chain-of-thought wiring issues (missing output parsers, broken memory)
4. Vector store configuration mismatches (embedding model vs. vector DB)
Output as structured JSON with severity and line numbers.
```
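Items 2 and 4 of that prompt are the checks most worth seeing spelled out. The following is an added example for this page, not the tool's own rule code: a validator that compares a policy file shaped like the Step 2 config against retriever settings extracted from a chain, plus a one-line live probe of embedding dimension against the index. The `OBSERVED` dict, the `index_dimension` key, the "k=1 with a high threshold" rule and its 0.8 cutoff are constructed assumptions; the model dimensions and token limits are OpenAI's published figures.

```python
"""Policy-vs-observed audit for RAG retrieval and vector store settings.
Added for this page; not PR-Reviewer.LangChain's rules. OBSERVED, the
index_dimension key and the k/threshold rule are constructed assumptions."""

# Output dimension and max input tokens of OpenAI embedding models (published specs).
EMBEDDING_SPECS = {
    "text-embedding-3-large": {"dim": 3072, "max_tokens": 8191},
    "text-embedding-3-small": {"dim": 1536, "max_tokens": 8191},
    "text-embedding-ada-002": {"dim": 1536, "max_tokens": 8191},
}

# Policy: the same fields as langchain-review.config.json in Step 2.
POLICY = {
    "embedding_model": "text-embedding-3-large",
    "vector_store": "pinecone",
    "min_similarity_threshold": 0.75,
    "max_chunk_size": 512,
}

# Constructed: settings a scanner might extract from a RetrievalQA chain that drifted.
OBSERVED = {
    "embedding_model": "text-embedding-3-small",         # not the policy model
    "index_dimension": 3072,                             # index was built for 3-large (assumed key)
    "chunk_size": 1024,
    "search_kwargs": {"k": 1, "score_threshold": 0.82},  # one hit, aggressively filtered
}


def audit_retrieval(policy, observed):
    """Return (severity, field, message) tuples; an empty list means compliant."""
    findings = []
    model = observed.get("embedding_model", policy["embedding_model"])
    if model != policy["embedding_model"]:
        findings.append(("warning", "embedding_model",
                         f"chain embeds with {model}; policy expects {policy['embedding_model']}"))
    spec = EMBEDDING_SPECS.get(model)
    if spec is None:
        findings.append(("warning", "embedding_model",
                         f"unknown model {model!r}; dimension check skipped"))
    else:
        idx = observed.get("index_dimension")
        if idx is not None and idx != spec["dim"]:
            # Dimension mismatch: the store rejects upserts/queries, or the index is unusable.
            findings.append(("critical", "vector_store",
                             f"{policy['vector_store']} index has dimension {idx} but {model} "
                             f"emits {spec['dim']}-d vectors"))
        if observed.get("chunk_size", 0) > spec["max_tokens"]:
            findings.append(("critical", "chunk_size",
                             f"chunk_size exceeds the {spec['max_tokens']}-token input limit of "
                             f"{model}; chunks are truncated before embedding"))
    if observed.get("chunk_size", 0) > policy["max_chunk_size"]:
        findings.append(("warning", "chunk_size",
                         f"chunk_size {observed['chunk_size']} > policy max {policy['max_chunk_size']}"))
    sk = observed.get("search_kwargs", {})
    k, thr = sk.get("k"), sk.get("score_threshold")
    if thr is not None and thr < policy["min_similarity_threshold"]:
        findings.append(("warning", "search_kwargs.score_threshold",
                         f"{thr} is below the policy minimum {policy['min_similarity_threshold']}"))
    if k == 1 and thr is not None and thr >= 0.8:  # rule and cutoff are assumptions
        findings.append(("warning", "search_kwargs.k",
                         f"k=1 with score_threshold={thr}: a single sub-threshold hit leaves "
                         "the chain with no context at all"))
    return findings


def check_live_dimension(embed_query, index_dimension, probe="dimension probe"):
    """Run once in CI against the real embedding callable (for example an
    OpenAIEmbeddings instance's embed_query): embed a probe string and compare
    the vector length with the dimension the index was created with."""
    return len(embed_query(probe)) == index_dimension


if __name__ == "__main__":
    for severity, field, message in audit_retrieval(POLICY, OBSERVED):
        print(f"[{severity}] {field}: {message}")
```

The static audit only sees what the scanner extracted; the live probe closes the gap between "the code says 3-large" and "the deployment's API key actually serves 3-small", which is the mismatch that surfaces as empty or wrong retrievals rather than as an error in code review.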

Pros & Cons

| Pros | Cons |
|---|---|
| LangChain-specific rules catch what generic SAST misses | Only works with LangChain, not with custom LLM apps |
| Prompt injection detection is context-aware, not just pattern matching | Requires a recognizable Python project structure |
| RAG config validation prevents retrieval drift in production | Chunk size rules are model-dependent and need tuning per embedding model |
| TIER 4 means deep chain orchestration understanding | No Go/Rust LangChain support yet (early-stage ecosystem) |
| Generates per-file diff summaries for PR comments | Integration with GitHub PR review requires webhook setup |

Verdict

Generic code scanners don't understand LangChain. They can't tell you that your `RetrievalQA` chain retrieves with a `top_k` of 1 while its similarity threshold is 0.82, or that your conversational memory is leaking context between users. `PR-Reviewer.LangChain` does, and the prompt injection detection alone is worth running before any LLM-powered feature ships.

**Best for:** Engineering teams shipping LangChain-based RAG or agentic applications, and ML engineers reviewing LLM pipeline PRs.

**Alternative:** For generic Python/JS SAST across any LLM framework, use `skill-security-auditor`. For Go/Rust-based LLM applications, the equivalent is still in development; check the registry.

*TIER 4 skill. Available at [mr.technology/registry](/registry).*