$ phreaker init

AI code review
that doesn't sleep.

Senior-level pull request analysis on every push. Catches bugs, security holes, and code smells before merge. Powered by Xiaomi MiMo.

30 PR/month free · No credit card
14.2k PRs reviewed
2,847 Bugs caught
312 Security issues
98.4% Dev satisfaction
// FEATURES

What Phreaker catches

Trained on millions of real PRs and CVEs.

[01]

Security vulnerabilities

SQL injection, XSS, exposed secrets, unsafe deserialization, command injection. Cross-references CVE database.

[02]

Logic bugs

Off-by-one errors, null derefs, race conditions, incorrect state transitions, side effects in render.

[03]

Performance issues

N+1 queries, unnecessary re-renders, blocking I/O on hot path, leaking event listeners, unbounded loops.

[04]

Style & convention

Project-specific style learned from your repo history. No generic rule-set spam.

[05]

Test coverage gaps

Flags new logic without corresponding tests. Suggests test cases for edge conditions.

[06]

Architecture drift

Detects when changes violate documented architecture (ADRs, AGENTS.md, CONTRIBUTING.md).

// LIVE DEMO

Watch it review a real PR

This is the actual MiMo output on a vulnerable Express endpoint. No cherry-picked examples.

PR #142 · feat: get user by id
phreaker-bot
api/users.ts
diff --git a/api/users.ts b/api/users.ts
@@ -12,8 +12,15 @@ export async function getUser(req: Request) {
const id = req.params.id;
- const user = await db.query(
- `SELECT * FROM users WHERE id = '${id}'`
- );
+ const user = await db.query(
+ `SELECT * FROM users WHERE id = ${id}`
+ );
return Response.json(user);
}
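Review bot: the added `+` lines still interpolate `req.params.id` into the SQL text (`WHERE id = ${id}`), so removing the quotes from the old query does not make the value safe; with no string literal around it, the value is read as SQL directly. Pass `id` as a bound parameter and check that it is numeric before the query runs. The `SELECT *` result also goes straight into `Response.json(user)`, which sends every column of `users` to the client, so list the columns this endpoint is meant to return. Nothing in the hunk handles a rejected `db.query`.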
3 issues found · 1 critical · 1 high · 1 medium
CRITICAL · security · L14
SQL injection vulnerability
User input is interpolated directly into the SQL query. An attacker can pass `1 OR 1=1; DROP TABLE users;--` and exfiltrate or destroy data. Use parameterized queries.
const user = await db.query('SELECT * FROM users WHERE id = $1', [id]);
HIGH · validation · L13
No input validation on `id`
The `id` field is consumed without validation. If the column is integer, non-numeric input crashes the query and leaks stack traces.
if (!/^[0-9]+$/.test(id)) return new Response('Bad Request', { status: 400 });
MEDIUM · error-handling · L16
Missing error boundary
If the DB query rejects, the unhandled promise leaks to the runtime and returns 500 with no log context. Wrap in try/catch and log structured error.
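The three findings above combined into one handler, as an added example that is not Phreaker's output or the page's own code. It assumes a `db.query(text, params)` client that resolves to `{ rows }`; `makeGetUser`, `makeFakeDb`, the `id, name` columns and the 15-digit cap on the id are hypothetical.

```javascript
// Added example, not the page's code. `db` is any client exposing
// query(text, params) that resolves to { rows } (assumed, node-postgres style).
const ID_RE = /^[0-9]{1,15}$/; // digits only, length-capped to stay below 2^53

function json(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

function makeGetUser(db, log = console.error) {
  return async function getUser(req) {
    const id = req.params.id;
    // Finding 2: reject anything that is not a plain decimal id before touching the DB.
    if (typeof id !== 'string' || !ID_RE.test(id)) {
      return json({ error: 'Bad Request' }, 400);
    }
    try {
      // Finding 1: the value travels as a bound parameter, never as SQL text.
      // Columns are listed explicitly (hypothetical names) instead of SELECT *.
      const { rows } = await db.query(
        'SELECT id, name FROM users WHERE id = $1',
        [Number(id)]
      );
      return rows.length ? json(rows[0], 200) : json({ error: 'Not Found' }, 404);
    } catch (err) {
      // Finding 3: log context server-side, return a generic body to the client.
      log({ event: 'getUser.query_failed', id, message: err.message });
      return json({ error: 'Internal Server Error' }, 500);
    }
  };
}

// Constructed stand-in for a database client: records every call it receives.
function makeFakeDb({ fail = false } = {}) {
  const calls = [];
  return {
    calls,
    async query(text, params) {
      calls.push({ text, params });
      if (fail) throw new Error('connection reset');
      return { rows: params[0] === 7 ? [{ id: 7, name: 'constructed-user' }] : [] };
    },
  };
}
```

Because the fake client records its calls, a test can confirm that a rejected `id` never produces a query at all and that the driver's error message stays out of the response body.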
// PRICING

Free to start. Pay only at scale.

Every plan includes unlimited repos. Limits are per-PR-per-month.

Hobby
$0/forever
  • 30 PRs / month
  • Public repos only
  • Community Discord
Pro
$29/month
  • 500 PRs / month
  • Private repos
  • Custom rules per repo
  • AGENTS.md aware
  • Email support
Team
$199/month
  • Unlimited PRs
  • 5 seats
  • SSO + audit log
  • Slack + Linear
  • Priority support
Phreaker — AI Code Review for GitHub