by Vladan Mijatović | engineering, devproductivity

Engineering quality skills that pay for themselves

Code reviewer patterns, MCP wrapper builders, contract auditors. The skills that catch the bug before it ships, every time.

The cheapest bug is the one a senior engineer would have caught in review. The second cheapest is the one a senior engineer catches the morning after. The most expensive is the one that ships to paying users.

Fino's engineering skills target the first category. They are review patterns, not authoring patterns. Their job is to look at code you (or an agent) just wrote and find the things that hurt in production.

Code Reviewer Pattern

The flagship. You paste a diff. The skill runs in five lenses, in parallel:

  • Contract review. Did this change a public signature, a return shape, or a side-effect? If yes, who downstream depends on the old shape?
  • Silent failure. Are there any catch blocks that swallow errors, any fallbacks that mask bugs, any defaults that hide a real signal?
  • Regression risk. Are there any callers of the changed code that this PR does not cover?
  • Security. Any new input flowing into a SQL query, a shell exec, an eval, a file path, a URL, a regex? Any new secret in a log line?
  • UX impact. If this code is on the user-facing path, what does a paying user see differently after this change?

Each lens produces 0 to 10 findings. The output is severity-tagged. Critical and High get fixed before commit. Medium and Important get filed.
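The Security lens above, reduced to a deterministic pre-filter over the lines a diff adds, as an added example (not Fino's skill or its rules). The regexes, the rule-to-severity mapping, the function names and the sample diff are all constructed assumptions.

```python
import re

# Constructed sink patterns for Python code; heuristics, not Fino's rule set.
RULES = [
    ("sql-injection", "Critical",
     re.compile(r"""\.execute\(\s*(f["']|["'][^"']*["']\s*(%|\+|\.format))""")),
    ("shell-injection", "Critical", re.compile(r"os\.system\(|shell\s*=\s*True")),
    ("eval", "High", re.compile(r"\b(eval|exec)\(")),
    ("secret-in-log", "High", re.compile(
        r"\b(log(ger|ging)?\.\w+|print)\(.*(password|secret|token|api_key)", re.I)),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def review_diff(diff_text):
    """Return (severity, rule, path, new_line_no) for each added line that matches."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):          # hunk header resets line numbering
            new_line = int(m.group(1))
        elif raw.startswith("+"):             # added line: the only code reviewed
            for rule, severity, pattern in RULES:
                if pattern.search(raw[1:]):
                    findings.append((severity, rule, path, new_line))
            new_line += 1
        elif raw.startswith(" "):             # context line advances numbering
            new_line += 1
        # '-' lines are removed code: not reviewed, numbering unchanged
    return findings

def blocks_commit(findings):
    """Critical and High are fixed before commit; anything else is filed."""
    return any(sev in ("Critical", "High") for sev, *_ in findings)

# Constructed sample diff: parameterised query replaced by an f-string query.
SAMPLE_DIFF = '''\
--- a/app/users.py
+++ b/app/users.py
@@ -10,3 +10,6 @@ def find_user(db, name):
     cur = db.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
+    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
+    logger.info("lookup with token=%s", api_token)
+    subprocess.run("id " + name, shell=True)
+    cur.execute("SELECT 1 WHERE id = ?", (uid,))
     return cur.fetchone()
'''
```

The parameterised `execute` on the last added line is not flagged, and removed lines are never scanned, so findings point only at code the diff introduces.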

Why five lenses, not one

A single reviewer drifts toward whatever pattern they last got burned on. Five lenses with disjoint prompts cover disjoint failure modes. The overlap is small. The blind spots are smaller.

We learned this the hard way. The Trust-3 audit-trail bug shipped the first time because the silent-failure lens was the only lens looking, and silent failure was not the failure mode. A contract reviewer would have caught it in 30 seconds. We added the contract lens. Future audits caught the next class of bugs.

MCP Wrapper Builder

If you build agentic systems, you spend a lot of time wrapping third-party APIs as MCP tools. The pattern is the same every time: schema, validation, error envelope, test scaffold, doc string. The skill produces all five from a single OpenAPI fragment or a single function signature you paste in.

Median saving per integration: 2 to 4 hours.

Where the skill ends: novel APIs with non-standard auth flows (multi-step OAuth dances, browser captchas, signature schemes). Those still need a human. The skill handles the 80 percent of integrations that fit the standard pattern.

What "pays for itself" actually means

Skills cost. Each fire of the Code Reviewer Pattern costs roughly $0.04 in tokens. Running the pattern on a 1,500-LOC PR costs roughly $0.12. The marginal cost is negligible.

The savings are not negligible. One Critical bug caught in pre-commit review costs $0.12 to find. The same bug found in production costs roughly 4 to 8 hours of incident response, plus reputation damage, plus the rework. Median cost-avoided per Critical sits in the $400 to $2,000 range. The math is not subtle.

That math is the math we use to decide which skills ship as cost-class "light" (run by default on every diff) versus "medium" (run on user request).

How we use it ourselves

Every commit in our own production repo (Fino) runs the Code Reviewer Pattern. Cross-cutting diffs run a 5-lens parallel pass via the /ship command. The reports go to the commit body. The Critical and High findings are fixed inline before push. The Medium and Important findings are filed into a queue that gets a sweep at the end of each session.

This is not a process we evangelize at you. It is the process we use because the math works.

What we do not pretend

The skill is not a replacement for a senior engineer. It is a multiplier on the senior engineer you already have (which, if you are a solo founder, is you). It catches the patterns you can describe. It misses the patterns you cannot. A skilled human reviewer with deep context still catches subtle things the skill misses.

The skill is also not a security auditor. It catches common security patterns (SQL injection shapes, shell injection shapes, secret leakage shapes). For a real security review, you want a real security review.

Where to use it

If you are shipping production code, you should run the Code Reviewer Pattern on every cross-cutting diff. The cost is 12 cents. The downside is finding a bug. There is no downside-of-downside.

If you are building agents, you should run the MCP Wrapper Builder on every new integration. The cost is the same. The saving is hours.

If you are doing neither, you probably do not need either skill. The catalog is large enough that something else will close a loop you actually run.
