the catalog · skills
97 Claude Code skills
Workflows that teach Claude Code your process. Installed skills become slash commands — install owasp-top10 and /owasp-top10 is ready in your next session.
- api-paginationfree
Implement correct, fast API pagination — cursor vs offset trade-offs, opaque cursor encoding, stable sort keys, page-size limits, total-count costs, and consumer-side iteration that survives inserts, deletes, and retries. With runnable cursor checks.
How to optimize an app-store listing (ASO) for discovery and conversion — title, subtitle, keywords, screenshots, icon, ratings, and the metadata that drives installs. A deep reference with worked Apple and Google listings and a runnable listing linter.
Design tamper-evident audit logs that satisfy security and compliance — what to record (who/what/when/where/outcome), what to never log (secrets/PII), structured immutable events, hash-chaining for tamper-evidence, retention, and access control. A deep reference with runnable validation.
Design background job systems that don't lose or double work — enqueue-after-commit, retry policies with jitter, idempotent handlers, visibility timeouts, priority lanes, scheduled and recurring jobs, worker scaling, and observability for async work. With a runnable retry-policy check.
Design and operate a tested backup and disaster-recovery strategy — the 3-2-1 rule, RPO/RTO targets, full vs incremental vs differential, point-in-time recovery, encryption, offsite/immutable copies, retention, and the restore drills that prove a backup actually works.
Document software architecture with the C4 model (Context, Container, Component, Code) as text-based diagrams in version control. Covers the four abstraction levels, notation discipline, when to draw each level (and when to stop), supplementary diagrams, and Mermaid/Structurizr tooling.
Deep reference for caching — what to cache, cache-aside vs read/write-through/write-behind, TTLs with jitter, eviction (LRU/LFU/FIFO), invalidation, and surviving stampedes (thundering herd / dogpile). Worked examples and a runnable jitter check.
How to write and maintain a changelog humans actually read — Keep a Changelog structure, an Unreleased section, the six standard categories (Added/Changed/Deprecated/Removed/Fixed/Security), SemVer linkage, and when to hand-write vs auto-generate from conventional commits. Includes a runnable linter.
How to reduce customer churn — separating voluntary from involuntary churn, scoring account health from leading signals, running save and win-back plays, and fixing root causes. A deep reference with worked examples and a runnable churn calculator.
Design fast, reliable CI/CD pipelines — fail-fast staged checks (lint→test→build→scan→deploy), dependency and build caching, artifact passing, matrix builds, merge-blocking gates, and least-privilege secrets (OIDC, SAST). A deep reference with runnable checks.
Cut cloud spend without cutting reliability — rightsizing from utilization data, spot and commitment strategy, storage lifecycle rules, egress traps, tagging for cost attribution, unit economics per request/customer, and a monthly FinOps review loop that sticks.
How to write cold outreach that earns replies — relevance-first openers, specific personalization, one low-friction ask, tight subject lines, and a graceful follow-up cadence. A deep reference with worked examples and a runnable linter.
How to plan and run a content calendar that balances pillars, formats, and channels around goals — cadence design, content mix, batching and repurposing, and a runnable validator. A deep reference with worked examples and executable checks.
How to read a business contract for the terms that matter most — liability, indemnity, IP, termination, payment, and auto-renewal — and spot red flags. Deep reference with clause checklists, worked examples, and a runnable risk-flag scanner.
Write Conventional Commits — the type(scope)!: subject + body + footer spec — so history is readable and changelogs and SemVer bumps can be derived automatically. Use when committing, configuring commitlint, designing release tooling, or deciding feat vs fix vs breaking change.
Proven copywriting frameworks (AIDA, PAS, BAB, FAB, the 4 Ps/4 Us) and when to use each to structure persuasive marketing copy. A deep reference with worked before/after examples and a runnable framework validator.
Design data models that make invalid states impossible — entities & relationships, normalization (1NF–3NF) vs deliberate denormalization, keys & indexing, relational vs document/NoSQL, OLTP vs OLAP, and schema evolution. Deep reference with SQL examples and a runnable schema linter.
Turn data into a decision — lead with the insight, choose the right chart for the intent, frame it for the audience, and drive to an action. A deep reference with worked examples and a runnable chart-picker.
Validate untrusted data at boundaries with schema-based contracts — types, ranges, enums, regex, uniqueness, referential integrity, freshness — so bad input is rejected with precise errors at ingestion, not found later in a dashboard. Covers Zod/Pydantic/JSON-Schema, sanitization vs validation, parse-don't-validate.
How to write safe, reversible, zero-downtime database schema migrations — additive-first changes, the expand/migrate/contract pattern, batched backfills, concurrent index builds, safe NOT NULL, rollbacks, and the locking pitfalls that cause outages. A deep reference with runnable checks.
Scale a relational database under growing load in the right order — query/index tuning, connection pooling, read replicas and replication lag, caching, table partitioning, and sharding. Covers CQRS, hot keys, and the trade-offs of each step. Deep reference with runnable checks.
Deploy without fear — blue-green vs canary vs rolling trade-offs, database migrations during deploys (expand/contract), rollback design and its limits, smoke tests as promotion gates, coordinating multi-service releases, and decoupling release from deploy with flags.
How DNS actually works and how to change it safely — record types (A/AAAA/CNAME/MX/TXT/NS/SOA/CAA), TTL and propagation, the CNAME-at-apex problem, email auth (SPF/DKIM/DMARC), and dig-based troubleshooting. Deep reference with runnable record validation.
Author small, secure, fast-building container images — multi-stage builds, layer caching, non-root/distroless hardening, .dockerignore, size optimization, and HEALTHCHECK. Use when writing or reviewing a Dockerfile, shrinking image size, or fixing slow/insecure builds.
How to architect a documentation set with the Diátaxis framework — separating tutorials, how-to guides, reference, and explanation, then wiring information architecture, navigation, audience mapping, search, and docs-as-code so each reader lands on the page they need. With examples and a runnable structure linter.
Deep reference for reliable Playwright E2E tests — role/accessible locators over CSS, web-first assertions and auto-waiting (no hard sleeps), fixtures and storageState auth reuse, network mocking, flakiness reduction, and CI sharding/traces. Worked TS specs plus a runnable spec linter.
How to handle errors explicitly and consistently across an app — validate at boundaries, classify operational vs programmer errors, add context while propagating, retry transient failures with backoff, and never swallow. Covers JS/Python/Go/Rust patterns with runnable checks.
Design event-driven systems that stay consistent — queues vs streams, pub/sub topology, idempotent consumers, the transactional outbox, sagas for multi-service workflows, dead-letter queues, ordering guarantees, and event schema evolution without breaking consumers.
Engineer ML features safely and effectively — feature types, encoding (one-hot/target/ordinal), scaling, missing-value and outlier handling, feature selection, pipelines and feature stores, and above all avoiding target leakage and train/serve skew. Deep reference with runnable leakage checks.
Ship behind flags and learn from experiments — progressive rollouts, kill switches, deterministic bucketing, flag lifecycle and debt cleanup, A/B test design with guardrail metrics, sample-size sanity, and avoiding peeking. With a runnable bucketing check.
How to build a clear, drivable financial model — three-statement linkage, driver-based forecasting, explicit assumptions, scenarios, sensitivity, and cash runway. A deep reference with worked examples and a runnable projection.
Choose the right home for every piece of frontend state — server, client, URL, form, and derived — so React/TS apps stay predictable and never store the same truth twice. Covers TanStack Query vs Zustand/Jotai/Redux/signals, normalization, colocation, and the duplication traps that cause stale UI.
Structure a robust game loop — fixed vs variable timestep, the "fix your timestep" accumulator, decoupling update from render with interpolation, determinism for replays/netcode, and the spiral-of-death guard. A deep reference with worked traces and a runnable simulator.
Keep games at a stable frame rate. Use when a game stutters, drops frames, or hitches — budgeting the 16.6ms frame, profiling CPU vs GPU bottlenecks, object pooling to avoid GC spikes, draw-call batching, culling, spatial partitioning, and data-oriented design.
Build core GDPR obligations into software — lawful basis, data-subject rights (access/erasure/portability/rectification), consent, data minimization, processor/DPA duties, breach notification (72h), and DPIAs. Use when handling EU personal data, designing consent flows, or responding to DSRs.
Run git collaboration that scales — trunk-based vs git-flow decided by deploy cadence, branch protection and required checks, PR sizing and review etiquette, monorepo vs polyrepo trade-offs, release branches and hotfixes, and history hygiene with disciplined merges.
Design GraphQL APIs that survive production — schema modeling, resolver patterns, the N+1 problem and dataloaders, connection-style pagination, error handling, field-level authorization, federation vs monolith, and query cost limiting. With schema and dataloader examples.
Run a production incident from detection to postmortem — severity classification & SLAs, roles (Incident Commander, comms, ops), the detect→triage→mitigate→resolve→review workflow, status-comms cadence, and blameless retrospectives. A deep reference with templates and a runnable severity classifier.
Internationalize correctly from the start — ICU MessageFormat and plural rules, RTL layouts with logical CSS properties, locale-aware dates/numbers/currency via Intl, translation-key hygiene and workflow, encoding pitfalls, and pseudo-localization testing in CI.
Designing structured hiring interviews that predict job performance fairly — competency modeling, behavioral/STAR question design, consistent scoring rubrics, interviewer calibration, and bias reduction. A deep reference with worked examples and a runnable kit check.
Connect IoT fleets reliably — choosing MQTT/CoAP/HTTP/LoRaWAN, MQTT QoS and topic design, device provisioning and identity, OTA updates, surviving intermittent links (store-and-forward, last-will), and per-device TLS security. Deep reference with worked examples and a runnable topic validator.
How to write job descriptions that attract strong, diverse candidates — outcome-focused responsibilities, realistic must-have vs nice-to-have requirements, inclusive bias-free language, and honest logistics. A deep reference with worked examples and a runnable linter.
How to write self-service help articles that deflect tickets — task-focused titles, findable structure, clear steps, and maintenance loops. A deep reference with worked examples and a runnable article check.
Conventions for writing production-grade Kubernetes manifests — Deployments, Services, Ingress, liveness/readiness/startup probes, resource requests/limits and QoS, securityContext hardening, ConfigMap/Secret wiring, rolling updates, HPA, PDB, and labels/selectors. Deep reference with worked YAML and a runnable linter.
Modernize legacy systems without a rewrite bet — strangler-fig migration, finding seams, characterization tests before touching anything, anti-corruption layers, incremental database decomposition, and the rewrite-vs-refactor decision made with evidence.
Operating Linux servers with confidence — users/groups and octal permissions (setuid/setgid/sticky), systemd units and journald, process/disk/network triage (ps/top/df/ss/lsof), log inspection, and baseline hardening. A deep reference with runnable checks and copy-paste assets.
Deep, practical guide to evaluating LLM outputs — building eval datasets, choosing reference-based vs LLM-as-judge vs pairwise/Elo vs human scoring, picking metrics (exact/F1, faithfulness, calibration), regression gating in CI, and controlling judge bias and variance. Includes runnable scorer.
Distribute traffic across instances for scale and reliability — L4 vs L7, algorithms (round-robin, weighted, least-connections, consistent-hash), active/passive health checks, sticky sessions, connection draining, and TLS termination, with runnable nginx/haproxy examples.
How to size and understand a market without fooling yourself — TAM/SAM/SOM sizing, customer segmentation, competitive analysis, and combining secondary and primary research. A deep reference with worked examples and a runnable sizing check.
Build MCP servers agents can actually use — tool schema design that models route correctly, resources vs tools vs prompts, stdio and HTTP transports, auth patterns, error surfaces that help the model recover, and testing servers against real agent loops.
How to structure meeting notes so they drive action afterward — separating decisions from discussion, capturing action items with an owner and due date every time, and using meeting-type templates. A deep reference with worked examples and a runnable validator.
Platform-aware mobile UI patterns for iOS and Android — navigation (tabs/stack/drawer), touch targets and thumb zones, gestures and feedback, safe areas and notches, list virtualization, and designing loading/empty/error/offline states. Deep reference with examples and a runnable touch-target check.
How to evaluate ML models honestly — task-appropriate metrics (classification vs regression), train/val/test splits and cross-validation, baselines, confusion matrices, class imbalance, data leakage, and overfitting vs underfitting. Use when measuring, comparing, or reporting model quality.
How to handle sales objections honestly and effectively — acknowledge, clarify the real concern, reframe with evidence, and confirm. Covers price, timing, trust, and competitor objections, proven frameworks, and reframing techniques, with worked scripts and a runnable structure check.
- offline-syncpro
Build offline-first apps that work without a connection — local-first reads, an outbox/mutation queue, optimistic UI, idempotent replay on reconnect, delta sync with cursors and tombstones, and conflict resolution (last-write-wins vs CRDTs). Use when designing sync for mobile or flaky-network clients.
- okr-writingpro
How to write effective OKRs — qualitative objectives paired with measurable key results — that drive focus instead of becoming a task list. A deep reference with worked examples and a runnable validator.
- owasp-top10free
A deep prevention reference for the OWASP Top 10 web risks — broken access control, injection, crypto failures, insecure design, SSRF and more — with vulnerable-vs-fixed code, edge cases, and a runnable naive-vulnerability scanner.
Integrate payments without losing money — idempotency keys on every charge, webhook-driven state (never redirect-driven), PCI scope boundaries, SCA/3DS flows, subscription lifecycle and dunning, refunds and disputes, reconciliation, and test-mode discipline. Provider-agnostic patterns.
How to write fair, useful performance reviews — specific evidence over vague impressions, behavior-based feedback (SBI/STAR), balanced strengths and growth areas, bias avoidance, and concrete next steps. A deep reference with worked examples and a runnable linter.
How to set and structure pricing — value-based pricing, good-better-best tiering and packaging, psychological anchoring, discounting, and price testing — to capture value without deterring buyers. A deep reference with worked examples and a runnable tier check.
Decision frameworks for prioritizing product and engineering work — RICE, ICE, MoSCoW, Kano, weighted scoring, and Cost of Delay / WSJF — with guidance on which lens fits which decision, how to score honestly, and how to avoid false precision. Deep reference with worked examples and a runnable RICE ranker.
How to draft a privacy policy that is accurate, readable, and covers the required elements — what data you collect, why, legal basis, sharing, retention, and user rights. A draft to finalize with counsel.
Choosing and operating product metrics that reflect real value — North Star definition, the AARRR pirate funnel, activation/retention/engagement, leading vs lagging indicators, guardrail metrics, cohort analysis, and avoiding vanity metrics. Deep reference with worked examples and a runnable cohort-retention check.
A deep, practical guide to engineering reliable LLM prompts — role/context, instructions, few-shot, structured output, chain-of-thought, delimiting untrusted data, injection defense, and evaluation. Includes worked prompts and a runnable output validator.
- rag-patternspro
Deep, practical guide to retrieval-augmented generation that actually grounds answers — chunking, embeddings, vector + hybrid/BM25 search, reranking, context assembly, citation, and evaluation. Includes worked configs, a grounding prompt template, and a runnable chunker.
- readme-writingfree
How to write a README that gets a project understood and running fast — lead with what/why, a 60-second quickstart, then usage, config, contributing, and license. Covers required sections, show-don't-tell examples, scannability, badges, and failure modes. Use when writing or auditing a project README.
Build realtime features that survive production — WebSockets vs SSE vs polling trade-offs, connection lifecycle, reconnect with backoff and event resume, heartbeats, presence, horizontal fan-out via pub/sub, backpressure, and graceful degradation when connections drop.
Improve code structure without changing behavior — the discipline of small, named, test-backed moves. Extract function/variable, inline, rename, replace conditional with polymorphism, introduce parameter object, guard clauses. Recognize smells, refactor safely, avoid big-bang rewrites.
Design a fast, trustworthy regression strategy — turn every fixed bug into a permanent test, tier suites (smoke/full/nightly), select only impacted tests via test-impact analysis, and detect/quarantine flaky tests so red always means broken. Use when CI is slow, flaky, or regressions keep shipping.
Build fluid, responsive web layouts from 320px to ultrawide with modern CSS — mobile-first, fluid type/space via clamp(), intrinsic CSS grid/flex, container queries vs breakpoints, intrinsic sizing, avoiding fixed px and layout shift. Deep reference with examples and a runnable breakpoint check.
- rest-api-designfree
Conventions for designing clean, consistent, evolvable REST APIs — resource modeling, HTTP semantics, status codes, pagination, filtering, error envelopes, versioning, idempotency, and security. A deep reference with worked examples and runnable checks.
How to build a product roadmap that communicates strategy — outcome-based themes over feature lists, Now/Next/Later horizons, prioritization, and honest time framing. A deep reference with worked examples and a runnable structure check.
RTOS firmware patterns — preemptive priority scheduling, ISR discipline (short handlers, deferred work, ISR-safe APIs), queues/semaphores/mutexes, priority inversion and inheritance, static vs dynamic allocation, stack sizing, and watchdogs. Use when writing or reviewing real-time embedded firmware (FreeRTOS/Zephyr).
Write operational runbooks an on-call engineer can follow at 3am with zero context — exact triggers, preconditions, numbered copy-pasteable steps, per-step verification, rollback, and escalation. Deep reference with a template, a worked example, and a runnable linter.
How to run effective sales discovery — qualification frameworks (BANT, MEDDIC), SPIN questioning, quantifying pain, and mapping the decision process. A deep reference with worked call examples and a runnable qualification check.
Implement search that finds things — full-text mechanics (analyzers, BM25), vector/semantic search and hybrid ranking with RRF, relevance evaluation with golden queries, indexing pipelines that stay in sync, typo tolerance, facets, and when Postgres is enough.
Handle secrets safely across the lifecycle — keep them out of source, load from env or a secret manager, scope to least privilege, encrypt in transit and at rest, rotate on a schedule, and respond fast when one leaks. Deep reference with runbooks, examples, and a runnable leak scanner.
- secure-authfree
Implement authentication securely — authentication vs authorization, password hashing (argon2id/bcrypt), sessions vs JWT (storage, expiry, refresh, revocation), MFA, OAuth2/OIDC flows, and defenses against credential stuffing, session fixation, and CSRF. Worked examples + a runnable password-policy check.
- seo-on-pagepro
On-page SEO — search-intent matching, title tags, meta descriptions, heading structure, internal linking, URLs, image alt text, and structured data that ranks without keyword stuffing. A deep reference with worked examples and a runnable linter.
Define reliability numerically — choosing SLIs users actually feel, setting SLO targets, error budgets and multi-window burn-rate alerting, latency percentiles done right, and using budget burn to arbitrate reliability work vs features. With a runnable burn-rate check.
Deep reference for securing Solidity/EVM smart contracts — reentrancy, access control, oracle/price manipulation, integer over/underflow, delegatecall, unchecked external calls, and front-running/MEV — with vulnerable-vs-fixed code, an audit checklist, fuzzing guidance, and a runnable vuln scanner.
Get audit-ready for SOC 2 — scope the Trust Services Criteria, build a controls-to-evidence matrix, write the policies auditors check, choose Type I vs Type II, and close the gaps that fail audits. Deep reference with worked examples and a runnable coverage check.
Battle-tested Solidity/EVM patterns for safe smart contracts — checks-effects-interactions, reentrancy guards, access control (Ownable/roles), pull-over-push payments, gas & storage-layout optimization, events, and proxy upgradeability trade-offs. Deep reference with runnable Solidity-source linter.
How to judge whether a source deserves trust before you cite it — authority, evidence, currency, bias, and corroboration — using the CRAAP test, primary-vs-secondary reasoning, and bias detection. A deep reference with worked examples and a runnable scorer.
- sql-index-tuningfree
Diagnose slow SQL queries and add the right indexes without over-indexing — B-tree mechanics, composite ordering (equality-before-range), the leftmost-prefix rule, covering/index-only scans, reading EXPLAIN ANALYZE, selectivity, and write-amplification costs. Worked SQL examples and a runnable index-suggester.
How to write support replies that resolve and reassure — acknowledgement and empathy, clear solutions or honest next steps, expectation-setting, de-escalation, and brand-appropriate tone. A deep reference with worked replies and a runnable linter.
Deep reference for scaling systems — load balancers, caches, queues, replicas, sharding, CDNs, CAP and consistency models, idempotency, and back-of-envelope capacity estimation. Use when designing a scalable backend, sizing infrastructure, or answering a system-design interview/RFC.
The networking fundamentals every engineer needs — the layered model and encapsulation, IPv4 addressing/subnetting/CIDR, TCP vs UDP, the 3-way handshake and connection states, ports/sockets, NAT, MTU/fragmentation, and diagnosing issues with ping/traceroute/ss. Deep reference with runnable subnet math.
How to draft terms of service covering the essentials — acceptable use, accounts, payment, liability limits, indemnification, termination, changes, governing law, and dispute resolution. A deep reference with worked examples and a runnable section check. Informational only, not legal advice.
- test-plan-designfree
How to design a test plan — scope and risk-based prioritization, the test pyramid, case-design techniques (equivalence partitioning, boundary values, decision tables), entry/exit criteria, coverage and requirement traceability, test data and environments. Deep reference with a runnable coverage-gap check.
Analyze unit economics — CAC, LTV, contribution margin, and CAC payback — to judge whether a business model actually makes money per customer. A deep reference with worked examples and a runnable calculator.
How to design and run user (product/UX) research interviews that yield honest insight — non-leading questions, past-behavior focus, participant recruiting, bias avoidance, and synthesis. A deep reference with a discussion guide, an annotated transcript, and a runnable question linter.
How to write user stories and acceptance criteria that are small, testable, and valuable — using INVEST, Given-When-Then, and disciplined story splitting. A deep reference with worked examples and a runnable validator.
Run a goal end-to-end as a gated pipeline of specialist agents — reproduce → test → patch → review → commit — where nothing advances past a gate until its exit condition holds and the required agent has signed off. Use when a task needs several agents in sequence with checkpoints, not a single one-shot answer.
- vanara-routefree
Given a task, find the best-fit installed Vanara agent and run it. Reads the installed agent roster, scores each by how well its stated purpose matches the task, delegates to the strongest match, and — when nothing fits — records the gap so you can request the missing agent. Use when you are not sure which specialist …
Deep, practical reference for building WCAG 2.2 AA-conformant web UIs — POUR principles, semantic HTML, keyboard operability and visible focus, ARIA done right, color contrast, accessible forms, and screen-reader basics. Includes worked HTML examples and a runnable contrast checker.
Design and consume webhooks reliably — HMAC signature verification, timestamp/replay protection, fast 2xx acknowledgement, consumer idempotency via event-id dedupe, at-least-once delivery, retries with exponential backoff + dead-letter, ordering, and payload design. Deep reference with runnable checks.