matt-skills

A Claude Code skill library, built from real work.

23 named slash commands that help Claude Code make stronger calls by default — decisions, code review, performance, shipping, and writing. Browse the whole catalog below. The full pack installs in any project.

Get the pack — $79
23 skills · one-time purchase, lifetime updates
Drop-in Claude Code skill pack
A curated operator library
Lifetime updates, instant download

The catalog

Every skill in the pack. Click any one to read what it does.

agent-exploit-paths

Claude Code skill

Prove and rank the attacker-data → privileged-action exploit paths through an LLM/agent — the source→model→sink reachability and blast-radius audit that security-sweep's request→row model structurally can't see. Taints every untrusted ingress (RAG chunks, tool results, fetched pages, emails, parsed files, memory, peer-agent messages) through prompt assembly to every sink (tool dispatch, DB write, outbound send, render, exec), reports ONLY paths where a trust boundary is provably absent, and proves each with a live behavioral oracle (canary crossed a boundary / forbidden tool fired). Use when "prompt injection audit", "agent security", "is my AI app safe", "LLM security", "tool-call authz", "exploit paths", lethal-trifecta / excessive-agency review, or when bug-zero / project-autopilot route the AI/agent-security class here (security-sweep owns the SaaS infra boundary; this owns the agent one).

agentic-loops

Loops & automation

A library of 31 proven agentic loop patterns — build/verify/fix/repeat-until-a-bar workflows that run a task on a cadence or to a stopping condition. Use when the user wants to run something iteratively or on a schedule, "keep going until X", "run this in a loop", "do this every night / every 5 min", a self-improving eval, a maintenance sweep (docs/tests/logs/changelog/cleanup), a ticket-to-PR pipeline, an adversarial review loop, a champion/challenger optimization, or asks "what loop fits this". Also use to AUTHOR a new loop from the shared anatomy. Pull the right template, adapt the placeholders, wire it via /loop (interval/self-paced) or /schedule (cron cloud). NOT for one-off tasks with no repetition or stopping bar.

audit-lens

Code review & QA

Domain-parameterized codebase audit: assess a codebase through ONE chosen lens (API design, CLI ergonomics, data integrity, general code quality — or a broad multi-domain sweep) and return ranked, verified, located findings each with a concrete fix. For domains that have a dedicated specialist (security → security-sweep, performance → hotspot-scout, UX/a11y → ux-scan, bugs → bug-zero, copy/slop → unslop) it ROUTES instead of redoing the work. Use when "audit this", "assess the code quality", "review the API design", "CLI ergonomics pass", "data-model review", "pre-launch audit", "full audit across the board", or when project-autopilot / forge / ship-it dispatch "audit-lens (domain: X)".

beadsmith

Workflow & tooling

Plan-to-graph converter: take an EXISTING agreed plan (planning-workflow doc, advisor-council synthesis, hand-written markdown) and forge it into a clean, dependency-ordered br bead graph — every bead self-contained, every edge real, bv-clean, validated and polished in plan-space before any code is written. Use when "turn this plan into beads", "plan to beads", "beadify this", "create the task graph from the plan", "convert the markdown plan", or when kickstart / project-autopilot / ux-maximizer need their plan→tracked-work stage.

bug-sweep

Code review & QA

Systematic audit→fix→rescan over a code surface to find MANY bugs, not one reproduced bug — walk the same surface through seven lenses (logic, boundaries, error handling, state/lifecycle, data integrity, concurrency-adjacent, API misuse), one lens per pass, dedupe the candidates, verify each is real before touching anything, fix the survivors no-slop under a green ratchet with a regression test each, then re-sweep until consecutive sweeps come up dry. Use when "sweep this for bugs", "find all the bugs in this module", "deep bug pass", "comb through this", "audit this surface for defects", or when bug-zero routes its systematic audit→fix→rescan class here.

bug-zero

Code review & QA

Drive a codebase's bugs to zero, exhaustively, by orchestrating every bug-finding skill you own — then verifying each finding is real before fixing, fixing under a green ratchet with a regression test per fix, confirming the fix by running it, and rescanning until the sweeps come up dry. Use when "find and fix all the bugs", "harden this", "pre-release bug pass", "make this bulletproof", post-incident cleanup, or taming an inherited messy codebase.

deepen

Analysis & planning

Multi-pass engine: iteratively apply any named skill or slash command over a target with progressive deepening — each pass builds on the prior pass's log, every pass's findings get FIXED (under the green ratchet) before the next pass fires, and the loop stops on saturation, not at an arbitrary count or at zero. Use when "apply N times", "keep running it until it stops finding things", "multi-pass", "grind this skill over the project", "another pass", or when ux-maximizer / project-autopilot route counted refinement passes here.

design-intel

UI / UX

Design intelligence for NEW UI surfaces: pick a named visual direction (style, palette, type pairing, layout system, component patterns, charts) and emit an actionable token-level design spec a builder can implement — taste as a system, not generic defaults. Use when "design this dashboard/page/screen", "what should this look like", "pick a palette", "choose the fonts", "design direction", "make it feel like Stripe/Linear", building a new surface from scratch, or when ux-maximizer / project-autopilot route design-intelligence passes here.

dueling-idea-forge

Ideation

Multi-model adversarial ideation: two different-lineage models (Fable + Codex by default) each run idea-forge independently, then score each other's ideas 0–1000, see how they were scored, and fight it out — the orchestrator synthesizes consensus winners / contested / killed, and consensus winners become br beads via idea-forge. Use when "dueling ideas", "adversarial brainstorm", "cross-model idea duel", "have two models argue about what to build", or when single-model ideation keeps producing plausible ideas you don't quite trust.

forge

Ideation

The one-handle lifecycle conductor: take a bare idea OR a project at any stage and carry it all the way to shipped, by detecting where it is and driving the right skill at the right time — kickstart (0→1) → project-autopilot (1→done, which itself routes to bug-zero/perf-max/ux-maximizer) → ship-it (out the door). Pauses at every judgment gate. Use when "take this idea all the way", "build and ship this", "run the whole lifecycle", or you don't want to think about which skill to reach for.

hotspot-scout

Performance

Profile a system under its REAL workload and emit a SCORED, ranked hotspot list — hot paths by CPU, memory, I/O, and lock/contention, each with measured evidence (flamegraph / sampler / timing), p95/p99 where latency matters, and a headroom estimate. Measures and ranks; never optimizes. Use when "profile this", "why is it slow", "find the bottleneck", "where's the time going", "rank the hot paths", "flamegraph", "p95 is bad", or when perf-max / project-autopilot need their profiling stage.

idea-forge

Ideation

Ideation engine: ground in the project's reality, diverge to ~30 candidate improvements, winnow ruthlessly to a ranked shortlist, then operationalize the winners into a self-documenting br bead graph — refined over multiple plan-space passes before a line of code is written. Use when "what should we build next", "brainstorm improvements", "ideation pass", "fill the backlog", "turn ideas into beads", or when forge/kickstart/project-autopilot need their ideation stage.

kickstart

Shipping & release

Take a project from a general idea to a working, intent-aligned scaffold — by ideating the LEANEST elegant way to build it (not the most maximal), standing up a walking skeleton that runs end-to-end first, then filling out only what the intent needs via selective idea-wizarding of the forks that actually matter, and handing off to project-autopilot once a green baseline + bead backlog exist. Use when "start a new project", "build this from scratch", "greenfield", "scaffold this idea", "0 to 1".

optimize-proof

Performance

Execution half of the performance two-step: take a profiler-SCORED hotspot list and convert the top targets into measured, behavior-proven speedups — one target at a time, proof harness written before the optimization, before/after measured on the real workload, green ratchet on every change, algorithmic wins before micro-tuning, stop when the next hotspot isn't worth the complexity. Use when "optimize this hotspot", "grind the hotspot list", "make this faster without breaking it", or when perf-max / project-autopilot hand over "scored hotspot list ready to optimize".

perf-max

Performance

Maximize a project's performance, exhaustively, by orchestrating profiling + optimization skills — always optimizing a profiler-scored hotspot (never by vibe), proving each change keeps behavior identical under a green ratchet, measuring the actual speedup, and re-profiling until the wins dry up. Use when "make it fast", "optimize this", "it's slow", "reduce latency/p95", "improve throughput", or a late-stage performance pass before shipping.

polish-pass

UI / UX

Iterative visual elevation of a UI that already works and looks decent — per pass, tighten the details that separate "fine" from "premium": spacing rhythm, type hierarchy, contrast and interaction states, elevation, radii, motion, empty/loading/error states, density. Elevates the EXISTING design language toward Stripe/Linear-level craft; never a redesign. Use when "polish pass", "visual elevation", "tighten the UI", "make it feel premium", "it works but looks fine, not great", "Stripe-level", or when ux-maximizer's cascade or project-autopilot's "works but needs visual elevation" route lands here.

project-autopilot

Shipping & release

Autonomous project-pushing loop: extract the project's stated intention, diagnose gaps through relevant expert lenses, route each gap to the best installed skill, and execute in small green-verified batches until the intent is satisfied — queuing anything that needs Matt's judgment into a decision inbox instead of guessing. Use when "push this project along", "autopilot this", "take this to done", "run off to the races", or unattended improvement of a project already in motion.

reality-check

Analysis & planning

Hold a project's stated vision up against what's actually built and running, and report the gap without flattery: what works, what's claimed-but-broken, what's missing, what drifted — ending in an explicit SHIP-READY / NOT verdict. When a project has no intent doc at all, flips to INTENT EXTRACTION instead: reconstructs the project's goals from code, tests, beads, and commits into a confirmable intent statement. Use when "reality check", "where are we really", "does this actually work", "are we on track", "gap analysis", "what's missing", or when project-autopilot / ship-it / idea-forge need their assess, preflight, or intent-extraction step.

security-sweep

Code review & QA

Audit a SaaS app for the security classes that actually sink companies — payment/billing bypass, webhook integrity (signature + replay), auth gaps (authn/authz, session/JWT/cookie), row-level-security and multi-tenant data isolation, secrets exposure, and IDOR/broken access control — verifying each finding is real before reporting, ranking by blast radius, and shipping a concrete fix per finding. Use when "security audit", "billing security", "is this safe to ship", webhook/auth/RLS review, pre-launch hardening, or when bug-zero / ship-it / project-autopilot route the security class here.

ship-it

Shipping & release

Take a green project to a released, deployed artifact — by orchestrating the release skills you own to do ALL the reversible pre-flight perfectly (preflight gate, version bump, changelog, cross-platform build, checksums, installer verify, preview deploy, drafted release + store metadata) and then handing Matt the exact publish buttons. Use when "ship it", "cut a release", "prepare to launch", "tag a release", "deploy to production", "submit to the store", "publish".

unslop

Writing & docs

Line-level copy editor that strips the tells of AI-generated writing — filler openers, hype adjectives, empty tricolons, hedges, em-dash rhythm, false balance, restating conclusions, emoji-bullet decoration — while a meaning guard keeps every claim, number, and instruction intact. Covers docs AND the product surface (buttons, toasts, errors, empty states, onboarding), and can edit toward a specific voice instead of generic-neutral. Use when "this reads like AI", "de-slop this", "fix this copy", "make this sound human", "clean up the UI text", or when ux-scan / ux-maximizer / project-autopilot surface AI-slop tells in docs or UI copy.

ux-maximizer

UI / UX

Exhaustively maximize a project's UI/UX to premium, "wow-factor" quality. A staged successive-prompter: idea-wizard for a premium vision → implement the top ideas → a cascade of UX audits, UI polishes, and design-intel passes → repeat until the passes stop finding material improvements. Use when "make this premium", "wow factor", "maximize the UI/UX", "design pass", "make it world-class", or elevating a functional-but-plain app into something that makes users go wow.

ux-scan

UI / UX

Systematic UX evaluation of a UI: Nielsen's 10 usability heuristics + accessibility (contrast, keyboard nav, focus order, ARIA, screen-reader labels, touch targets) + interaction/flow problems, emitted as a ranked list of located, fix-ready findings. Use when "review the UI", "is this usable", "usability check", "accessibility audit", "a11y pass", "find the UX problems", "heuristic evaluation", pre-launch UX review, or when ux-maximizer / deepen / project-autopilot need their UX-evaluation stage.

Install the whole pack

One download. 23 skills available in every Claude Code project. Read the catalog for free — buy once to install.

Get matt-skills — $79