In my first article, I built SKILLmama: an AI skill that finds, scores, and ranks the best library for your exact stack.
In my second article, I added a security gate — because a high score means nothing if the tool is dangerous.
Both of those workflows had the same assumption baked in: you already know what you're looking for.
You type /skillmama find me a job queue for Node.js and it searches, scores, and returns ranked picks. That's great when you have a specific gap in mind.
But most of the time, you don't. You're deep in building something and you haven't stopped to ask: do I have auth? do I have observability? do I have a queue? You find out the hard way — when a feature ships without rate limiting, or when something breaks and there's no error tracking.
So I flipped the workflow. In v1.3, /skillmama with no arguments scans your project first and asks what to find.
The Old Flow vs. The New Flow
Before (Flow A — still exists):
/skillmama find me an auth library for Next.js
↓
scan project for stack context
↓
search → score → recommend
Now (Flow B — triggered when no capability is given):
/skillmama
↓
deep scan: reads package files, config, source structure
↓
gap analysis: what's missing for this type of project?
↓
ask 3 questions — STOP and wait for your answer
↓
you pick a gap → search → score → recommend
Both flows converge at the same search and scoring pipeline. Flow B just adds the scan and Q&A in front.
What the Scan Actually Does
When you run /skillmama with no arguments, it reads:
- Package files (
package.json,pyproject.toml,go.mod, etc.) - Config and infra (
Dockerfile,docker-compose.yml,.env.example,vercel.json,fly.toml) -
README.mdandCLAUDE.md - Source file structure (file listing, not full reads)
- 2–4 representative source files — the entry point, a route handler, a model
From that, it builds a Stack Profile:
Language: TypeScript
Framework: Next.js 14
Database: Postgres via Prisma
Auth: none detected
Caching: none detected
AI/LLM: OpenAI SDK
Queue/Jobs: none detected
Search: none detected
Storage: none detected
Email: none detected
Payments: none detected
Observability: none detected
Testing: Vitest
Gap Analysis: Not Everything Missing Is a Problem
Once the Stack Profile is built, SKILLmama doesn't just flag every empty row as a gap. It looks at what the project is actually doing and assigns severity:
- High — typical for this type of app, likely needed soon
- Medium — useful but not urgent
- Low — speculative / nice-to-have
For a Next.js app with OpenAI already wired up, the output might look like this:
## SKILLmama — Project Scan
Stack detected: TypeScript / Next.js 14 / Postgres / OpenAI / no auth
Capability gaps found:
| # | Gap | Severity | Why it matters for your stack |
|---|------------------|----------|------------------------------------------------------------|
| 1 | Authentication | High | No auth detected — any route is publicly accessible |
| 2 | Rate limiting | High | OpenAI calls with no rate limiting = unbounded cost risk |
| 3 | Observability | Medium | No error tracking — you'll find out about failures late |
| 4 | Email sending | Medium | Common for Next.js apps with user accounts |
| 5 | Vector/RAG layer | Low | OpenAI is present but no vector store — may be intentional |
A few quick questions before I search:
1. Which gap(s) would you like me to find options for?
2. Any constraints? (self-hosted, open-source, must have MCP support, etc.)
3. Anything I missed about your project or plans?
Then it stops. It does not proceed until you reply.
Why the Hard Stop Matters
The first version of this flow I sketched out just picked the highest-severity gap automatically and ran with it. That was wrong for two reasons:
1. Severity is relative to intent. A High gap for a consumer SaaS is a Low gap for an internal tool. The scanner doesn't know which one you're building — you do.
2. You might want to address multiple gaps in order. If you reply "1 and 2", SKILLmama runs the full search and scoring pipeline once per gap and presents each as its own results block. You get ranked picks for auth and rate limiting in one session, not just the first one.
The hard stop is what makes Flow B collaborative rather than presumptuous.
After You Answer
Once you reply — say "1 and 3, open-source preferred" — SKILLmama sets:
-
capability= Authentication, Observability -
constraints= open-source preferred
And jumps straight to Phase 2 (deriving search terms). It skips Phase 0 and Phase 1 entirely — the stack is already known from the scan, so there's nothing left to parse.
From there, the same pipeline runs as always:
Phase 2 — derive search terms
Phase 3 — 5-tier search (GitHub → MCP → npm/PyPI → Templates)
Phase 3.5 — security gate (libraries)
Phase 3.6 — companion skills search
Phase 3.7 — security gate (skills)
Phase 4 — score each candidate
Phase 5 — present results
For the auth gap on a Next.js + Postgres stack, that produces something like:
Scoring all candidates against TypeScript / Next.js 14 / Postgres:
| Candidate | Compat | Pop | Maint | Simple | Score |
|-------------|--------|-----|-------|--------|----------|
| NextAuth.js | 10 | 9 | 9 | 9 | **9.55** |
| Lucia | 9 | 7 | 10 | 8 | **8.75** |
| Clerk | 8 | 8 | 10 | 10 | **8.90** |
#1 — NextAuth.js · Score: 9.55/10
The de facto auth layer for Next.js — first-party adapter, zero config for most providers.
- Compatibility: 10/10 — built for Next.js, Prisma adapter available
- Popularity: 9/10 — 22k stars, 800k npm downloads/week
- Maintenance: 9/10 — committed 1 week ago
- Simplicity: 9/10 — provider config only, Prisma adapter is one import
- Security: PASS
- Install: npm install next-auth
What Changed in the Adapters
Flow B is live across all four adapters:
| Adapter | How to trigger Flow B |
|---|---|
| Claude Code |
/skillmama (no args) |
| Claude.ai |
/skillmama (no args) |
| OpenAI Codex | "scan my project and tell me what I need" |
| Antigravity | "scan my project and tell me what I need" |
Install
Any agent (via skills CLI):
npx skills add Magithar/SKILLmama
Claude Code:
cp .claude/commands/skillmama.md /your-project/.claude/commands/skillmama.md
Then /skillmama in any Claude Code session — no arguments needed.
Claude.ai: Upload the pre-built skillmama.zip from the repo under Customize → Skills.
OpenAI Codex: Place codex/AGENTS.md in your repo root.
Antigravity: Load antigravity/PROMPT.md as system prompt.
The Repo
Apache 2.0. If you used v1.0, v1.1, or v1.2 — pull the latest. The only new behavior is what happens when you run /skillmama with nothing after it.
Found a gap category that should be in the scanner? Open an issue — the list is meant to grow with real project types.
Top comments (1)
Having the AI ask first is underrated because it changes the contract from answer-generation to ambiguity-reduction. The best agents I have used spend a little time shrinking the unknowns before they touch code.