What Are Claude Code Custom Skills?
Claude Code supports custom skills: reusable instruction sets you define once in a SKILL.md file and invoke with /command-name. They live in your project's .claude/skills/ directory and are loaded automatically.
```
.claude/
└── skills/
    ├── code-review/
    │   └── SKILL.md        ← /code-review logic goes here
    └── secret-scanner/
        └── SKILL.md        ← /secret-scanner logic goes here
```
Instead of typing the same 20-line prompt every time you want a code review, you write it once in SKILL.md and run /code-review src/api/ forever after.
Building a Code Review Skill from Scratch
SKILL.md Structure
```markdown
# skill-name — one-line description
## Overview
What this skill does
## Trigger Conditions
When to call this skill
## Steps
1. Step 1
2. Step 2
## Output Format
What the output looks like
```
Example: /code-review Skill
Here's a complete 5-axis code review skill (design, readability, performance, security, testability):
.claude/skills/code-review/SKILL.md:
```markdown
# code-review — 5-Axis Code Review Skill
## Overview
Review code across 5 axes: design, readability, performance, security, testability.
Output severity-classified findings with fix examples.
## Trigger Conditions
- User says "code review", "review this", "check my code"
- User explicitly calls /code-review
## Steps
### 1. Scope
Target: file path / directory / git diff. Default: current directory.
### 2. Five-Axis Check
#### Axis 1: Design (SRP, OCP, DI)
- Single Responsibility violations (class doing too much)
- Hardcoded dependencies (should use injection)
- Tight coupling between components
#### Axis 2: Readability
- Cryptic variable names (a, b, tmp, x1)
- Functions over 50 lines
- Nesting deeper than 4 levels
- Magic numbers/strings
#### Axis 3: Performance
- N+1 query patterns (DB calls inside loops)
- Redundant computation inside loops
- Unnecessary full-table scans
- Memory leaks (unremoved event listeners)
#### Axis 4: Security (Quick Check)
- Missing input validation
- SQL injection via string concatenation
- Hardcoded credentials/API keys
#### Axis 5: Testability
- Global state dependencies
- Hard-to-mock external calls
- No clear dependency injection points
### 3. Output Format
## Code Review Report
Date: <datetime>
Scope: <target>
### Overall Score: <A/B/C/D/F>
| Axis | Grade | Issues |
|------|-------|--------|
| Design | B | 2 |
| Readability | C | 4 |
| Performance | A | 0 |
| Security | D | 1 |
| Testability | B | 1 |
---
### [CRITICAL] Axis 4 - Security: Hardcoded API Key
**File**: src/config.py:15
**Code**: API_KEY = "sk-ant-api03-xxxx"
**Risk**: Committed to git history, so deleting the line does not remove it; anyone with read access to the repository can use the key.
**Fix**: API_KEY = os.environ["ANTHROPIC_API_KEY"], then rotate the leaked key.
---
### [HIGH] Axis 3 - Performance: N+1 Query
**File**: src/users.py:42
**Code**: for user in users: db.query(f"WHERE id={user.id}")
**Also**: Axis 4 - the id is spliced into the SQL text (SQL injection via string concatenation); the fix must pass it as a bound parameter.
**Fix**: SELECT u.*, p.* FROM users u LEFT JOIN posts p ON u.id=p.user_id
## Important Notes
- Read actual code with Read/Grep before reporting — no guessing
- Exclude test files and mock code from pattern matches
- Prioritize: CRITICAL (fix now) > HIGH (this week) > MEDIUM (next sprint) > LOW (refactor later)
```
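The N+1 finding in the report above is also a security finding: the id is interpolated into the SQL text, which is exactly the Axis 4 "SQL injection via string concatenation" pattern. The following added example (not part of the skill or the original post) puts the flagged loop next to the single parameterized JOIN, using an in-memory sqlite3 database with constructed data. It counts statements through sqlite3's trace hook to show N queries versus 1, and feeds the string `1 OR 1=1` to both versions to show that only the spliced one is injectable.

```python
"""The N+1 loop from the report, next to the single parameterized JOIN.
Added example, not code from the post; uses sqlite3 with constructed data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: three users, two of whom have posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT);
        INSERT INTO users VALUES (1, 'ann'), (2, 'bob'), (3, 'cy');
        INSERT INTO posts VALUES (1, 1, 'a1'), (2, 1, 'a2'), (3, 2, 'b1');
    """)
    return conn


class QueryCounter:
    """Counts statements the connection actually runs (sqlite3 trace hook)."""

    def __init__(self, conn: sqlite3.Connection):
        self.count = 0
        conn.set_trace_callback(self._on_statement)

    def _on_statement(self, _sql: str) -> None:
        self.count += 1

    def reset(self) -> None:
        self.count = 0


def posts_by_user_naive(conn, user_ids):
    """Flagged pattern: one query per user AND the id spliced into the SQL text.
    Both Axis 3 (N+1) and Axis 4 (SQL injection via string concatenation)."""
    result = {}
    for uid in user_ids:
        rows = conn.execute(
            f"SELECT title FROM posts WHERE user_id={uid} ORDER BY id").fetchall()
        result[uid] = [r[0] for r in rows]
    return result


def posts_by_user_joined(conn, user_ids):
    """Fix for both: one LEFT JOIN, ids passed as bound parameters.
    The f-string only builds the '?,?,?' list; no caller data enters the SQL."""
    placeholders = ",".join("?" * len(user_ids))
    sql = (
        "SELECT u.id, p.title FROM users u "
        "LEFT JOIN posts p ON u.id = p.user_id "
        f"WHERE u.id IN ({placeholders}) ORDER BY u.id, p.id"
    )
    result = {uid: [] for uid in user_ids}
    for uid, title in conn.execute(sql, list(user_ids)):
        if title is not None:  # LEFT JOIN yields a NULL title for users without posts
            result[uid].append(title)
    return result


if __name__ == "__main__":
    db = make_db()
    counter = QueryCounter(db)
    posts_by_user_naive(db, [1, 2, 3])
    print("naive statements:", counter.count)      # one per user
    counter.reset()
    posts_by_user_joined(db, [1, 2, 3])
    print("joined statements:", counter.count)     # exactly one
    print("naive with '1 OR 1=1':", posts_by_user_naive(db, ["1 OR 1=1"]))
    print("joined with '1 OR 1=1':", posts_by_user_joined(db, ["1 OR 1=1"]))
```

With bound parameters the string `1 OR 1=1` is compared as a value against the integer id column and matches nothing; in the spliced version it becomes part of the WHERE clause and returns every post. That is why a review skill should report this line under both axes, not only as a performance issue.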
Running It
```
/code-review src/api/
/code-review --diff     # Review only git diff HEAD~1
```
Sample output:
```markdown
## Code Review Report
Scope: src/api/users.py
### Overall Score: C
| Axis | Grade | Issues |
|------|-------|--------|
| Design | B | 1 |
| Readability | C | 3 |
| Performance | D | 1 |
| Security | A | 0 |
| Testability | B | 1 |
### [HIGH] Axis 3 - Performance: N+1 Query
File: src/api/users.py:45
...
```
Three Tips for Writing Effective Skills
1. Mandate Code Reading
```markdown
## Important Notes
- Read actual code with Read/Grep tools before reporting
- No guessing. Only report what you confirmed in the file.
```
Without this, Claude may generate plausible-sounding but fabricated findings.
2. Define Output Format Precisely
Specify tables, code blocks, severity labels. The more specific the format, the more consistent the output.
3. List Multiple Trigger Conditions
```markdown
## Trigger Conditions
- User says "security", "vulnerability", "audit"
- /security-audit explicitly called
- PR review requires security perspective
```
Natural language triggers mean users don't need to memorize commands.
A More Advanced Skill: /secret-scanner
Detects leaked API keys with false-positive filtering:
```markdown
# secret-scanner — Secret Leakage Detection
## Steps
### 1. Pattern Scan
Search these patterns with Grep:
- AWS: AKIA[0-9A-Z]{16}
- GitHub: ghp_[a-zA-Z0-9]{36}
- Anthropic: sk-ant-api\d{2}-[a-zA-Z0-9_-]{86}
- Stripe: sk_(live|test)_[a-zA-Z0-9]{24}
- JWT: eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+
### 2. False Positive Filter
Exclude:
- Test files (*.test.*, spec*, fixture*)
- Placeholder strings (YOUR_KEY_HERE, REPLACE_ME, example)
Downgrade, do not exclude:
- Comment lines (#, //): a commented-out key is still a valid credential, so report it at lower severity
### 3. Entropy Analysis
Calculate Shannon entropy of remaining candidates.
Low entropy (< 3.5 bit/char) = likely placeholder, exclude.
### 4. Output
Report CRITICAL findings. Warn that the value remains in git history (deleting the line does not remove it, so the credential must be rotated) and give env var migration steps.
```
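Steps 1 to 4 above, carried through in Python as an added example; this is not the page's skill file and not a shipped tool. The regexes and the 3.5 bit/char threshold are the ones in the skill text. SAMPLE_FILES is constructed input that exercises each filter: the AWS documentation placeholder key, a low-entropy key, a key inside a test file, a commented-out token, and two live-looking values. One deliberate design choice: a commented-out key is still a usable credential, so the example reports it at HIGH instead of dropping it.

```python
"""Reference implementation of the /secret-scanner steps: regex candidates,
false-positive filter, Shannon entropy check, severity-tagged report.
Added example; not the page's skill file. SAMPLE_FILES is constructed data."""
import math
import re

# Step 1: the patterns listed in the skill, compiled once.
PATTERNS = {
    "AWS": re.compile(r"AKIA[0-9A-Z]{16}"),
    "GitHub": re.compile(r"ghp_[a-zA-Z0-9]{36}"),
    "Anthropic": re.compile(r"sk-ant-api\d{2}-[a-zA-Z0-9_-]{86}"),
    "Stripe": re.compile(r"sk_(live|test)_[a-zA-Z0-9]{24}"),
    "JWT": re.compile(r"eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+"),
}
# Step 2: exclusions from the skill (matched case-insensitively).
PLACEHOLDER_WORDS = ("your_key_here", "replace_me", "example")
TEST_PATH = re.compile(r"\.test\.|(^|/)spec|fixture", re.IGNORECASE)
# Step 3: threshold from the skill, in bits per character.
ENTROPY_FLOOR = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution of s, in bits/char."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_comment(line: str) -> bool:
    stripped = line.lstrip()
    return stripped.startswith("#") or stripped.startswith("//")


def mask(secret: str) -> str:
    """The report must not re-leak the value: keep a short prefix only."""
    return f"{secret[:8]}...({len(secret)} chars)"


def scan(files: dict) -> list:
    """files maps path -> file text. Returns findings, CRITICAL first."""
    findings = []
    for path, text in files.items():
        if TEST_PATH.search(path):
            continue  # step 2: test files and fixtures are skipped wholesale
        for lineno, line in enumerate(text.splitlines(), 1):
            lowered = line.lower()
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    candidate = m.group(0)
                    if any(w in lowered for w in PLACEHOLDER_WORDS):
                        continue  # step 2: placeholder word on the same line
                    if shannon_entropy(candidate) < ENTROPY_FLOOR:
                        continue  # step 3: e.g. AKIA followed by sixteen A's
                    # Design choice in this example: a commented-out key is
                    # still a valid credential, so it is reported at HIGH
                    # instead of being excluded.
                    severity = "HIGH" if is_comment(line) else "CRITICAL"
                    findings.append({"severity": severity, "kind": kind,
                                     "path": path, "line": lineno,
                                     "value": mask(candidate)})
    rank = {"CRITICAL": 0, "HIGH": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["path"], f["line"]))
    return findings


def report(findings: list) -> str:
    """Step 4: markdown in the skill's finding style, with the rotation warning."""
    if not findings:
        return "No secrets found."
    lines = []
    for f in findings:
        lines.append(f"### [{f['severity']}] {f['kind']} key in {f['path']}:{f['line']}")
        lines.append(f"**Value**: {f['value']}")
        lines.append("**Risk**: the value is in git history; deleting the line "
                     "does not remove it. Rotate the credential first.")
        lines.append("**Fix**: read it from an environment variable "
                     "(os.environ[...]) and never commit the value.")
    return "\n".join(lines)


# Constructed sample input (not a real repository). Line 1 is the AWS
# documentation placeholder, line 2 is low entropy, line 3 is a realistic-
# looking key, line 4 is commented out, line 5 is an unsigned JWT.
SAMPLE_FILES = {
    "src/config.py": "\n".join([
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'AWS_BACKUP_KEY = "' + "AKIA" + "A" * 16 + '"',
        'AWS_REAL_KEY = "AKIAJ4X7QZ2R9T3V8BWL"',
        "# old token: ghp_Q9xZ2mK7vL4pR8tW3nB6yC1dF5hJ0gS2aE4u",
        'SESSION = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0"',
    ]),
    "tests/auth.test.js": 'const key = "sk_live_ABCDEFGHIJKLMNOPQRSTUVWX";',
}

if __name__ == "__main__":
    print(report(scan(SAMPLE_FILES)))
```

On the sample input the scanner reports the realistic AWS key and the JWT as CRITICAL and the commented-out GitHub token as HIGH; the placeholder, the low-entropy key and the test-file key are filtered out. Note that the report masks every value: a scanner that prints the full secret into a PR comment or a chat transcript has just leaked it a second time.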
Summary
Building Claude Code custom skills is simple:
- Create .claude/skills/<skill-name>/SKILL.md
- Write explicit step-by-step instructions
- Define exact output format with examples
- Add "read actual code" guardrails
Skills are reusable and shareable across projects. Build once, use everywhere.
I've packaged a Code Review Pack (3 skills: code-review, refactor-suggest, test-gen) and a Security Pack (3 skills: security-audit, secret-scanner, deps-check) for immediate use.
👉 Available at note.com/myougatheaxo