Claude Code lets you define custom slash commands — type /debug, /code-review, or /plan and Claude runs a predefined workflow. Anthropic has merged the earlier .claude/commands/ flat-file format and the newer .claude/skills/ directory format into one system, so a slash command is a skill. You define the workflow once, install it, and reuse it across every project.
Custom commands and skills are now the same feature. A file at .claude/commands/deploy.md and a directory at .claude/skills/deploy/SKILL.md both register /deploy and behave identically. Your existing .claude/commands/ files keep working. The skill directory form adds optional features (supporting files, per-skill tool permissions, automatic invocation by Claude) and is the recommended format for anything non-trivial.
Claude Code checks four scopes, higher-priority scopes winning when names overlap:
~/.claude/skills/<name>/SKILL.md or the legacy ~/.claude/commands/<name>.md, available in every project. Anthropic's docs call this scope "Personal"; older guides may call it "User" — they refer to the same location..claude/skills/<name>/SKILL.md or .claude/commands/<name>.md inside the repo, committed with your team<plugin>/skills/<name>/SKILL.md, namespaced as plugin-name:skill-name so plugin skills cannot collide with the restPrecedence runs enterprise > personal > project. If a skill and a legacy command share a name at the same scope, the skill wins. Adding, editing, or removing a skill inside a watched directory takes effect during the current session without restarting; creating a brand-new top-level skills directory requires a Claude Code restart so the filesystem watcher can pick it up.
The skill directory form is the recommended shape. Create the directory and a SKILL.md inside it — the directory name becomes the command:
mkdir -p ~/.claude/skills/code-review
$EDITOR ~/.claude/skills/code-review/SKILL.mdThen put this inside SKILL.md:
---
name: code-review
description: Review staged changes for security issues, bugs, and quality problems.
---
Review the current code changes for:
**Security (check first)**
- SQL injection, XSS, CSRF, path traversal
- Hardcoded secrets or API keys
- Improper input validation
**Correctness**
- Logic errors and edge cases not handled
- Null/undefined handling gaps
- Async misuse or race conditions
**Quality**
- Functions doing more than one thing
- Misleading variable or function names
Output format:
🔴 CRITICAL — [issue] at [file:line] — [fix]
🟡 WARNING — [issue] at [file:line] — [fix]
🔵 NOTE — [suggestion]
End with: APPROVE / APPROVE WITH FIXES / BLOCKNow type /code-review in any Claude Code session and Claude runs this exact workflow.
The directory name becomes the slash command for the skill format; the filename does the same job for the legacy .claude/commands/*.md form. A name: frontmatter field is optional — when present it overrides the directory or filename.
Before you write your own, check the bundled ones. Claude Code ships a set of bundled skills in every session — /debug, /simplify, /batch, /loop, and /claude-api among others. These behave like custom skills but are maintained by Anthropic. Type / in Claude Code to see what's already available before creating one with the same name, and see the commands reference for the full list.
All frontmatter is optional, but a good description: is what lets Claude decide to invoke a skill automatically when it matches your request. Fields worth knowing:
description: — one or two sentences covering what the skill does and when to use itwhen_to_use: — extra trigger phrases or example requests; appended to description in the skill listing so Claude matches the skill to your wordingdisable-model-invocation: true — only you can invoke; Claude never auto-triggers it (use for /deploy, /commit, anything with side effects)user-invocable: false — hide the skill from the / menu (useful for background knowledge like legacy-system-context). Menu visibility only — it does not block programmatic invocation via the Skill tool. To actually restrict Claude from loading a skill, use disable-model-invocation: true or a Skill(name) deny rule in your /permissions settings.allowed-tools: — list of tools (e.g. Bash(git commit *)) that don't need per-use approval while the skill is activeargument-hint: — hint shown during autocomplete (e.g. [issue-number])context: fork — run the skill inside a subagent with its own isolated contextagent: — which subagent type to use when context: fork is set (e.g. Explore, Plan, general-purpose, or a custom type from .claude/agents/)model: and effort: — override the session model and reasoning effort for this skill onlypaths: — glob patterns that auto-load the skill when you're working on matching filesThe allowed-tools list composes with your settings.json permissions: tools you pre-approve here are granted only while the skill is active. Everything else still goes through your active permission settings across all four scopes — managed, personal (~/.claude/settings.json), project (.claude/settings.json), and local (.claude/settings.local.json) — following Claude Code's precedence rules (managed wins, then CLI args, then local, then project, then personal).
If you prefer the shorter .claude/commands/<name>.md form, it still works and supports the same frontmatter fields — no directory or SKILL.md needed. Skills just give you a folder for supporting files and a few extra features.
Security audit + quality check before every commit. Outputs prioritized findings with severity ratings and specific fixes.
Scientific-method debugging: form hypothesis → identify evidence → propose targeted fix. Stops Claude from trying random solutions.
Forces Claude to produce a step-by-step implementation plan before writing any code. Essential for any change touching 3+ files.
Generates tests using Testing Trophy methodology — mostly integration tests, no implementation-detail assertions, real mocking strategy.
Cleans up code with zero behavior change. Explicit constraints prevent Claude from accidentally changing logic while "improving" code.
OWASP Top 10 audit of a specific endpoint or file — auth, data exposure, injection, business logic flaws.
Reviews what changed, classifies the commit type, writes a conventional commit message, and stages specific files (never git add -A blindly).
Explains code, errors, or architecture at the right depth — brief for simple questions, structured for complex systems.
Designs a full REST API contract (methods, paths, request/response schemas, error codes) before writing any implementation.
Pre-PR checklist covering code quality, tests, security, documentation, and scope. Pass/fail per item with explanations.
Vague instructions get vague results. If you want a bulleted list of findings with severity ratings, describe exactly that format in the skill body.
A /refactor skill that doesn't say "zero behavior change" will have Claude accidentally changing logic. Constraints are as important as instructions.
A /review-and-fix skill that both reviews and applies fixes is harder to control than /code-review followed by targeted edits. Single responsibility applies to skills too.
A slash command is a reusable workflow you invoke by typing a forward slash followed by its name. Anthropic merged slash commands and skills into a single system, so a file at .claude/commands/deploy.md and a directory at .claude/skills/deploy/SKILL.md both register /deploy and behave the same way. The skill directory form is recommended because it supports supporting files, per-skill tool permissions, and optional automatic invocation by Claude.
Claude Code looks in four scopes: enterprise-managed paths, personal-level at ~/.claude/skills/<name>/SKILL.md (also ~/.claude/commands/<name>.md for the legacy flat-file form), project-level at .claude/skills/<name>/SKILL.md inside the repo, and plugin-scoped paths. Enterprise beats personal beats project; plugin skills use a plugin-name:skill-name namespace so they cannot collide. If a skill and a legacy command share a name, the skill wins.
Yes — anything under ~/.claude/skills/ or ~/.claude/commands/ is available in every Claude Code session on your machine. Adding, editing, or removing a skill inside a watched directory takes effect live. Creating a new top-level skills directory that did not exist when the session started requires restarting Claude Code so the filesystem watcher can pick it up.
Clear instructions for the task, explicit constraints (what NOT to do), and a specified output format. Vague bodies produce vague output; specific bodies produce consistent, reusable workflows. For skills in the directory form, move long reference material into sibling files and link to them from SKILL.md so they load only when needed.
Yes. A slash command is just context for Claude. If your project has MCP servers connected or PostToolUse hooks configured, Claude uses them while executing the skill body. The skill frontmatter also supports an allowed-tools field so Claude can run specific tools (like Bash(git commit *)) without per-use approval when the skill is active.
The Claude Code Starter Kit includes all 10 slash command templates above, plus 5 CLAUDE.md project templates, a hooks cookbook, settings profiles, and 20 power prompts — free download.
Download free →Using GitHub Copilot? Copilot's closest equivalent to slash commands is reusable .prompt.md prompt files — see the Copilot Customization Starter Kit for 5 ready-made prompt files (code review, debug, refactor, write-tests, security-check).
Saved you time? Tip the maker in BTC — no account, no signup, just paste.
bc1qs04leape97ner4wqa98n94l9n0gv9aa84eg4ux
Hand-built single-file games, quizzes, and visualizers — no signup, no tracking, no cost.