Skip to content

Skills

Tierward ships 26 audit skills: executable multi-step programs that run inside Claude Code. Each skill is a structured workflow with model routing (Haiku for mechanical checks, Sonnet for analysis).

Skills are conditionally installed based on your project flags (hasApi, hasDatabase, hasFrontend, hasDesignSystem). Run npx tierward doctor to see which skills are installed and active.

Install individual skills

bash
npx tierward add skill security-audit
npx tierward add skill arch-audit

Universal skills (Tier S, M, L)

Available in all tiers above Discovery.

SkillPurpose
/arch-auditGovernance files vs Anthropic docs. Auto-fixes deprecations.
/security-auditAuth, input validation, RLS, CVE scan. 3-path: WEB / NATIVE / HYBRID. MCP-aware (v1.20+): queries mcp-nvd for live CVE data with local fallback.
/perf-auditBundle size, serial awaits, query efficiency. 8-stack patterns.
/skill-devCoupling, duplication, dead code, debt-density. Step 3b (v1.22+): hotspot priority via churn × debt; top-10 ranked by 4-quadrant matrix.
/simplifyEarly returns, nesting, dead code. Applies changes directly.
/commitConventional Commits: auto-detects type, scope, description.
/skill-securitySecurity scan for Claude Code skills using SkillSpector: prompt injection, data exfiltration, MCP tool poisoning, supply chain. 64-pattern scanner.
/systematic-debuggingRoot-cause investigation before any fix. STOP gate between hypothesis and fix: the hypothesis must be written and verified against evidence before touching code.

Team skills (Tier M, L)

Enabled when you upgrade to Tier M or above.

SkillPurpose
/api-designURL naming, HTTP verbs, response envelope, pagination.
/skill-dbSchema normalization, indexes, N+1 queries, RLS.
/migration-auditStack-aware migration safety: data loss, rollback, lock-heavy DDL. Prisma / Drizzle / Supabase / SQL.
/visual-auditTypography, spacing, hierarchy, dark mode, micro-polish.
/ux-auditISO 9241-11, Nielsen heuristics, user confidence.
/responsive-auditLayout at 320–1024px, tap targets, WCAG.
/ui-auditDesign token compliance, component adoption, empty states.
/accessibility-auditaxe-core WCAG 2.2, APCA contrast, static a11y (aria, tabindex, focus, labels).
/test-auditCoverage (lcov / Istanbul / Cobertura / go / tarpaulin / xcresult), pyramid shape, anti-patterns.
/doc-auditDoc drift: link resolution, code-block syntax, Tierward placeholder residuals, slash-command name match, ADR freshness.
/api-contract-auditOpenAPI contract drift, breaking-change detection, Richardson Maturity L0–L3 scoring. Auto-gen for FastAPI / NestJS / Express / Next.js / Django REST.
/infra-auditSecurity across GitHub Actions, Dockerfile, K8s, Terraform, GitLab CI. Stack-agnostic.
/compliance-auditGDPR profile: data-subject rights, consent, PII identification, encryption-at-rest, retention, sub-processors. SOC 2 / HIPAA scaffolded.
/dependency-auditOutdated package audit: Tier A (safe batch) / B (non-core major) / C (core/breaking-risk). MCP-aware (v1.20+): queries package-registry-mcp.
/pr-reviewAutonomous local PR review via gh CLI. Posts findings as PR comments. --deep escalates to Opus for sensitive changes.
/skill-reviewQuality review pipeline for skill portfolios. Spec compliance, cross-tier coherence, behavioral fixtures.
/dependency-scanPipeline-integrated (Phase 1): returns the full file list (routes, components, shared types, DB tables) fed into the Phase 1 STOP gate.

Tier L only

SkillPurpose
/context-reviewPipeline-integrated (Phase 8.5): recompacts CLAUDE.md and detects context drift after block closure.

Custom skills

Create project-specific skills that Tierward preserves across upgrade and init:

.claude/skills/custom-deploy/SKILL.md
.claude/skills/custom-db-seed/SKILL.md

The custom- prefix tells Tierward never to overwrite, prune, or modify the skill during any operation. See the Custom Skills Guide for the full frontmatter reference.

Released under the MIT License.