← Back to Payloads
Tutorial2026-07-03

Stop Re-Typing Your Best Prompts: Custom Slash Commands in Claude Code in 30 Lines

Every Claude Code session I open starts with the same four prompts: review the diff, write a commit message, hunt for secrets, and explain the failing test. Custom slash commands turn those into single keystrokes. Here is the directory structure, two real command files, and the three gotchas that will save you an hour.
Quick Access
Install command
$ mrt install tutorial
Browse related skills
Stop Re-Typing Your Best Prompts: Custom Slash Commands in Claude Code in 30 Lines

Hey guys, Mr. Technology here. After my hundredth time pasting "review this diff for race conditions, security smells, and missing tests" into Claude Code, I made a .claude/commands/ folder and never looked back.

The Pattern

Claude Code loads slash commands from .claude/commands/<name>.md. The filename becomes the command. The file body becomes the prompt. Frontmatter configures the model and the tool allowlist. That is the entire architecture.

.claude/commands/
├── review-pr.md      # /review-pr
├── commit.md         # /commit
└── security-check.md # /security-check

One folder, three files, zero Python, zero MCP server.

Example 1: /review-pr

markdown
---
description: Review the current diff like a senior engineer
model: claude-sonnet-4-5
allowed-tools: Read, Grep, Bash(git diff*)
---
You are reviewing a pull request. Be terse.
1. Read the staged and unstaged diff with `git diff HEAD`.
2. Flag race conditions, missing error handling, and any secret-looking string.
3. Output as a numbered list of **risks**, then a single **ship/no-ship** verdict on the last line.
Do not write code. Do not edit files.

Type /review-pr. Claude Code reads the diff, fires the prompt, and you get something like:

1. Hardcoded DB password in src/db/seed.ts:14
2. Missing await on line 42 of the webhook handler
3. Race in cache invalidation between workers 2 and 3
ship/no-ship: NO

Example 2: /security-check <path> with Arguments

Anything after the command name becomes $ARGUMENTS. Use it.

markdown
---
description: Hunt for secret leaks and unsafe patterns in a path
model: claude-sonnet-4-5
allowed-tools: Read, Grep
---
Scan $ARGUMENTS for:
- API keys, tokens, or passwords in source (regex: `(?i)(api[_-]?key|secret|token).*['"][a-zA-Z0-9]{20,}`)
- `eval`, `exec`, or `subprocess` calls with untrusted input
- Hardcoded URLs pointing to internal staging
For each hit, print `file:line`, the matched line, and a one-line fix. End with a count.

/security-check src/payments/ returns a grep-grade audit in four seconds. Same prompt, every project, no copy-paste.

Why This Beats a Long CLAUDE.md

CLAUDE.md runs on every message. Slash commands run on demand. The split keeps your always-on context small (cheap, fast) and lets you ship heavyweight prompts only when you actually want them. A 2,000-token CLAUDE.md plus twelve 200-token commands is much cheaper than one 4,000-token always-on system prompt.

Gotchas

  • No spaces in filenames. review pr.md becomes /review pr and the shell splits on the space. Kebab-case or you suffer.
  • Frontmatter is YAML, not JSON. model: not "model":. Quotes are usually optional.
  • **allowed-tools is an allowlist, not a blocklist.** Omit it and Claude Code defaults to every tool, which is fine on your laptop and terrifying in CI. Always scope.
  • Project vs global scope. Drop commands in ~/.claude/commands/ instead of .claude/commands/ for ones you want in every repo. Same format, same frontmatter.
  • Commands do not nest. /review pr-strict will not pull in /review-pr. Compose prompts inside a single file instead.

Take

Fifteen minutes to set up, saves me about thirty minutes a day. The /review-pr, /commit, and /security-check trio covers 80 percent of what I actually do in Claude Code. Add yours. Iterate. Treat your commands folder like a real toolchain, not a scratchpad.

What do you think? Drop your thoughts in the comments below!

Related Dispatches