
Hey guys, Mr. Technology here. After my hundredth time pasting "review this diff for race conditions, security smells, and missing tests" into Claude Code, I made a .claude/commands/ folder and never looked back.
Claude Code loads slash commands from .claude/commands/<name>.md. The filename becomes the command. The file body becomes the prompt. Frontmatter configures the model and the tool allowlist. That is the entire architecture.
```
.claude/commands/
├── review-pr.md        # /review-pr
├── commit.md           # /commit
└── security-check.md   # /security-check
```
One folder, three files, zero Python, zero MCP server.
/review-pr

```markdown
---
description: Review the current diff like a senior engineer
model: claude-sonnet-4-5
allowed-tools: Read, Grep, Bash(git diff*)
---
You are reviewing a pull request. Be terse.

1. Read the staged and unstaged diff with `git diff HEAD`.
2. Flag race conditions, missing error handling, and any secret-looking string.
3. Output as a numbered list of **risks**, then a single **ship/no-ship** verdict on the last line.

Do not write code. Do not edit files.
```
Type /review-pr. Claude Code reads the diff, fires the prompt, and you get something like:
```
1. Hardcoded DB password in src/db/seed.ts:14
2. Missing await on line 42 of the webhook handler
3. Race in cache invalidation between workers 2 and 3
ship/no-ship: NO
```
/security-check <path> with Arguments

Anything after the command name becomes $ARGUMENTS. Use it.
```markdown
---
description: Hunt for secret leaks and unsafe patterns in a path
model: claude-sonnet-4-5
allowed-tools: Read, Grep
---
Scan $ARGUMENTS for:
- API keys, tokens, or passwords in source (regex: `(?i)(api[_-]?key|secret|token).*['"][a-zA-Z0-9]{20,}`)
- `eval`, `exec`, or `subprocess` calls with untrusted input
- Hardcoded URLs pointing to internal staging

For each hit, print `file:line`, the matched line, and a one-line fix. End with a count.
```

/security-check src/payments/ returns a grep-grade audit in four seconds. Same prompt, every project, no copy-paste.
CLAUDE.md runs on every message. Slash commands run on demand. The split keeps your always-on context small (cheap, fast) and lets you ship heavyweight prompts only when you actually want them. A 2,000-token CLAUDE.md plus twelve 200-token commands is much cheaper than one 4,000-token always-on system prompt.
- review pr.md becomes /review pr and the shell splits on the space. Kebab-case or you suffer.
- model: not "model":. Quotes are usually optional.
- **allowed-tools is an allowlist, not a blocklist.** Omit it and Claude Code defaults to every tool, which is fine on your laptop and terrifying in CI. Always scope.
- ~/.claude/commands/ instead of .claude/commands/ for ones you want in every repo. Same format, same frontmatter.
- /review pr-strict will not pull in /review-pr. Compose prompts inside a single file instead.

Fifteen minutes to set up, saves me about thirty minutes a day. The /review-pr, /commit, and /security-check trio covers 80 percent of what I actually do in Claude Code. Add yours. Iterate. Treat your commands folder like a real toolchain, not a scratchpad.
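The gotchas above (kebab-case filenames, unquoted frontmatter keys, always scoping allowed-tools) can be enforced in CI before a command file is merged. This is an added example, not part of Claude Code or the original post: `lint_command` and `lint_dir` are hypothetical helper names, the frontmatter parsing is a simplified line-based reading of the format shown here, and flagging a bare `Bash` entry is an assumed policy.

```python
import re
import sys
from pathlib import Path

KEBAB = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*\.md$")
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)

def lint_command(filename, text):
    """Return a list of findings for one command file (empty list = clean)."""
    findings = []
    if not KEBAB.match(filename):
        findings.append("filename is not kebab-case")
    m = FRONTMATTER.match(text.replace("\r\n", "\n"))
    if not m:
        return findings + ["no frontmatter, so no allowed-tools allowlist"]
    keys = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip()[:1] in ('"', "'"):
            findings.append(f"quoted frontmatter key {key.strip()}")
        keys[key.strip().strip("\"'")] = value.strip()
    tools = keys.get("allowed-tools", "")
    if not tools:
        findings.append("allowed-tools missing or empty")
    # Split on commas outside parentheses so Bash(git diff*) stays one entry.
    for tool in re.findall(r"[^,(]+(?:\([^)]*\))?", tools):
        if tool.strip() == "Bash":  # assumed policy: shell access needs a pattern
            findings.append("Bash allowed without a command pattern")
    return findings

def lint_dir(root=".claude/commands"):
    """Lint every *.md under root; return {filename: findings} for failures only."""
    results = {}
    for path in sorted(Path(root).glob("*.md")):
        found = lint_command(path.name, path.read_text(encoding="utf-8"))
        if found:
            results[path.name] = found
    return results

# Constructed sample files, modelled on the frontmatter shown in the post.
SCOPED = "---\nmodel: claude-sonnet-4-5\nallowed-tools: Read, Grep, Bash(git diff*)\n---\nReview the diff.\n"
UNSCOPED = '---\n"model": claude-sonnet-4-5\nallowed-tools: Read, Bash\n---\nReview the diff.\n'

if __name__ == "__main__":
    failures = lint_dir()
    for name, found in failures.items():
        print(f"{name}: {'; '.join(found)}")
    sys.exit(1 if failures else 0)
```

Run from the repository root, it exits non-zero when any command file has a finding, so it can gate a CI job.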
What do you think? Drop your thoughts in the comments below!