Claude Skills
Ship without surprises.
Your AI QA engineer that actually tests everything. Most QA tools give you a checklist and wish you luck. This one opens your app, clicks every button, queries your database, reads your source code, and writes a report your developer can act on - in a single pass.
What it does
Three audit layers. One pass.
Drop a test spec or just point it at your app. The skill runs three audit layers simultaneously.
Codebase
Greps your source for dead code, naming violations, security holes, and mismatched UI strings. If your spec says a toast should read "Invite sent to Sarah" and the code says "Invite sent to user", it catches that.
Browser
Opens your live app, navigates every screen, clicks buttons, opens menus, checks tooltips, triggers toasts, and inspects the DOM. Not screenshots-and-hope - actual element verification. Console errors after every single page load.
Database
Queries your schema to confirm columns exist, old ones are dropped, no orphaned records linger, and deprecated values are gone. The kind of checks that silently break production at 2am.
What makes it different
No "could not reproduce." Every check is PASS or FAIL.
It creates its own test data.
Need to verify an empty state message? It creates a dummy record, confirms the empty state shows correctly, deletes the record, and proves the deletion. No gaps. No "I couldn't test this because the data wasn't there."
It works where you work.
Runs in Claude Code with Playwright and your local dev server. Runs in Cowork with Claude in Chrome against your live site. Same skill, same thoroughness, different environment.
It tells your developer exactly what to fix.
Not "there's a bug in the toast system." Instead: deliverables-section.tsx:189 - change "Content generated" to "Content generated for ${name}." Copy, paste, done.
It thinks like a pentester.
Tries to access other clients' data by URL manipulation. Injects <script>alert(1)</script> into every text field. Checks if your service role key leaked to the client bundle. The security audit isn't a checkbox - it's an actual attack simulation.
How it works
One command. One report.
Give it a spec with acceptance criteria and it tests every single one. Or skip the spec entirely:
It falls back to a general audit: auth, security, console errors, empty states, data integrity, responsive layout, and code hygiene. Thirty-plus checks, zero configuration.
# Output
QA-AUDIT-REPORT-2026-04-05.md
# Executive summary, pass/fail table, P0/P1/P2 fixes, security audit, verdict
Built for a real stack
Next.js + Supabase + Vercel
Optimized for the stack that half the indie web runs on. It knows where your auth guards live, how Sonner's Toaster lazy-mounts, and that your Supabase service role key should never touch a client bundle.
Not on this stack? The codebase analysis, browser testing, and security audit still work. The DB queries just need a Supabase project connected.
Who it's for
Solo founders who ship fast and need a safety net. Small teams that can't afford a dedicated QA hire. Agencies that hand off to clients and need proof it works. Anyone who's ever pushed to production and immediately thought "wait, did I check - "
Yes. It checked.
Download skill (.zip)