Claude Code plugin. 39 expert-level skills for building, shipping, and scaling production software. 33 audit tools (security, pentest, code quality, bundle size, SEO + AI Readiness check) close the loop before deploy.
Built by Kaileskkhumar, solo founder of houseofmvps.com
1 dependency (htmlparser2) · 180 tests · Node.js ESM · MIT
```bash
# Claude Code plugin
claude plugin marketplace add Houseofmvps/ultraship
claude plugin install ultraship
# Or standalone via npx
npx ultraship ship .
npx ultraship seo .
npx ultraship security .
```

```mermaid
flowchart LR
U["You type a<br/>slash command"] --> S["Skill<br/>(markdown instructions)"]
S --> A["Agent<br/>(dispatched worker)"]
S --> T["Tools<br/>(Node.js scripts)"]
A --> T
T --> O["JSON Results"]
O --> R["Scorecard / Report /<br/>Actionable Fixes"]
style U fill:#f59e0b,stroke:#d97706,color:#000
style S fill:#8b5cf6,stroke:#7c3aed,color:#fff
style A fill:#3b82f6,stroke:#2563eb,color:#fff
style T fill:#10b981,stroke:#059669,color:#000
style R fill:#ef4444,stroke:#dc2626,color:#fff
```
```mermaid
flowchart TD
subgraph Lifecycle["Full Lifecycle Coverage"]
direction LR
I["Idea<br/>/brainstorm"] --> B["Build<br/>/sprint"]
B --> AU["Audit<br/>/ship /seo /secure"]
AU --> D["Ship<br/>/deploy"]
D --> L["Launch<br/>/launch /compete"]
L --> G["Grow<br/>/grow /cost"]
G --> RE["Rescue<br/>/rescue /canary"]
end
style I fill:#8b5cf6,stroke:#7c3aed,color:#fff
style B fill:#3b82f6,stroke:#2563eb,color:#fff
style AU fill:#f59e0b,stroke:#d97706,color:#000
style D fill:#10b981,stroke:#059669,color:#000
style L fill:#06b6d4,stroke:#0891b2,color:#000
style G fill:#84cc16,stroke:#65a30d,color:#000
style RE fill:#ef4444,stroke:#dc2626,color:#fff
```
/ship runs 5 tools in parallel and outputs a scorecard:
```mermaid
flowchart LR
SHIP["/ship"] --> SEO["seo-scanner<br/>63 rules"]
SHIP --> SEC["secret-scanner<br/>+ npm audit"]
SHIP --> CODE["code-profiler<br/>N+1, leaks, ReDoS"]
SHIP --> BUNDLE["bundle-tracker<br/>JS/CSS/images"]
SHIP --> ENV["env-validator<br/>+ migration-checker"]
SEO --> SC["Scorecard<br/>READY TO SHIP"]
SEC --> SC
CODE --> SC
BUNDLE --> SC
ENV --> SC
style SHIP fill:#f59e0b,stroke:#d97706,color:#000
style SC fill:#10b981,stroke:#059669,color:#000
style SEO fill:#3b82f6,stroke:#2563eb,color:#fff
style SEC fill:#3b82f6,stroke:#2563eb,color:#fff
style CODE fill:#3b82f6,stroke:#2563eb,color:#fff
style BUNDLE fill:#3b82f6,stroke:#2563eb,color:#fff
style ENV fill:#3b82f6,stroke:#2563eb,color:#fff
```
```
+===========================================+
|       U L T R A S H I P   S C O R E       |
+===========================================+
|  SEO + AI Vis.   92/100   ############-   |
|  Security        95/100   ############-   |
|  Code Quality    88/100   ###########--   |
|  Bundle Size     97/100   ############-   |
+===========================================+
|  OVERALL         90/100                   |
|  STATUS          READY TO SHIP            |
+===========================================+
```
Each tool is a standalone Node.js script (node tools/<name>.mjs). JSON output. Exit 0 always. No build step.

| Tool | What it checks |
|---|---|
| seo-scanner | 63 rules: 39 SEO (meta tags, canonicals, headings, OG tags, structured data, sitemap, cross-page duplicate/orphan detection), 20 GEO (AI bot access in robots.txt, snippet restrictions, llms.txt, structured data for AI extraction), 4 AEO (FAQPage/HowTo/speakable schema) |
| secret-scanner | AWS keys, Stripe keys, JWT secrets, database URLs, private keys. Redacts values in output. |
| code-profiler | N+1 queries, sync I/O in handlers, unbounded queries, missing indexes, memory leaks, sequential awaits, ReDoS risk |
| bundle-tracker | JS/CSS/image sizes in build output. Detects heavy deps (moment→dayjs, lodash→native). History for before/after. Monorepo-aware. |
| dep-doctor | Unused dependencies via import graph analysis (not just grep). Dead wrapper files. Outdated packages. |
| content-scorer | Flesch-Kincaid readability, keyword density, thin content detection, GEO heading analysis |
| lighthouse-runner | Lighthouse via headless Chrome. Core Web Vitals, render-blocking resources, diagnostics. |

| Tool | What it checks |
|---|---|
| health-check | HTTP status, response time, SSL certificate (issuer, expiry), 6 security headers |
| env-validator | Compares .env.example against actual .env. Catches missing/empty/placeholder vars. |
| migration-checker | Pending DB migrations for Drizzle, Prisma, Knex |
| og-validator | Open Graph tags, image reachability, size validation |
| redirect-checker | Redirect chains, loops, mixed HTTP/HTTPS. Sitemap-based bulk check. |
| api-smoke-test | Hit API endpoints, check status codes, response times, CORS headers |

| Tool | What it creates |
|---|---|
| sitemap-generator | sitemap.xml from HTML files and routes |
| robots-generator | AI-friendly robots.txt (allows GPTBot, PerplexityBot, ClaudeBot) |
| llms-txt-generator | llms.txt for AI assistant discoverability |
| structured-data-generator | JSON-LD schema markup |

| Tool | What it does |
|---|---|
| compete-analyzer | Compares two URLs: tech stack, SEO score, security headers, response time. ASCII comparison card. |
| launch-prep | Reads project, generates PH/Twitter/LinkedIn/HN copy, 14-item checklist, press kit |
| demo-prep | Finds console.logs, TODOs, placeholder text, missing favicons. Scores demo readiness. |

| Tool | What it does |
|---|---|
| incident-commander | Health check + git culprit analysis + error patterns + rollback commands + post-mortem template |
| growth-tracker | Uptime, git velocity, SEO trajectory, dep health. Stores snapshots for week-over-week comparison. |
| cost-tracker | Log AI token usage per feature/model. Built-in pricing for Claude, GPT-4o, Gemini. Daily trends. |
| pentest-scanner | Automated penetration testing: XSS, SQLi, SSTI, command injection, path traversal, CORS, JWT, GraphQL introspection, prototype pollution, race conditions, request smuggling. Zero false positives, every finding has proof-of-concept. |
| canary-monitor | Post-deploy canary monitoring: HTTP status, response time, error patterns, baseline regression detection. Auto-saves baselines for future comparison. |
| retro-analyzer | Sprint retrospective: git velocity, commit patterns (features vs fixes), test health, hot files, shipping cadence. Generates insights and recommendations. |
| learnings-manager | Project learnings CRUD: save, search, list, prune, export. Structured knowledge that compounds across sessions. |

| Tool | What it does |
|---|---|
| onboard-generator | Auto-generates developer guide: stack, directory tree, routes, schema, env vars, Mermaid diagram |
| architecture-mapper | 4 Mermaid diagrams: system overview, route tree, DB ER, data flow. Circular dependency + orphan detection. |
| pattern-analyzer | Analyzes testing, error handling, TypeScript usage, CI/CD, git practices. Cross-repo comparison. |
| audit-history | Saves/compares audit scores over time |

| Tool | What it does |
|---|---|
| gsc-client | Google Search Console: submit sitemaps, inspect URLs, query rankings (requires ULTRASHIP_GSC_CREDENTIALS) |
| bing-webmaster | Bing Webmaster: submit sitemaps/URLs, IndexNow instant push, keyword research, backlinks, site-scan, URL inspection (requires ULTRASHIP_BING_KEY). Powers ChatGPT Search + Microsoft Copilot. |
| ga4-client | Google Analytics 4: overview, top-pages, landing-pages, traffic-sources, conversions, user-journey, devices, realtime, ai-traffic (ChatGPT/Perplexity/Copilot tracking), organic (search-only). --organic flag. |
| keyword-intelligence | 12-command keyword engine: analyze, quick-wins, cannibalization, content-gaps, intent-map, trending, high-intent, page-keywords, content-decay, difficulty, anomalies (CTR anomalies), cross-reference (GSC↔GA4). --brand flag for non-brand filtering. |
| index-doctor | Index diagnosis: inspect URLs via GSC URL Inspection API, diagnose 15+ coverage states, auto-fix and submit to Bing. |

Slash commands available inside Claude Code after installing the plugin:

| Command | Description |
|---|---|
| /sprint | Sprint workflow. Structured pipeline from plan → build → test → review → ship → verify |
| /investigate | Root cause investigation. Structured debugging with module freeze, no fixes without evidence |
| /learn | Project learnings. Save, search, prune, export knowledge that compounds across sessions |
| /guard | Safety guardrails. Blocks destructive commands, optionally restricts edits to a directory |
| /retro | Sprint retrospective. Git velocity, commit patterns, test health, shipping cadence |
| /canary | Post-deploy canary. Verify production health, detect regressions after deployment |
| /pentest | Penetration testing. Hack-test your app (web, API, browser, GitHub, local code) |
| /ship | Pre-deploy scorecard. Runs 5 tools, scores 4 categories |
| /seo | SEO audit (63 rules) + AI visibility checks (bot access, snippet restrictions, schema) |
| /secure | Secret scanning + OWASP patterns + npm audit |
| /perf | Lighthouse + bundle size |
| /deploy | Env check → migration check → build → deploy → health check |
| /review | Code review with confidence-scored findings |
| /health | Production health check |
| /compete | Compare your site vs a competitor |
| /launch | Generate launch copy + checklist + press kit |
| /rescue | Incident diagnostics + rollback commands |
| /grow | Growth metrics over time |
| /cost | AI build cost tracking |
| /onboard | Generate developer onboarding guide |
| /architecture | Generate Mermaid architecture diagrams |
| /clone-patterns | Analyze any repo's patterns, compare to yours |
| /demo | Find dev artifacts, score demo readiness |
| /visual-diff | Before/after screenshot comparison (via Playwright MCP) |
| /content | Readability + keyword density analysis |
| /bundle | Bundle size tracking |
| /profile | Static analysis for backend anti-patterns |
| /deps | Unused/outdated dependency detection |
| /redirects | Redirect chain/loop detection |
| /release | Changelog + version bump + GitHub release + npm publish |
| /revise-claude-md | Update CLAUDE.md with session learnings |
| /brainstorm | Structured ideation → spec document |
| /write-plan | Implementation plan from spec |
| /execute-plan | Execute plan step by step |

Skills are markdown instruction files that shape Claude's behavior during your session. They activate based on context. When you're debugging, Claude uses the debugging skill. When you're building UI, it uses the frontend design skill.
Workflow (19): brainstorming, planning, TDD, implementation, code review, debugging, refactoring, frontend design, API design, data modeling, git workflow, deploy pipeline, release, CLAUDE.md management, verification, browser testing, sprint pipeline, investigation, learnings management
Specialist (8): SEO + AI visibility audit, security audit, penetration testing, performance audit, content quality, code profiling, parallel agent dispatching, safety guardrails
Growth & Intelligence (12): competitive analysis, launch prep, incident response, growth tracking, cost tracking, onboarding, architecture mapping, pattern analysis, demo readiness, visual regression, canary monitoring, sprint retrospective
Agents are dispatched by skills to run audits in parallel:
code-reviewer · seo-auditor · security-auditor · pentest-auditor · perf-auditor · browser-verifier · compete-analyzer · launch-auditor · incident-responder · growth-tracker · canary-monitor
| Server | Purpose |
|---|---|
| Context7 | Live library documentation. Fetches current docs for any framework/library. |
| Playwright | Browser automation. Navigate, screenshot, fill forms, test deployed pages. |
Both lazy-start on first use. No background processes.
Ultraship skills chain into a structured sprint pipeline. Each phase produces artifacts that feed the next.
```mermaid
flowchart LR
P["/write-plan<br/>Plan"] --> B["/execute-plan<br/>Build"]
B --> T["TDD<br/>Test"]
T --> R["/review + /secure<br/>Review"]
R --> S["/ship + /deploy<br/>Ship"]
S --> V["/canary<br/>Verify"]
V --> RE["/retro + /learn<br/>Reflect"]
style P fill:#8b5cf6,stroke:#7c3aed,color:#fff
style B fill:#3b82f6,stroke:#2563eb,color:#fff
style T fill:#06b6d4,stroke:#0891b2,color:#000
style R fill:#f59e0b,stroke:#d97706,color:#000
style S fill:#10b981,stroke:#059669,color:#000
style V fill:#84cc16,stroke:#65a30d,color:#000
style RE fill:#ec4899,stroke:#db2777,color:#fff
```

| Phase | Skill | Output |
|---|---|---|
| Plan | /write-plan | Implementation plan with file map and test strategy |
| Build | /execute-plan | Working code on a feature branch |
| Test | TDD skill | Passing test suite |
| Review | /review + /secure | Review report, security scan |
| Ship | /ship + /deploy | Scorecard + production deploy |
| Verify | /canary | Post-deploy health verification |
| Reflect | /retro + /learn | Retrospective + saved learnings |

Run /sprint to follow the full pipeline, or run individual phases as needed.
/guard activates PreToolUse hooks that block destructive commands before they execute:
```mermaid
flowchart LR
CMD["Claude runs<br/>a command"] --> HOOK["PreToolUse<br/>Hook"]
HOOK --> CHECK{"Destructive?"}
CHECK -->|"rm -rf, DROP TABLE,<br/>git push --force,<br/>kubectl delete..."| BLOCK["BLOCKED"]
CHECK -->|Safe| ALLOW["Allowed"]
style HOOK fill:#f59e0b,stroke:#d97706,color:#000
style BLOCK fill:#ef4444,stroke:#dc2626,color:#fff
style ALLOW fill:#10b981,stroke:#059669,color:#000
```
- `rm -rf`, `DROP TABLE`, `TRUNCATE` (data destruction)
- `git push --force`, `git reset --hard` (git history destruction)
- `git clean -f`, `git checkout .` (working directory destruction)
- `kubectl delete`, `docker system prune` (infrastructure destruction)

Optional directory freeze restricts all file edits to a specific path. Explicitly confirmed actions always proceed.
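
A sketch of how a guard can classify commands into the four categories listed above. This is an added example, not Ultraship's hook code; the function names and the token-based matching are assumptions made for illustration.

```javascript
// Added example: classify a command the way a PreToolUse guard might.
// Matching logic is an assumption for illustration, not Ultraship's hook code.

// Expand bundled short flags (-fr -> -f, -r) and keep long flags (--force).
function flagsOf(args) {
  const flags = new Set();
  for (const a of args) {
    if (a.startsWith("--")) flags.add(a.split("=")[0]);
    else if (/^-[A-Za-z]+$/.test(a)) for (const c of a.slice(1)) flags.add("-" + c);
  }
  return flags;
}

function classifySegment(segment) {
  // SQL keywords can sit anywhere in the line, e.g. inside a psql -c argument.
  if (/\b(drop\s+table|truncate)\b/i.test(segment)) return "data destruction";
  const argv = segment.trim().split(/\s+/);
  while (argv[0] === "sudo") argv.shift();
  const [cmd, sub, ...rest] = argv;
  const flags = flagsOf(argv.slice(1));
  const has = (...names) => names.some((n) => flags.has(n));
  if (cmd === "rm" && has("-r", "-R", "--recursive") && has("-f", "--force")) {
    return "data destruction";
  }
  if (cmd === "git") {
    if (sub === "push" && has("-f", "--force")) return "git history destruction";
    if (sub === "reset" && has("--hard")) return "git history destruction";
    if (sub === "clean" && has("-f", "--force")) return "working directory destruction";
    if (sub === "checkout" && rest.includes(".")) return "working directory destruction";
  }
  if (cmd === "kubectl" && sub === "delete") return "infrastructure destruction";
  if (cmd === "docker" && sub === "system" && rest[0] === "prune") {
    return "infrastructure destruction";
  }
  return null;
}

// Check each part of a chained command line (&&, ||, ;, |) on its own.
function classifyCommand(command) {
  for (const seg of command.split(/&&|\|\||[;|\n]/)) {
    const verdict = classifySegment(seg);
    if (verdict) return verdict;
  }
  return null; // nothing matched: allow
}
```

Matching on tokens is best-effort, so a guard like this works as one layer next to scoped credentials and backups.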
Ultraship enforces a memory-first rule at session start. The SessionStart hook detects if you have a MEMORY.md file and instructs Claude to read it before performing any task. Context persists across sessions. No more repeating yourself about project state, deploy status, or decisions already made.
- If `MEMORY.md` is found: Claude reads memory files before doing anything
- If not found: Claude suggests setting up auto-memory for persistent context

No configuration needed. Just install the plugin.
```mermaid
flowchart TD
subgraph Data["Data Sources (optional API keys)"]
GSC["Google Search Console<br/>Index status, rankings"]
GA4["Google Analytics 4<br/>Traffic, AI referrals"]
BING["Bing Webmaster<br/>Crawl, IndexNow, backlinks"]
end
subgraph Analysis["Intelligence Layer"]
KW["keyword-intelligence<br/>12 commands"]
IDX["index-doctor<br/>Diagnose + fix"]
SCAN["seo-scanner<br/>63 rules"]
end
subgraph Output["Outputs"]
STR["/seo-strategy<br/>90-day ranking plan"]
FIX["/index-fix<br/>Auto-submit fixes"]
SCORE["/seo<br/>SEO + GEO + AEO score"]
end
GSC --> KW
GSC --> IDX
GA4 --> KW
BING --> IDX
SCAN --> SCORE
KW --> STR
IDX --> FIX
style GSC fill:#4285f4,stroke:#3367d6,color:#fff
style GA4 fill:#e37400,stroke:#c56200,color:#fff
style BING fill:#00809d,stroke:#006680,color:#fff
style KW fill:#8b5cf6,stroke:#7c3aed,color:#fff
style IDX fill:#8b5cf6,stroke:#7c3aed,color:#fff
style SCAN fill:#8b5cf6,stroke:#7c3aed,color:#fff
style STR fill:#10b981,stroke:#059669,color:#000
style FIX fill:#10b981,stroke:#059669,color:#000
style SCORE fill:#10b981,stroke:#059669,color:#000
```
The SEO scanner checks 63 rules across three layers:
- SEO (39 rules): meta tags, canonicals, heading hierarchy, alt text, OG tags, sitemap, robots.txt, structured data, analytics detection, cross-page duplicate titles/descriptions, orphan page detection, canonical conflicts, thin content, internal linking
- GEO (20 rules): AI search visibility signals. Does `robots.txt` block GPTBot/PerplexityBot/ClaudeBot? Do `nosnippet`/`max-snippet` directives restrict AI citation eligibility? Is there `llms.txt` for AI discovery? Does structured data exist for AI extraction? These are verifiable technical signals, not ranking factor guesses.
- AEO (4 rules): answer engine schema checks. FAQPage, HowTo, speakable, Article/BlogPosting. These are the structured data types that enable featured snippets and voice results. We check presence, not SERP performance.

Beyond the scanner, Ultraship connects to real APIs: GSC URL Inspection (actual index status), GA4 (actual AI referral traffic from ChatGPT/Perplexity/Copilot), Bing Webmaster (crawl status, IndexNow). Data-driven analysis, not estimates.
/ship results on SaveMRR (Hono + React + Drizzle pnpm monorepo, 5 packages, 41 routes):

| | Backend + Dashboard | Landing (29 pages) |
|---|---|---|
| SEO + AI Visibility | 63 | 52 |
| Security | 100 | 100 |
| Code Quality | 70 | 67 |
| Bundle Size | 100 | 92 |
| Overall | 83 | 78 |
227 findings: 1 N+1 query, 33 unused deps (dead shadcn/ui wrappers via import graph), 153 SEO issues, 1 memory leak, 1 heavy dep.
All tools use execFileSync with array args (no shell interpolation). HTTP tools import tools/lib/security.mjs for SSRF protection (blocks private IPs, cloud metadata, non-HTTP schemes). 10MB file read cap. 5MB response cap. Secret values redacted in output. Zero telemetry.
See SECURITY.md.
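
The three SSRF checks named above (private IPs, cloud metadata, non-HTTP schemes) can be sketched as a hostname-level pre-check. This is an added example, not the contents of tools/lib/security.mjs; the function names, the blocked-name list and the address ranges are assumptions.

```javascript
// Added example: hostname-level SSRF pre-check. Not Ultraship's security.mjs.
const BLOCKED_NAMES = new Set(["localhost", "metadata.google.internal"]);

// [network, prefix bits]: "this" network, RFC 1918, CGNAT, loopback,
// and link-local (which contains the 169.254.169.254 metadata address).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some((x) => x > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function isBlockedV4(n) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === v4ToInt(net);
  });
}

function isBlockedV6(addr) {
  if (addr === "::" || addr === "::1") return true; // unspecified, loopback
  // The WHATWG URL parser serializes ::ffff:127.0.0.1 as ::ffff:7f00:1.
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (m) return isBlockedV4(((parseInt(m[1], 16) << 16) | parseInt(m[2], 16)) >>> 0);
  const first = parseInt(addr.split(":")[0], 16);
  // fc00::/7 unique-local, fe80::/10 link-local
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
}

const deny = (reason) => ({ allowed: false, reason });

function checkUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return deny("unparseable URL"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") return deny("non-HTTP scheme");
  // new URL() has already normalized decimal/hex IPv4 forms to dotted quad.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (BLOCKED_NAMES.has(host) || host.endsWith(".localhost")) return deny("internal hostname");
  if (host.startsWith("[")) {
    if (isBlockedV6(host.slice(1, -1))) return deny("private IPv6 address");
  } else {
    const n = v4ToInt(host);
    if (n !== null && isBlockedV4(n)) return deny("private IPv4 address");
  }
  return { allowed: true, reason: "ok" };
}
```

A check on the URL string says nothing about where a public hostname resolves, so the resolved address and every redirect target need the same range test before the request is sent.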
```mermaid
flowchart TD
subgraph Plugin["ultraship plugin"]
MANIFEST[".claude-plugin/<br/>plugin.json"]
HOOKS["hooks/<br/>SessionStart + Guard"]
subgraph Core["Core Loop"]
SKILLS["skills/<br/>42 markdown files"]
AGENTS["agents/<br/>12 agent definitions"]
COMMANDS["commands/<br/>36 slash commands"]
end
subgraph Runtime["Runtime"]
TOOLS["tools/<br/>36 Node.js ESM scripts"]
LIB["tools/lib/<br/>security.mjs, monorepo.mjs"]
end
end
subgraph External["External (optional)"]
MCP1["Context7 MCP<br/>Live docs"]
MCP2["Playwright MCP<br/>Browser automation"]
GSC2["GSC / GA4 / Bing<br/>APIs"]
end
COMMANDS --> SKILLS
SKILLS --> AGENTS
SKILLS --> TOOLS
AGENTS --> TOOLS
TOOLS --> LIB
TOOLS --> GSC2
SKILLS --> MCP1
SKILLS --> MCP2
style MANIFEST fill:#6b7280,stroke:#4b5563,color:#fff
style HOOKS fill:#f59e0b,stroke:#d97706,color:#000
style SKILLS fill:#8b5cf6,stroke:#7c3aed,color:#fff
style AGENTS fill:#3b82f6,stroke:#2563eb,color:#fff
style COMMANDS fill:#06b6d4,stroke:#0891b2,color:#000
style TOOLS fill:#10b981,stroke:#059669,color:#000
style LIB fill:#059669,stroke:#047857,color:#fff
style MCP1 fill:#6b7280,stroke:#4b5563,color:#fff
style MCP2 fill:#6b7280,stroke:#4b5563,color:#fff
style GSC2 fill:#6b7280,stroke:#4b5563,color:#fff
```
- Node.js ESM (`type: module`)
- 1 dependency: `htmlparser2` (SAX HTML parser, ~30KB)
- Tools output JSON to stdout, exit 0 on success and failure (errors in JSON)
- Skills reference tools via `${CLAUDE_PLUGIN_ROOT}/tools/<name>.mjs`
- No build step. No native bindings. No `node-gyp`.

```bash
git clone https://github.com/Houseofmvps/ultraship.git
cd ultraship
npm test                  # 180 tests, node:test
node tools/<tool>.mjs     # Run any tool directly
```

Open an issue or submit a PR.

MIT
