"ULTRASHIP" Claude Code plugin — 39 skills, 33 tools, 11 agents for ship-ready workflows: planning, review, pentesting, safety guardrails, canary monitoring, SEO/AI-readiness check, penetration testing, code review, competitive analysis, incident response. 1 dependency. 180 tests. MIT.

Claude Code plugin. 39 expert-level skills for building, shipping, and scaling production software. 33 audit tools (security, pentest, code quality, bundle size, SEO + AI Readiness check) close the loop before deploy.

Built by Kaileskkhumar, founder of HouseofMVPs and Kailxlabs

1 dependency (htmlparser2) · 180 tests · Node.js ESM · MIT

Install

# Claude Code plugin
claude plugin marketplace add Houseofmvps/ultraship
claude plugin install ultraship

# Or standalone via npx
npx ultraship ship .
npx ultraship seo .
npx ultraship security .

How It Works

flowchart LR
    U["You type a<br/>slash command"] --> S["Skill<br/>(markdown instructions)"]
    S --> A["Agent<br/>(dispatched worker)"]
    S --> T["Tools<br/>(Node.js scripts)"]
    A --> T
    T --> O["JSON Results"]
    O --> R["Scorecard / Report /<br/>Actionable Fixes"]

    style U fill:#f59e0b,stroke:#d97706,color:#000
    style S fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style A fill:#3b82f6,stroke:#2563eb,color:#fff
    style T fill:#10b981,stroke:#059669,color:#000
    style R fill:#ef4444,stroke:#dc2626,color:#fff

flowchart TD
    subgraph Lifecycle["Full Lifecycle Coverage"]
        direction LR
        I["Idea<br/>/brainstorm"] --> B["Build<br/>/sprint"]
        B --> AU["Audit<br/>/ship /seo /secure"]
        AU --> D["Ship<br/>/deploy"]
        D --> L["Launch<br/>/launch /compete"]
        L --> G["Grow<br/>/grow /cost"]
        G --> RE["Rescue<br/>/rescue /canary"]
    end

    style I fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style B fill:#3b82f6,stroke:#2563eb,color:#fff
    style AU fill:#f59e0b,stroke:#d97706,color:#000
    style D fill:#10b981,stroke:#059669,color:#000
    style L fill:#06b6d4,stroke:#0891b2,color:#000
    style G fill:#84cc16,stroke:#65a30d,color:#000
    style RE fill:#ef4444,stroke:#dc2626,color:#fff

What `/ship` Does

/ship runs 5 tools in parallel and outputs a scorecard:

flowchart LR
    SHIP["/ship"] --> SEO["seo-scanner<br/>63 rules"]
    SHIP --> SEC["secret-scanner<br/>+ npm audit"]
    SHIP --> CODE["code-profiler<br/>N+1, leaks, ReDoS"]
    SHIP --> BUNDLE["bundle-tracker<br/>JS/CSS/images"]
    SHIP --> ENV["env-validator<br/>+ migration-checker"]

    SEO --> SC["Scorecard<br/>READY TO SHIP"]
    SEC --> SC
    CODE --> SC
    BUNDLE --> SC
    ENV --> SC

    style SHIP fill:#f59e0b,stroke:#d97706,color:#000
    style SC fill:#10b981,stroke:#059669,color:#000
    style SEO fill:#3b82f6,stroke:#2563eb,color:#fff
    style SEC fill:#3b82f6,stroke:#2563eb,color:#fff
    style CODE fill:#3b82f6,stroke:#2563eb,color:#fff
    style BUNDLE fill:#3b82f6,stroke:#2563eb,color:#fff
    style ENV fill:#3b82f6,stroke:#2563eb,color:#fff

+===========================================+
|      U L T R A S H I P   S C O R E       |
+===========================================+
|  SEO + AI Vis.  92/100  ############-    |
|  Security        95/100  ############-    |
|  Code Quality    88/100  ###########--    |
|  Bundle Size     97/100  ############-    |
+===========================================+
|   OVERALL         90/100                  |
|   STATUS          READY TO SHIP           |
+===========================================+

Demo

Ultraship — SEO audit, secret scanning, scorecard

Tools (36)

Each tool is a standalone Node.js script (node tools/<name>.mjs). JSON output. Exit 0 always. No build step.

Auditing

Tool	What it checks
`seo-scanner`	63 rules: 39 SEO (meta tags, canonicals, headings, OG tags, structured data, sitemap, cross-page duplicate/orphan detection), 20 GEO (AI bot access in robots.txt, snippet restrictions, llms.txt, structured data for AI extraction), 4 AEO (FAQPage/HowTo/speakable schema)
`secret-scanner`	AWS keys, Stripe keys, JWT secrets, database URLs, private keys. Redacts values in output.
`code-profiler`	N+1 queries, sync I/O in handlers, unbounded queries, missing indexes, memory leaks, sequential awaits, ReDoS risk
`bundle-tracker`	JS/CSS/image sizes in build output. Detects heavy deps (`moment`→`dayjs`, `lodash`→native). History for before/after. Monorepo-aware.
`dep-doctor`	Unused dependencies via import graph analysis (not just grep). Dead wrapper files. Outdated packages.
`content-scorer`	Flesch-Kincaid readability, keyword density, thin content detection, GEO heading analysis
`lighthouse-runner`	Lighthouse via headless Chrome. Core Web Vitals, render-blocking resources, diagnostics.

Validation

Tool	What it checks
`health-check`	HTTP status, response time, SSL certificate (issuer, expiry), 6 security headers
`env-validator`	Compares `.env.example` against actual `.env`. Catches missing/empty/placeholder vars.
`migration-checker`	Pending DB migrations for Drizzle, Prisma, Knex
`og-validator`	Open Graph tags, image reachability, size validation
`redirect-checker`	Redirect chains, loops, mixed HTTP/HTTPS. Sitemap-based bulk check.
`api-smoke-test`	Hit API endpoints, check status codes, response times, CORS headers

Generators

Tool	What it creates
`sitemap-generator`	`sitemap.xml` from HTML files and routes
`robots-generator`	AI-friendly `robots.txt` (allows GPTBot, PerplexityBot, ClaudeBot)
`llms-txt-generator`	`llms.txt` for AI assistant discoverability
`structured-data-generator`	JSON-LD schema markup

Competitive & Launch

Tool	What it does
`compete-analyzer`	Compares two URLs: tech stack, SEO score, security headers, response time. ASCII comparison card.
`launch-prep`	Reads project, generates PH/Twitter/LinkedIn/HN copy, 14-item checklist, press kit
`demo-prep`	Finds console.logs, TODOs, placeholder text, missing favicons. Scores demo readiness.

Operations

Tool	What it does
`incident-commander`	Health check + git culprit analysis + error patterns + rollback commands + post-mortem template
`growth-tracker`	Uptime, git velocity, SEO trajectory, dep health. Stores snapshots for week-over-week comparison.
`cost-tracker`	Log AI token usage per feature/model. Built-in pricing for Claude, GPT-4o, Gemini. Daily trends.
`pentest-scanner`	Automated penetration testing: XSS, SQLi, SSTI, command injection, path traversal, CORS, JWT, GraphQL introspection, prototype pollution, race conditions, request smuggling. Zero false positives, every finding has proof-of-concept.
`canary-monitor`	Post-deploy canary monitoring: HTTP status, response time, error patterns, baseline regression detection. Auto-saves baselines for future comparison.
`retro-analyzer`	Sprint retrospective: git velocity, commit patterns (features vs fixes), test health, hot files, shipping cadence. Generates insights and recommendations.
`learnings-manager`	Project learnings CRUD: save, search, list, prune, export. Structured knowledge that compounds across sessions.

Project Analysis

Tool	What it does
`onboard-generator`	Auto-generates developer guide: stack, directory tree, routes, schema, env vars, Mermaid diagram
`architecture-mapper`	4 Mermaid diagrams: system overview, route tree, DB ER, data flow. Circular dependency + orphan detection.
`pattern-analyzer`	Analyzes testing, error handling, TypeScript usage, CI/CD, git practices. Cross-repo comparison.
`audit-history`	Saves/compares audit scores over time

Integrations (optional)

Tool	What it does
`gsc-client`	Google Search Console: submit sitemaps, inspect URLs, query rankings (requires `ULTRASHIP_GSC_CREDENTIALS`)
`bing-webmaster`	Bing Webmaster: submit sitemaps/URLs, IndexNow instant push, keyword research, backlinks, site-scan, URL inspection (requires `ULTRASHIP_BING_KEY`). Powers ChatGPT Search + Microsoft Copilot.
`ga4-client`	Google Analytics 4: overview, top-pages, landing-pages, traffic-sources, conversions, user-journey, devices, realtime, ai-traffic (ChatGPT/Perplexity/Copilot tracking), organic (search-only). `--organic` flag.
`keyword-intelligence`	12-command keyword engine: analyze, quick-wins, cannibalization, content-gaps, intent-map, trending, high-intent, page-keywords, content-decay, difficulty, anomalies (CTR anomalies), cross-reference (GSC↔GA4). `--brand` flag for non-brand filtering.
`index-doctor`	Index diagnosis: inspect URLs via GSC URL Inspection API, diagnose 15+ coverage states, auto-fix and submit to Bing.

Commands (36)

Slash commands available inside Claude Code after installing the plugin:

Command	Description
`/sprint`	Sprint workflow. Structured pipeline from plan → build → test → review → ship → verify
`/investigate`	Root cause investigation. Structured debugging with module freeze, no fixes without evidence
`/learn`	Project learnings. Save, search, prune, export knowledge that compounds across sessions
`/guard`	Safety guardrails. Blocks destructive commands, optionally restricts edits to a directory
`/retro`	Sprint retrospective. Git velocity, commit patterns, test health, shipping cadence
`/canary`	Post-deploy canary. Verify production health, detect regressions after deployment
`/pentest`	Penetration testing. Hack-test your app (web, API, browser, GitHub, local code)
`/ship`	Pre-deploy scorecard. Runs 5 tools, scores 4 categories
`/seo`	SEO audit (63 rules) + AI visibility checks (bot access, snippet restrictions, schema)
`/secure`	Secret scanning + OWASP patterns + `npm audit`
`/perf`	Lighthouse + bundle size
`/deploy`	Env check → migration check → build → deploy → health check
`/review`	Code review with confidence-scored findings
`/health`	Production health check
`/compete`	Compare your site vs a competitor
`/launch`	Generate launch copy + checklist + press kit
`/rescue`	Incident diagnostics + rollback commands
`/grow`	Growth metrics over time
`/cost`	AI build cost tracking
`/onboard`	Generate developer onboarding guide
`/architecture`	Generate Mermaid architecture diagrams
`/clone-patterns`	Analyze any repo’s patterns, compare to yours
`/demo`	Find dev artifacts, score demo readiness
`/visual-diff`	Before/after screenshot comparison (via Playwright MCP)
`/content`	Readability + keyword density analysis
`/bundle`	Bundle size tracking
`/profile`	Static analysis for backend anti-patterns
`/deps`	Unused/outdated dependency detection
`/redirects`	Redirect chain/loop detection
`/release`	Changelog + version bump + GitHub release + npm publish
`/revise-claude-md`	Update CLAUDE.md with session learnings
`/brainstorm`	Structured ideation → spec document
`/write-plan`	Implementation plan from spec
`/execute-plan`	Execute plan step by step

Skills (39)

Skills are markdown instruction files that shape Claude’s behavior during your session. They activate based on context. When you’re debugging, Claude uses the debugging skill. When you’re building UI, it uses the frontend design skill.

Workflow (19): brainstorming, planning, TDD, implementation, code review, debugging, refactoring, frontend design, API design, data modeling, git workflow, deploy pipeline, release, CLAUDE.md management, verification, browser testing, sprint pipeline, investigation, learnings management

Specialist (8): SEO + AI visibility audit, security audit, penetration testing, performance audit, content quality, code profiling, parallel agent dispatching, safety guardrails

Growth & Intelligence (12): competitive analysis, launch prep, incident response, growth tracking, cost tracking, onboarding, architecture mapping, pattern analysis, demo readiness, visual regression, canary monitoring, sprint retrospective

Agents (11)

Agents are dispatched by skills to run audits in parallel:

code-reviewer · seo-auditor · security-auditor · pentest-auditor · perf-auditor · browser-verifier · compete-analyzer · launch-auditor · incident-responder · growth-tracker · canary-monitor

MCP Servers (2)

Server	Purpose
Context7	Live library documentation. Fetches current docs for any framework/library.
Playwright	Browser automation. Navigate, screenshot, fill forms, test deployed pages.

Both lazy-start on first use. No background processes.

Sprint Workflow

Ultraship skills chain into a structured sprint pipeline. Each phase produces artifacts that feed the next.

flowchart LR
    P["/write-plan<br/>Plan"] --> B["/execute-plan<br/>Build"]
    B --> T["TDD<br/>Test"]
    T --> R["/review + /secure<br/>Review"]
    R --> S["/ship + /deploy<br/>Ship"]
    S --> V["/canary<br/>Verify"]
    V --> RE["/retro + /learn<br/>Reflect"]

    style P fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style B fill:#3b82f6,stroke:#2563eb,color:#fff
    style T fill:#06b6d4,stroke:#0891b2,color:#000
    style R fill:#f59e0b,stroke:#d97706,color:#000
    style S fill:#10b981,stroke:#059669,color:#000
    style V fill:#84cc16,stroke:#65a30d,color:#000
    style RE fill:#ec4899,stroke:#db2777,color:#fff

Phase	Skill	Output
Plan	`/write-plan`	Implementation plan with file map and test strategy
Build	`/execute-plan`	Working code on a feature branch
Test	TDD skill	Passing test suite
Review	`/review` + `/secure`	Review report, security scan
Ship	`/ship` + `/deploy`	Scorecard + production deploy
Verify	`/canary`	Post-deploy health verification
Reflect	`/retro` + `/learn`	Retrospective + saved learnings

Run /sprint to follow the full pipeline, or run individual phases as needed.

Safety Guardrails

/guard activates PreToolUse hooks that block destructive commands before they execute:

flowchart LR
    CMD["Claude runs<br/>a command"] --> HOOK["PreToolUse<br/>Hook"]
    HOOK --> CHECK{"Destructive?"}
    CHECK -->|"rm -rf, DROP TABLE,<br/>git push --force,<br/>kubectl delete..."| BLOCK["BLOCKED"]
    CHECK -->|Safe| ALLOW["Allowed"]

    style HOOK fill:#f59e0b,stroke:#d97706,color:#000
    style BLOCK fill:#ef4444,stroke:#dc2626,color:#fff
    style ALLOW fill:#10b981,stroke:#059669,color:#000

rm -rf, DROP TABLE, TRUNCATE (data destruction)
git push --force, git reset --hard (git history destruction)
git clean -f, git checkout . (working directory destruction)
kubectl delete, docker system prune (infrastructure destruction)

Optional directory freeze restricts all file edits to a specific path. Explicitly confirmed actions always proceed.

Persistent Memory

Ultraship enforces a memory-first rule at session start. The SessionStart hook detects if you have a MEMORY.md file and instructs Claude to read it before performing any task. Context persists across sessions. No more repeating yourself about project state, deploy status, or decisions already made.

If MEMORY.md is found: Claude reads memory files before doing anything
If not found: Claude suggests setting up auto-memory for persistent context

No configuration needed. Just install the plugin.

SEO + AI Visibility

flowchart TD
    subgraph Data["Data Sources (optional API keys)"]
        GSC["Google Search Console<br/>Index status, rankings"]
        GA4["Google Analytics 4<br/>Traffic, AI referrals"]
        BING["Bing Webmaster<br/>Crawl, IndexNow, backlinks"]
    end

    subgraph Analysis["Intelligence Layer"]
        KW["keyword-intelligence<br/>12 commands"]
        IDX["index-doctor<br/>Diagnose + fix"]
        SCAN["seo-scanner<br/>63 rules"]
    end

    subgraph Output["Outputs"]
        STR["/seo-strategy<br/>90-day ranking plan"]
        FIX["/index-fix<br/>Auto-submit fixes"]
        SCORE["/seo<br/>SEO + GEO + AEO score"]
    end

    GSC --> KW
    GSC --> IDX
    GA4 --> KW
    BING --> IDX
    SCAN --> SCORE
    KW --> STR
    IDX --> FIX

    style GSC fill:#4285f4,stroke:#3367d6,color:#fff
    style GA4 fill:#e37400,stroke:#c56200,color:#fff
    style BING fill:#00809d,stroke:#006680,color:#fff
    style KW fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style IDX fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style SCAN fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style STR fill:#10b981,stroke:#059669,color:#000
    style FIX fill:#10b981,stroke:#059669,color:#000
    style SCORE fill:#10b981,stroke:#059669,color:#000

The SEO scanner checks 63 rules across three layers:

SEO (39 rules): meta tags, canonicals, heading hierarchy, alt text, OG tags, sitemap, robots.txt, structured data, analytics detection, cross-page duplicate titles/descriptions, orphan page detection, canonical conflicts, thin content, internal linking
GEO (20 rules): AI search visibility signals. Does robots.txt block GPTBot/PerplexityBot/ClaudeBot? Do nosnippet/max-snippet directives restrict AI citation eligibility? Is there llms.txt for AI discovery? Does structured data exist for AI extraction? These are verifiable technical signals, not ranking factor guesses.
AEO (4 rules): answer engine schema checks. FAQPage, HowTo, speakable, Article/BlogPosting. These are the structured data types that enable featured snippets and voice results. We check presence, not SERP performance.

Beyond the scanner, Ultraship connects to real APIs: GSC URL Inspection (actual index status), GA4 (actual AI referral traffic from ChatGPT/Perplexity/Copilot), Bing Webmaster (crawl status, IndexNow). Data-driven analysis, not estimates.

Dogfooding

/ship results on SaveMRR (Hono + React + Drizzle pnpm monorepo, 5 packages, 41 routes):

	Backend + Dashboard	Landing (29 pages)
SEO + AI Visibility	63	52
Security	100	100
Code Quality	70	67
Bundle Size	100	92
Overall	83	78

227 findings: 1 N+1 query, 33 unused deps (dead shadcn/ui wrappers via import graph), 153 SEO issues, 1 memory leak, 1 heavy dep.

Security

All tools use execFileSync with array args (no shell interpolation). HTTP tools import tools/lib/security.mjs for SSRF protection (blocks private IPs, cloud metadata, non-HTTP schemes). 10MB file read cap. 5MB response cap. Secret values redacted in output. Zero telemetry.

See SECURITY.md.

Architecture

flowchart TD
    subgraph Plugin["ultraship plugin"]
        MANIFEST[".claude-plugin/<br/>plugin.json"]
        HOOKS["hooks/<br/>SessionStart + Guard"]

        subgraph Core["Core Loop"]
            SKILLS["skills/<br/>42 markdown files"]
            AGENTS["agents/<br/>12 agent definitions"]
            COMMANDS["commands/<br/>36 slash commands"]
        end

        subgraph Runtime["Runtime"]
            TOOLS["tools/<br/>36 Node.js ESM scripts"]
            LIB["tools/lib/<br/>security.mjs, monorepo.mjs"]
        end
    end

    subgraph External["External (optional)"]
        MCP1["Context7 MCP<br/>Live docs"]
        MCP2["Playwright MCP<br/>Browser automation"]
        GSC2["GSC / GA4 / Bing<br/>APIs"]
    end

    COMMANDS --> SKILLS
    SKILLS --> AGENTS
    SKILLS --> TOOLS
    AGENTS --> TOOLS
    TOOLS --> LIB
    TOOLS --> GSC2
    SKILLS --> MCP1
    SKILLS --> MCP2

    style MANIFEST fill:#6b7280,stroke:#4b5563,color:#fff
    style HOOKS fill:#f59e0b,stroke:#d97706,color:#000
    style SKILLS fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style AGENTS fill:#3b82f6,stroke:#2563eb,color:#fff
    style COMMANDS fill:#06b6d4,stroke:#0891b2,color:#000
    style TOOLS fill:#10b981,stroke:#059669,color:#000
    style LIB fill:#059669,stroke:#047857,color:#fff
    style MCP1 fill:#6b7280,stroke:#4b5563,color:#fff
    style MCP2 fill:#6b7280,stroke:#4b5563,color:#fff
    style GSC2 fill:#6b7280,stroke:#4b5563,color:#fff

Node.js ESM (type: module)
1 dependency: htmlparser2 (SAX HTML parser, ~30KB)
Tools output JSON to stdout, exit 0 on success and failure (errors in JSON)
Skills reference tools via ${CLAUDE_PLUGIN_ROOT}/tools/<name>.mjs
No build step. No native bindings. No node-gyp.

Contributing

git clone https://github.com/Houseofmvps/ultraship.git
cd ultraship
npm test              # 180 tests, node:test
node tools/<tool>.mjs # Run any tool directly

Open an issue or submit a PR.

License

MIT

ultraship