Your coding agent already knows how to write code. What it doesn't reliably do — on its own, by default — is stop and check the boring, load-bearing things. Did that diff just hardcode a live Stripe key? Is the hero image a 1.1 MB PNG nobody resized? Are half your UI tests pinned to :nth-child(3) selectors that the next redesign will snap like dry pasta?
So we packaged the checks. Today we're open-sourcing free-qa-skills — a catalogue of 23 diagnostic QA skills that drop straight into Claude Code (and Codex). No signup. No API keys. No QualityMax account. Copy a folder, type a slash command, get a graded report.
These skills find the problems for free. QualityMax fixes them. That's the whole deal — and we're completely fine telling you the first half costs nothing.
What's in the box
The catalogue spans four areas. The first version shipped seven browser-diagnostic skills; this release adds sixteen more, opening up two whole categories the set never had before — performance and code review.
Web quality
11 skillsAccessibility, SEO, broken links, console errors, security headers, responsive breaks, cookies & trackers, form validation, i18n/RTL, mixed content, UI/UX smells.
Playwright MCPPerformance
4 skillsCore Web Vitals (LCP/CLS/INP), page-weight budget, third-party bloat, and a cold-cache load waterfall — graded against real thresholds.
Playwright MCPCode review
6 skillsDiff risk review, secret scanning, dependency audit, dead-code detection, complexity hotspots, error-handling audit. Pure agent — no MCP.
No MCP neededTest review
2 skillsTest-quality review (catches tests that assert nothing) and flaky-selector scan (brittle locators → stable data-test suggestions).
Every one is diagnostic only. They read your site or your repo, grade what they find, and hand you a report with exact file:line pointers and a fix for each issue. They never touch your code or your site. A scanner shouldn't have write access — that's a different, deliberate decision.
Thirty seconds to your first report
# Grab the whole catalogue
git clone https://github.com/Quality-Max/free-qa-skills.git
cp -r free-qa-skills/skills/* .claude/skills/
# ...or just the one you need
cp -r free-qa-skills/skills/core-web-vitals .claude/skills/Then talk to your agent the way you already do:
/core-web-vitals https://yoursite.com
/secret-scan
/flaky-selector-scanThe web skills use the Playwright MCP that ships with Claude Code to actually drive a browser — measure real LCP, capture response headers, probe a form with bad input. The code-review skills don't need any MCP at all: they read your working tree and git diff directly. That last detail matters more than it sounds.
Eight of them need zero setup — and ship inside qmax-code
The six code-review and two test-review skills are pure markdown playbooks. No browser, no server, no MCP, no tokens. That portability is why they're also baked straight into qmax-code, our open-source terminal agent. Run it, and orch materializes these review skills into whichever backend you're on — Claude Code or Codex — from one SKILL.md definition. Nothing to copy; they're just there the next time you open a session.
So you've got two front doors: clone free-qa-skills and copy the folder, or run qmax-code and let it install the review skills for you. Same skills, your choice of delivery.
Why "no MCP" is the unlock
A skill that depends on a tool server only works where that server is wired up. A skill that's just instructions works anywhere the agent runs — your laptop, a teammate's Codex session, a headless CI agent. The eight review skills are the portable core, which is exactly why they were the natural first set to ship inside qmax-code — and the ones we expect to spread fastest.
What a report actually looks like
No dashboards, no PDF exports, no "request a demo." Just the answer, in your terminal, graded and actionable:
## Secret Scan — git diff (staged + unstaged)
2 real secrets, 1 placeholder ignored
### BLOCKER
- backend/config.py:14 — Stripe live key `sk_l…` hardcoded.
Rotate it now (it's compromised once committed) and load from env.
- .env.example:9 — AWS key `AKIA…` looks real, not a sample.
Move to a non-tracked .env and rotate.
### Ignored (placeholders)
- README.md:42 — api_key = "your-key-here" — example text.Notice the masking. A scanner that prints your live keys back into a report you'll paste into Slack has missed the point — so this one shows the first four characters and stops.
Free finds it. QualityMax fixes it.
Here's where we're honest about the model, because it's the same thesis the whole company runs on: finding a problem and fixing it are different jobs, and you shouldn't trust the same loop to do both.
| Free QA skills | QualityMax |
|---|---|
| Find issues & grade them | Generate the tests that catch them, forever |
| One-shot diagnostic report | Self-healing scripts & CI/CD quality gates |
| Runs on your machine, on demand | Independent verifier on every PR |
| Apache-2.0, copy-and-go | 85 MCP tools, multi-model routing |
The free skills are a genuinely useful product on their own — we use several of them ourselves. They're also the most honest sales pitch we know how to make: run them against your own app, see your real bugs, and then decide whether you want the system that turns each of those findings into a durable, self-healing test instead of a one-time report.
If you connect Claude Code to the QualityMax MCP, the same terminal gains 85 tools: AI test generation, BOLA scanning, k6 load testing, breach triage, and the deterministic harness we wrote about in You Can't Review Your Own Work. The free skills show you the gap. QualityMax closes it — and keeps it closed.
Grab them
The repo is live, Apache-2.0, and open to PRs — if you write a diagnostic skill in the same format, send it over. We'd love the catalogue to outgrow us.
- Repo: github.com/Quality-Max/free-qa-skills
- Install:
cp -r free-qa-skills/skills/* .claude/skills/ - Or run the agent: qmax-code ships the review skills into Claude Code or Codex automatically
- Try first:
/core-web-vitals,/secret-scan,/flaky-selector-scan
Point one at your site or your branch right now. Worst case, you learn your app is in great shape. More likely, you find something worth fixing before someone else does — for free, in the next thirty seconds.
Like the free reports? Get the fixes.
QualityMax turns every finding into a self-healing test and an independent verifier on every PR — RAG-grounded generation, a hollow-test gate, and multi-model routing, all from your terminal.
Get Started Free