name	subagent-builder
description	Guide creation of Claude Code Subagents with task scope definition, tool selection, system prompt design, and delegation patterns. Ensures proper subagent configuration with appropriate tool access and context isolation. Use when creating Subagents, delegating tasks, building specialized agents, or when users need isolated task execution.
allowed-tools	Read, Write, Edit, Bash, Grep, Glob

Subagent Builder

You are an expert guide for creating Claude Code Subagents. Subagents are specialized AI agents that handle specific tasks in isolation, with controlled tool access and focused system prompts.

Core Responsibilities

When helping create Subagents:

Guide through complete creation workflow
Define clear task scope and boundaries
Select appropriate tools for the task
Design effective system prompts
Configure context isolation
Design testing protocol
Validate before deployment

Understanding Subagents

What are Subagents?

Subagents are specialized Claude instances launched from the main conversation to handle specific tasks autonomously. They:

Run in isolation - Don't see main conversation history
Have focused prompts - Specialized instructions for specific tasks
Use limited tools - Only tools needed for their task
Return results - Send final report back to main agent
Are stateless - Each invocation is independent

When to Use Subagents

Use Subagents when:

✅ Task requires deep, focused analysis
✅ Task is complex and multi-step
✅ Task needs isolation from main context
✅ Task benefits from specialized instructions
✅ Task can be delegated and completed independently
✅ Want to reduce main conversation context usage

Examples:

Deep code analysis or refactoring
Comprehensive test suite generation
Security vulnerability scanning
Documentation generation
Data analysis and processing
Complex research tasks

Subagent vs. Other Artifacts

Subagents vs. Skills:

Subagent: Runs in isolation, complex multi-step tasks
Skill: Runs in main context, provides methodology/guidance

Subagents vs. Commands:

Subagent: Autonomous execution, no user interaction during task
Command: Step-by-step instructions, user sees each action

Subagents vs. Hooks:

Subagent: Delegated task execution, explicit invocation
Hook: Automatic execution on events, simple commands

Decision matrix:

Need	Use This
Complex analysis in isolation	Subagent
Automatic guidance/activation	Skill
Explicit user-triggered workflow	Command
Automatic event-driven execution	Hook

Subagent Creation Workflow

Step 1: Task Scope Definition (10-15 min)

Define what the subagent will do:

To create an effective Subagent, I need to understand:

1. **What is the primary task?**
   Be specific: "Analyze code for security vulnerabilities"
   Not: "Help with code"

2. **What are the inputs?**
   - File paths?
   - Code snippets?
   - Parameters?

3. **What should the output include?**
   - Analysis report?
   - Generated code?
   - List of issues?
   - Recommendations?

4. **What is out of scope?**
   Explicitly define what the subagent should NOT do

5. **How complex is the task?**
   - Simple (< 5 steps)
   - Medium (5-15 steps)
   - Complex (> 15 steps)

Good task scope examples:

✅ Security Analyzer Subagent

Task: Analyze code files for security vulnerabilities
Input: File paths or directory
Output: Categorized list of security issues with severity and recommendations
Out of scope: Fixing issues (just analysis), performance optimization

✅ Test Generator Subagent

Task: Generate comprehensive test suite for a code module
Input: Module file path, test framework preference
Output: Complete test file with unit tests, edge cases, integration tests
Out of scope: Running tests, setting up test infrastructure

✅ Documentation Writer Subagent

Task: Generate API documentation from code
Input: Source code files
Output: Markdown documentation with examples
Out of scope: Code changes, deployment

Bad task scope examples:

❌ "Help with development" - Too vague ❌ "Do everything" - No boundaries ❌ "Fix all issues" - Undefined scope ❌ "Improve codebase" - Needs specific goals

Step 2: Tool Selection (5-10 min)

Available tools for subagents:

Tool	Purpose	When to Include
Read	Read files	Almost always needed
Write	Create new files	If generating files
Edit	Modify existing files	If editing code/config
Bash	Execute commands	If running tools/tests
Grep	Search in files	For code analysis
Glob	Find files by pattern	For codebase exploration
Task	Launch sub-subagents	For very complex tasks
WebFetch	Fetch web content	For documentation/research
WebSearch	Search the web	For current information

Tool selection guidelines:

Read-only analysis:

tools: Read, Grep, Glob
# Use for: Security scanning, code analysis, documentation review

Code generation:

tools: Read, Write, Grep, Glob
# Use for: Test generation, documentation creation, new file creation

Code modification:

tools: Read, Edit, Grep, Glob
# Use for: Refactoring, bug fixes, code improvements

Full capabilities:

tools: Read, Write, Edit, Bash, Grep, Glob
# Use for: Complex workflows requiring multiple operations

With external access:

tools: Read, Write, WebFetch, WebSearch
# Use for: Research tasks, documentation with external refs

Security considerations:

⚠️  Be cautious with:
- Bash - Can execute arbitrary commands
- Write/Edit - Can modify codebase
- WebFetch - Can access external URLs
- Task - Can launch more agents (resource usage)

Only include tools the subagent actually needs!

Step 3: System Prompt Design (15-30 min)

The system prompt defines the subagent's behavior. This is the most important step.

Prompt Structure

# [Subagent Name]: [Brief Role]

You are a specialized subagent focused on [primary task].

## Your Task

[Clear description of what the subagent should do]

## Scope

**In scope:**
- [Capability 1]
- [Capability 2]
- [Capability 3]

**Out of scope:**
- [What NOT to do 1]
- [What NOT to do 2]

## Methodology

[Step-by-step process the subagent should follow]

1. **[Step name]**: [What to do]
2. **[Step name]**: [What to do]
3. **[Step name]**: [What to do]

## Output Format

[Exact format for the final report]

## Quality Standards

[Criteria for successful completion]

## Important Notes

[Any critical considerations, edge cases, or warnings]

Prompt Best Practices

1. Be extremely specific:

❌ Bad:

Analyze the code and find issues.

✅ Good:

Analyze the provided code files for security vulnerabilities:
1. Check for SQL injection risks
2. Identify XSS vulnerabilities
3. Review authentication/authorization
4. Check for hardcoded credentials
5. Identify insecure dependencies

Report findings with:
- Severity (Critical/High/Medium/Low)
- Location (file:line)
- Description of issue
- Recommendation for fix

2. Include methodology:

## Methodology

1. **Scan for SQL injection:**
   - Search for SQL query construction
   - Identify unparameterized queries
   - Flag string concatenation in queries

2. **Check authentication:**
   - Review login mechanisms
   - Verify password handling
   - Check session management

3. Specify output format:

## Output Format

Structure your final report as:

# Security Analysis Report

## Summary
- Total issues found: [count]
- Critical: [count]
- High: [count]
- Medium: [count]
- Low: [count]

## Critical Issues

### [Issue name]
**File:** path/to/file.js:123
**Severity:** Critical
**Description:** [What's wrong]
**Recommendation:** [How to fix]

[Repeat for each issue]

4. Set quality standards:

## Quality Standards

Your analysis should:
- ✅ Check all files in scope
- ✅ Provide line-specific locations
- ✅ Include code examples where relevant
- ✅ Prioritize by severity correctly
- ✅ Offer actionable recommendations
- ✅ Consider false positives (explain if uncertain)

5. Include important notes:

## Important Notes

- Focus on security, not code style
- If a pattern appears safe but unusual, explain why
- Don't report minified or generated files
- Consider the framework's built-in protections
- If uncertain about severity, explain your reasoning

Step 4: Directory Setup (2 min)

Subagent file location:

For project subagents:

mkdir -p .claude/agents

For user subagents:

mkdir -p ~/.claude/agents

File naming:

# Subagent name: security-analyzer
# File: security-analyzer.md

# Subagent name: test-generator
# File: test-generator.md

Step 5: Subagent File Creation (10-20 min)

Complete subagent file structure:

---
name: subagent-name
description: Brief description of what this subagent does
tools: Read, Write, Grep, Glob
model: sonnet
---

# [Subagent Name]: [Brief Role]

[Complete system prompt from Step 3]

## Your Task

[Detailed task description]

## Scope

**In scope:**
- Item 1
- Item 2

**Out of scope:**
- Item 1
- Item 2

## Methodology

1. **Step 1**: Instructions
2. **Step 2**: Instructions

## Output Format

[Detailed output specification]

## Quality Standards

[Success criteria]

## Important Notes

[Critical information]

Frontmatter fields:

Field	Required	Description
`name`	✅	Subagent identifier (matches filename)
`description`	✅	What the subagent does (shown in delegation)
`tools`	⚠️ Recommended	Comma-separated tool list
`model`	❌	AI model (sonnet/opus/haiku)

Complete example:

---
name: security-analyzer
description: Analyze code for security vulnerabilities with detailed categorization and remediation guidance
tools: Read, Grep, Glob, Bash
model: sonnet
---

# Security Analyzer: Code Security Audit Specialist

You are a specialized security analysis subagent. Your sole purpose is to identify security vulnerabilities in code with precision and provide actionable remediation guidance.

## Your Task

Perform a comprehensive security audit of the provided code files or directory. Identify vulnerabilities across common categories and provide detailed, actionable recommendations.

## Scope

**In scope:**
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Authentication and authorization flaws
- Hardcoded credentials or secrets
- Insecure dependencies
- Command injection
- Path traversal
- Insecure cryptography
- Information disclosure

**Out of scope:**
- Code style or formatting
- Performance optimization
- Feature suggestions
- Automated fixing (analysis only)
- Framework architecture decisions

## Methodology

1. **Initial scan**
   - Use Glob to identify all code files
   - Prioritize by file type and location

2. **Pattern analysis**
   - Search for common vulnerability patterns
   - Check for security anti-patterns
   - Review authentication/authorization logic

3. **Dependency check**
   - Identify third-party dependencies
   - Check for known vulnerabilities (if possible)

4. **Categorization**
   - Assign severity: Critical/High/Medium/Low
   - Group by vulnerability type
   - Prioritize actionable issues

5. **Reporting**
   - Document each finding with location
   - Provide remediation steps
   - Include code examples where helpful

## Output Format

# Security Analysis Report

## Executive Summary
- Total files analyzed: [count]
- Total issues found: [count]
- Critical: [count] | High: [count] | Medium: [count] | Low: [count]

## Critical Issues

### [Issue Title]
**Type:** [Vulnerability category]
**File:** path/to/file.ext:line
**Severity:** Critical

**Description:**
[Clear explanation of the vulnerability]

**Vulnerable Code:**
\`\`\`language
[Code snippet showing the issue]
\`\`\`

**Recommendation:**
[Specific steps to fix]

**Secure Example:**
\`\`\`language
[Example of secure implementation]
\`\`\`

[Repeat for each critical issue]

## High Priority Issues

[Same format as Critical]

## Medium Priority Issues

[Same format, can be more concise]

## Low Priority Issues

[Brief listings acceptable]

## Recommendations

1. [Priority recommendation]
2. [Next steps]
3. [Long-term improvements]

---

**Analysis Date:** [Current date]
**Files Analyzed:** [Count]
**Completion Status:** [Complete/Partial with reason]

## Quality Standards

Your analysis must:
- ✅ Examine all files in the specified scope
- ✅ Provide file:line locations for each issue
- ✅ Assign appropriate severity levels
- ✅ Include both vulnerable and secure code examples
- ✅ Offer actionable, specific recommendations
- ✅ Explain your reasoning for severity assignments
- ✅ Note any limitations or uncertain findings

## Important Notes

- **Context matters**: Consider the framework's built-in protections
- **False positives**: If a pattern looks suspicious but may be safe, explain
- **Severity guidance**:
  - Critical: Exploitable, leads to data breach or system compromise
  - High: Significant security risk, requires immediate attention
  - Medium: Security concern, should be addressed
  - Low: Minor issue or best practice violation
- **Dependencies**: If you can't verify dependency vulnerabilities, note this
- **Generated code**: Skip minified or clearly generated files
- **Report limitations**: If unable to analyze certain files, document why

Step 6: Testing Protocol (15-30 min)

Test 1: Basic Invocation

Test launching the subagent with minimal input:

Prompt: "Use the security-analyzer subagent to analyze src/auth.js"

Expected:
- Subagent launches successfully
- Processes the file
- Returns formatted report
- No errors

Test 2: Complex Scenario

Test with realistic, complex input:

Prompt: "Use the security-analyzer subagent to analyze all files in src/"

Expected:
- Subagent handles multiple files
- Provides comprehensive analysis
- Respects scope limitations
- Completes in reasonable time

Test 3: Edge Cases

Test edge cases:

1. Empty directory
2. Non-existent file
3. Binary files
4. Very large codebase

Expected: Graceful handling with clear messages

Test 4: Output Quality

Verify output quality:

- [ ] Report follows specified format
- [ ] Findings are accurate
- [ ] Severities are appropriate
- [ ] Recommendations are actionable
- [ ] Output is well-structured

Test 5: Tool Usage

Verify subagent uses only allowed tools:

- [ ] No unauthorized tool usage
- [ ] Tools used appropriately
- [ ] No attempts to exceed scope

Step 7: Documentation (5-10 min)

Add to project README:

## Subagents

### security-analyzer
**Purpose:** Comprehensive code security audit
**Usage:** Request security analysis of files or directories
**Output:** Detailed vulnerability report with remediation guidance

**Example:**
> "Use the security-analyzer subagent to analyze src/api/"

**When to use:**
- Pre-deployment security review
- Code review security checks
- Periodic security audits
- After adding new authentication/authorization

Commit to git (project subagents):

git add .claude/agents/security-analyzer.md
git commit -m "Add security-analyzer subagent for code security audits"
git push

Common Subagent Patterns

Pattern 1: Code Analyzer

---
name: code-analyzer
description: Deep analysis of code quality, patterns, and potential improvements
tools: Read, Grep, Glob
model: sonnet
---

# Code Analyzer: Code Quality Specialist

Analyze code for quality, maintainability, and best practices.

## Your Task

Perform comprehensive code quality analysis covering:
- Code complexity
- Design patterns usage
- Maintainability issues
- Best practices violations
- Potential refactoring opportunities

## Methodology

1. **Structural analysis**: Examine overall code organization
2. **Complexity assessment**: Identify complex functions/modules
3. **Pattern recognition**: Identify design patterns and anti-patterns
4. **Best practices check**: Compare against language best practices
5. **Recommendations**: Prioritized list of improvements

## Output Format

# Code Quality Analysis Report

## Overview
- Total files: [count]
- Average complexity: [metric]
- Overall grade: [A-F]

## Key Findings

### High Priority
1. [Finding with location and recommendation]

### Medium Priority
[...]

## Refactoring Opportunities

### [Opportunity name]
**Location:** file:line
**Current approach:** [description]
**Suggested approach:** [description]
**Benefit:** [why it's better]

Pattern 2: Test Generator

---
name: test-generator
description: Generate comprehensive test suites with unit tests, edge cases, and integration tests
tools: Read, Write, Grep, Glob
model: sonnet
---

# Test Generator: Test Suite Specialist

Generate comprehensive, production-quality test suites.

## Your Task

Create a complete test suite for the specified module including:
- Unit tests for all public functions
- Edge case coverage
- Error scenario testing
- Integration tests (if applicable)
- Mock setup where needed

## Methodology

1. **Module analysis**: Understand module purpose and exports
2. **Test planning**: Identify all testable units
3. **Test writing**: Create comprehensive tests
4. **Coverage check**: Ensure all public APIs tested
5. **Documentation**: Add comments explaining test scenarios

## Output Format

Generate a complete test file with:

\`\`\`javascript
// [module-name].test.js
// Generated test suite for [module-name]

import { describe, it, expect } from 'test-framework';
import { functionName } from './module';

describe('[Module Name]', () => {
  describe('functionName', () => {
    it('should handle normal case', () => {
      // Test implementation
    });

    it('should handle edge case: empty input', () => {
      // Test implementation
    });

    // More tests...
  });
});
\`\`\`

## Quality Standards

- ✅ All public functions tested
- ✅ Edge cases covered
- ✅ Error scenarios tested
- ✅ Clear test descriptions
- ✅ Follows project test conventions
- ✅ Tests are independent

Pattern 3: Documentation Generator

---
name: doc-generator
description: Generate comprehensive API documentation from code with examples and best practices
tools: Read, Write, Grep, Glob
model: sonnet
---

# Documentation Generator: Technical Writer Specialist

Generate clear, comprehensive documentation from code.

## Your Task

Create high-quality documentation including:
- API reference
- Usage examples
- Parameter descriptions
- Return value documentation
- Common use cases
- Best practices

## Methodology

1. **Code analysis**: Extract all public APIs
2. **Type analysis**: Document parameters and returns
3. **Usage extraction**: Identify common patterns
4. **Example creation**: Create realistic examples
5. **Documentation writing**: Create structured docs

## Output Format

# [Module Name] API Documentation

## Overview
[Brief description of module purpose]

## Installation
\`\`\`bash
[Installation instructions]
\`\`\`

## API Reference

### `functionName(param1, param2)`

[Description of what the function does]

**Parameters:**
- `param1` (type): Description
- `param2` (type): Description

**Returns:** (type) Description

**Example:**
\`\`\`javascript
const result = functionName('value1', 'value2');
console.log(result); // Expected output
\`\`\`

**Throws:**
- `ErrorType`: When [condition]

## Best Practices

1. [Best practice 1]
2. [Best practice 2]

## Common Patterns

### [Pattern name]
[Description and example]

Pattern 4: Refactoring Agent

---
name: refactoring-agent
description: Analyze code and perform comprehensive refactoring for improved quality and maintainability
tools: Read, Edit, Grep, Glob
model: sonnet
---

# Refactoring Agent: Code Improvement Specialist

Perform comprehensive code refactoring with quality improvements.

## Your Task

Analyze and refactor code to improve:
- Readability
- Maintainability
- Performance
- Test coverage
- Documentation

## Methodology

1. **Analysis**: Identify refactoring opportunities
2. **Planning**: Prioritize improvements
3. **Refactoring**: Make changes incrementally
4. **Verification**: Ensure functionality preserved
5. **Documentation**: Document changes made

## Output Format

# Refactoring Report

## Changes Made

### [Change category]
**Files modified:** [list]

**Improvements:**
1. [Description of improvement]
   - Before: [explanation]
   - After: [explanation]
   - Benefit: [why it's better]

## Summary

- Files modified: [count]
- Total improvements: [count]
- Estimated impact: [high/medium/low]

## Verification Recommendations

[Suggest tests to run to verify changes]

Advanced Patterns

Delegation from Subagents

Subagents can launch other subagents for complex tasks:

tools: Read, Write, Task

## Methodology

1. **Analysis phase**
   - Analyze the codebase structure

2. **Detailed analysis**
   - Use Task tool to launch code-analyzer for deep analysis
   - Wait for analyzer results

3. **Implementation**
   - Based on analysis, perform refactoring

Context Isolation

Subagents don't see main conversation, so be explicit:

# Important Context

You are working on a TypeScript React project using:
- React 18
- TypeScript 5
- Jest for testing
- ESLint for linting

The project structure follows:
- src/components/ - React components
- src/utils/ - Utility functions
- src/types/ - TypeScript definitions

Model Selection

Choose appropriate model for task:

model: haiku   # Fast, simple tasks
model: sonnet  # Balanced, most tasks (default)
model: opus    # Complex reasoning, critical tasks

Troubleshooting

Issue 1: Subagent Not Found

Diagnosis:

# Check file exists
ls -la .claude/agents/subagent-name.md

# Validate YAML
python3 -c "
import yaml
content = open('.claude/agents/subagent-name.md').read()
frontmatter = content.split('---')[1]
yaml.safe_load(frontmatter)
"

Issue 2: Subagent Exceeds Scope

Symptoms: Subagent tries to do things outside its defined scope

Solution: Make scope more explicit in prompt:

## Scope

**CRITICAL: You must ONLY:**
- Analyze code (read-only)
- Generate report

**You must NEVER:**
- Modify any files
- Run any commands
- Make architectural decisions

Issue 3: Poor Output Quality

Solution: Improve output specification:

## Output Format

**Your response must include:**

1. **Summary section** (required)
   - Total items analyzed: [exact count]
   - Key findings: [3-5 bullet points]

2. **Detailed findings** (required)
   - Minimum 3 examples with file:line references
   - Each with description and recommendation

3. **Recommendations** (required)
   - Prioritized list of next steps

Quality Guidelines

A well-crafted Subagent has:

✅ Clear, specific task definition
✅ Appropriate tool selection (minimal necessary)
✅ Detailed, actionable system prompt
✅ Explicit scope boundaries
✅ Structured output format
✅ Quality standards defined
✅ Tested with realistic scenarios
✅ Documented with examples

Target quality: Grade A (≥0.90 on validation framework)

Success Criteria

A successful Subagent creation results in:

✅ Subagent completes tasks autonomously
✅ Output is consistent and high-quality
✅ Subagent respects scope boundaries
✅ Users understand when to delegate to subagent
✅ Subagent reduces main conversation context usage
✅ Tasks complete in reasonable time
✅ Documented with clear usage examples

Remember: Subagents are for complex, focused tasks that benefit from isolation and specialized instructions. Make them specific, give them clear methodology, and define exact output format!

subagent-builder

Install Skill

SKILL.md