
Agent-Discoverable Slash Commands

Slash commands become model-callable primitives when the agent's planner can read their descriptions and invoke them mid-loop — collapsing the boundary between user-invoked shortcuts and agent-invoked tools.

The Shift

Slash commands were a human surface — typed in the prompt bar, invisible to the planner. Treating them as model-discoverable turns /review, /refresh-context, or /commit into callable nodes in the planner's tool graph.

Claude Code 2.1.108 shipped the shift: the model can now invoke built-in commands like /init, /review, and /security-review via the Skill tool (Claude Code changelog). Cursor 2.4 (January 2026) added Agent Skills defined in SKILL.md files that agents discover when relevant (Cursor 2.4 changelog).

User-authored workflows now become tool-graph nodes — /research-topic becomes a planning step a supervisor agent selects. This extends Agents vs Commands: commands gain the "who" dimension previously owned by agents, without erasing what-vs-how.

The Control Matrix

Claude Code exposes two frontmatter fields that gate the user/agent axis (Skills reference):

Frontmatter                      User can invoke   Agent can invoke   When loaded into context
(default)                        Yes               Yes                Description always in context; body loads on invocation
disable-model-invocation: true   Yes               No                 Description not in context; body loads when the user invokes
user-invocable: false            No                Yes                Description always in context; body loads on invocation

Side-effectful commands (/deploy, /commit, /send-slack-message) should set disable-model-invocation: true; as Anthropic puts it, "you don't want Claude deciding to deploy because your code looks ready" (Skills reference). Background-knowledge skills set user-invocable: false, since a skill such as /legacy-system-context is context for the agent to load, not an action a user would type.

Descriptions Become Tool Descriptions

For model-invocable skills the description sits in the system prompt at all times (Skills reference) and is the text the planner matches against when choosing what to invoke. Four rules carry over from tool-description craft (Anthropic best practices):

  1. Third person — "Processes Excel files", not "I can help you…"; point-of-view shift causes discovery misses.
  2. What and when — "Extract text from PDFs. Use when the user mentions PDFs, forms, or document extraction." Trigger phrases anchor selection.
  3. Specific over vague — "Fills PDF forms and merges documents" selects on those verbs; "Helps with documents" selects nothing.
  4. Front-load the use case — combined description and when_to_use is capped at 1,536 characters per skill (Skills reference).

Negative triggers constrain over-firing, e.g. "Do NOT use for Jira or GitHub Issues workflows."

The Idempotency Contract

User invocation is an explicit authorisation signal; agent invocation is not. The planner does not read the conversation the way a human does, so it can select a command on a cue the user never intended as consent. Model-invocable commands need:

  • Up-front input validation — reject obviously wrong arguments rather than acting on them
  • Read-only first — a /review that only reads is safer to promote than a /commit that writes
  • Two-step destructive ops — plan/execute split lets the planner stage changes without committing

When a command cannot be idempotent, default to disable-model-invocation: true.

Permission Controls

Claude Code exposes allow/deny rules — Skill(name) for exact match, Skill(name *) for any arguments (Skills reference):

Skill(commit)        # allow
Skill(review-pr *)   # allow with any args
Skill(deploy *)      # deny

The allowed-tools frontmatter pre-approves tools while the skill runs — /commit can include Bash(git add *) Bash(git commit *) without per-use approval. That pre-approval surface expands with every model-invocable command.
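How the frontmatter user/agent axis and the Skill(...) allow/deny rules compose for a single invocation, as an added example in Python (not Claude Code's own code and not from the page). The precedence it encodes is assumed, not documented: the frontmatter gate is checked first, deny rules beat allow rules, Skill(name) matches only an argument-less call, Skill(name *) matches any arguments, and an invocation no rule matches falls through to "ask", i.e. per-use approval. The names gate, SkillPolicy, parse_rule and rule_matches are the example's own.

```python
# Added example (not Claude Code's code and not from the page): how the
# frontmatter user/agent axis and Skill(...) allow/deny rules compose into one
# decision. Precedence and matching semantics below are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass

# Skill(name) -> exact, argument-less match; Skill(name *) -> any arguments.
RULE_RE = re.compile(r"^Skill\((?P<name>[A-Za-z0-9_-]+)(?P<any>\s\*)?\)$")


@dataclass(frozen=True)
class SkillPolicy:
    """The two frontmatter fields that gate the user/agent axis."""
    name: str
    disable_model_invocation: bool = False  # True  -> user-only
    user_invocable: bool = True             # False -> agent-only


def parse_rule(rule: str) -> tuple[str, bool]:
    """Return (skill name, accepts-any-arguments) for one rule string."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return m.group("name"), m.group("any") is not None


def rule_matches(rule: str, skill: str, args: str) -> bool:
    name, any_args = parse_rule(rule)
    if name != skill:
        return False
    return any_args or args.strip() == ""  # assumption: Skill(name) = no arguments


def gate(skill: SkillPolicy, args: str, origin: str,
         allow: list[str], deny: list[str]) -> tuple[str, str]:
    """Decide ("allow"|"deny"|"ask", reason) for a call from origin 'user' or 'agent'."""
    if origin not in ("user", "agent"):
        raise ValueError(f"unknown origin {origin!r}")
    # 1. Frontmatter axis first: an agent call to a user-only skill is refused
    #    before any rule is consulted, however permissive the allow list is.
    if origin == "agent" and skill.disable_model_invocation:
        return "deny", "disable-model-invocation: true (user-only skill)"
    if origin == "user" and not skill.user_invocable:
        return "deny", "user-invocable: false (agent-only skill)"
    # 2. Rules: deny is checked before allow (assumption), then fall through to ask.
    for rule in deny:
        if rule_matches(rule, skill.name, args):
            return "deny", f"matched deny rule {rule}"
    for rule in allow:
        if rule_matches(rule, skill.name, args):
            return "allow", f"matched allow rule {rule}"
    return "ask", "no rule matched; per-use approval required"


# The page's rule set, split into its allow and deny halves.
ALLOW = ["Skill(commit)", "Skill(review-pr *)"]
DENY = ["Skill(deploy *)"]

if __name__ == "__main__":
    deploy = SkillPolicy("deploy", disable_model_invocation=True)
    for policy, args, origin in [
        (SkillPolicy("review-pr"), "42", "agent"),
        (SkillPolicy("commit"), "", "user"),
        (SkillPolicy("commit"), "-m wip", "agent"),
        (deploy, "prod", "agent"),   # a prompt-injected "deploy" attempt
        (deploy, "prod", "user"),
    ]:
        print(f"{origin:5} /{policy.name} {args!r:10} -> {gate(policy, args, origin, ALLOW, DENY)}")
```

The ordering is the point: an agent-originated /deploy, whether the planner inferred "ready to ship" or was steered there by injected text, is refused by disable-model-invocation: true before the rule set is even consulted, so the Skill(deploy *) deny rule is a second fence rather than the only one. The user-originated /deploy prod case shows the reverse: the frontmatter lets it through and only the deny rule stops it.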

When This Backfires

  1. Destructive side effects without disable-model-invocation — the agent infers authorisation from context that looked "ready" and runs a command the user would have reviewed.
  2. Large skill libraries — descriptions are shortened to fit a character budget that defaults to 1% of the model's context window (skillListingBudgetFraction), stripping trigger keywords when the listing overflows (Skills reference).
  3. Prompt injection surface — a tool output or README naming a skill can cause the planner to invoke it with attacker-controlled arguments.
  4. Commands authored pre-shift — existing commands often reference "the user's last message" or emit prose confirmations. Agent invocation breaks those assumptions.

Counterpoint: MCP Keeps the Boundary

The Model Context Protocol takes the opposite stance: prompts are user-controlled — surfaced as slash commands — while tools are model-controlled (MCP Prompts spec). Erasing that boundary is a choice: typing /deploy is itself the authorisation. Claude Code and Cursor trade that for planner composability; MCP does not.

Example

A /review-pr command written in Claude Code's skill format. The description names the trigger phrases the planner matches against, the negative trigger prevents over-firing on unrelated requests, and the command is left model-invocable (no disable-model-invocation) because the operation is read-only.

---
name: review-pr
description: Reviews a pull request for correctness, style, and security issues.
  Use when the user asks for a PR review, mentions a PR number, or asks to check
  diff quality before merge. Do NOT use for general code review outside a PR
  (use the code-review skill instead).
argument-hint: "[pr-number]"
allowed-tools: Bash(gh pr *)
---

Review PR $ARGUMENTS:

1. Fetch the diff with `gh pr diff $ARGUMENTS`
2. Scan for: missing tests, unhandled errors, suspicious secrets
3. Return findings as a structured list

Contrast with a /deploy command, where disable-model-invocation: true is non-negotiable because the operation is destructive and the agent inferring "ready to ship" from context is not equivalent to the user explicitly authorising release:

---
name: deploy
description: Deploy the application to production
disable-model-invocation: true
allowed-tools: Bash(./scripts/deploy.sh *)
---

Deploy $ARGUMENTS to production:
1. Run the test suite
2. Build the application
3. Push to the deployment target
4. Verify the deployment succeeded

The matrix scales: every new command is a three-state decision — default (both), disable-model-invocation (user-only), or user-invocable: false (agent-only).
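A lint pass over the two skills above, as an added Python example that is not part of the page or of Claude Code. It parses the frontmatter (only the flat key: value form with indented continuation lines that the examples use) and then applies the page's rules mechanically: third person, a "Use when" trigger phrase on anything model-invocable, the 1,536-character cap on description plus when_to_use, no side-effectful allowed-tools on a model-invocable skill, and no skill that neither side can invoke. The write-verb list and the "Use when" check are heuristics chosen for this example; parse_frontmatter and lint_skill are its own names. A third, constructed /commit skill in the pre-shift style is included to show what the linter catches.

```python
# Added example (not from the page or Claude Code): lint SKILL.md frontmatter
# against the page's rules. WRITE_HINTS and the "Use when" check are heuristics.
from __future__ import annotations

import re

DESCRIPTION_CAP = 1536  # cap on description + when_to_use cited on the page
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$")
FIRST_PERSON = re.compile(r"\b(I can|I will|I'll|I help)\b", re.I)
# Assumption: tool patterns whose pre-approval implies a write or an external side effect.
WRITE_HINTS = ("git commit", "git push", "deploy", "rm ", "curl", "slack")


def parse_frontmatter(text: str) -> dict[str, str]:
    """Parse the --- delimited header into a flat dict, folding continuation lines."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("missing frontmatter")
    fm: dict[str, str] = {}
    key: str | None = None
    for line in lines[1:]:
        if line.strip() == "---":
            break
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            fm[key] = m.group(2).strip()
        elif key is not None and line[0].isspace():
            fm[key] = f"{fm[key]} {line.strip()}".strip()  # YAML-style folded line
        else:
            raise ValueError(f"unparseable frontmatter line: {line!r}")
    return {k: v.strip("\"'") for k, v in fm.items()}


def lint_skill(text: str) -> list[str]:
    fm = parse_frontmatter(text)
    name = fm.get("name", "<unnamed>")
    desc = fm.get("description", "")
    combined = f"{desc} {fm.get('when_to_use', '')}".strip()
    model_invocable = fm.get("disable-model-invocation", "").strip().lower() != "true"
    user_invocable = fm.get("user-invocable", "true").strip().lower() != "false"
    tools = fm.get("allowed-tools", "")
    findings: list[str] = []

    if not desc:
        findings.append(f"{name}: no description, so the planner has nothing to match on")
    if FIRST_PERSON.search(desc):
        findings.append(f"{name}: description is first person; rewrite it in third person")
    if model_invocable and "use when" not in desc.lower():
        findings.append(f"{name}: model-invocable but has no 'Use when' trigger phrase")
    if len(combined) > DESCRIPTION_CAP:
        findings.append(f"{name}: description + when_to_use is {len(combined)} chars, "
                        f"over the {DESCRIPTION_CAP} cap")
    if model_invocable and any(h in tools.lower() for h in WRITE_HINTS):
        findings.append(f"{name}: side-effectful tools pre-approved ({tools}) on a "
                        "model-invocable skill; set disable-model-invocation: true")
    if not model_invocable and not user_invocable:
        findings.append(f"{name}: user-only and agent-only at once; nobody can invoke it")
    return findings


# The two skills from the page (frontmatter only) plus a constructed pre-shift /commit.
REVIEW_PR = """\
---
name: review-pr
description: Reviews a pull request for correctness, style, and security issues.
  Use when the user asks for a PR review, mentions a PR number, or asks to check
  diff quality before merge. Do NOT use for general code review outside a PR
  (use the code-review skill instead).
argument-hint: "[pr-number]"
allowed-tools: Bash(gh pr *)
---
"""
DEPLOY = """\
---
name: deploy
description: Deploy the application to production
disable-model-invocation: true
allowed-tools: Bash(./scripts/deploy.sh *)
---
"""
LEGACY_COMMIT = """\
---
name: commit
description: I can help you commit your changes.
allowed-tools: Bash(git add *) Bash(git commit *)
---
"""

if __name__ == "__main__":
    for skill in (REVIEW_PR, DEPLOY, LEGACY_COMMIT):
        print("\n".join(lint_skill(skill) or ["clean"]))
```

Running it reports /review-pr and /deploy as clean and raises three findings against the legacy /commit: first-person wording, no trigger phrase, and Bash(git commit *) pre-approved on a skill the planner may invoke on its own. The last one is the finding that matters most: it is exactly the combination the page's backfire list opens with.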

Key Takeaways

  • Promoting commands to model-invocable turns them into reusable planner primitives, not just keyboard shortcuts
  • Command descriptions now carry the craft previously reserved for tool descriptions: trigger phrases, third person, negative triggers, front-loaded use case
  • The three-state matrix (default, disable-model-invocation: true, user-invocable: false) is a per-command decision — destructive side effects default to user-only
  • Permission rules (Skill(name), Skill(name *)) and allowed-tools pre-approvals make the trust surface explicit
  • MCP's user-controlled prompts vs model-controlled tools is the opposite design choice — the boundary is deliberate, not inevitable