Claude Code Tips From Anthropic's Team That Will Change How You Vibe Code
Learn 10 Claude Code tips directly from Anthropic's team - parallel sessions, plan mode, CLAUDE.md, and skills that boost productivity. Plus why 85% of vibe-coded apps still need a security audit before launch.

Boris Cherny, creator of Claude Code, just dropped a thread sharing how his team actually uses the tool. Not marketing fluff. Real workflows from the engineers building it.
I've been auditing vibe-coded apps for months now. Most of what breaks isn't the AI's fault. It's how people use these tools. These tips address exactly that gap.
Here's what the Claude Code team does differently - and why it still won't save you from needing a security review.
1. They Run 3-5 Claude Sessions in Parallel
The biggest productivity unlock isn't a better prompt. It's running multiple git worktrees simultaneously, each with its own Claude session.
One worktree for your feature. Another for bug fixes. A third just for reading logs and running analytics.
git worktree add ../project-feature-a -b feature-a
cd ../project-feature-a
claude
Most solo founders I audit are running one session, waiting for it to finish, then starting another. They're leaving 80% of Claude's value on the table.
2. Plan Mode Before Everything
Before writing a single line of code, the team uses Shift+Tab to enter plan mode. Claude analyzes the codebase with read-only operations and creates a detailed implementation plan.
One engineer has Claude write the plan, then spins up a second Claude session to review it as a "staff engineer."
The moment something goes sideways? They don't push through. They switch back to plan mode and re-plan.
This is where most vibe-coded apps fail. No planning. Just "build me a login page" and hoping for the best. That's how you end up with JWT tokens that never expire and hardcoded API keys.
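One way to check for the never-expiring token problem during a review, as an added example that is not part of the original post or of Claude Code. It only reads the claims of a token and does not verify the signature; the one-hour policy and the sample tokens are constructed for illustration.

```python
import base64
import json

MAX_LIFETIME_S = 3600  # assumed policy for this example: one hour


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _is_number(value) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def audit_jwt_lifetime(token: str, max_lifetime_s: int = MAX_LIFETIME_S) -> list[str]:
    """List expiry problems in a token. Reads claims only; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected three dot-separated segments)"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    exp, iat = claims.get("exp"), claims.get("iat")
    if not _is_number(exp):
        return ["no numeric 'exp' claim: token never expires"]
    if not _is_number(iat):
        return ["no numeric 'iat' claim: lifetime cannot be bounded"]
    if exp - iat > max_lifetime_s:
        return [f"lifetime {int(exp - iat)}s exceeds the {max_lifetime_s}s policy"]
    return []


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a fake signature, for exercising the audit only.
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    issued = 1700000000  # constructed timestamp
    for claims in ({"sub": "u1", "iat": issued},
                   {"sub": "u1", "iat": issued, "exp": issued + 30 * 86400},
                   {"sub": "u1", "iat": issued, "exp": issued + 900}):
        print(claims, "->", audit_jwt_lifetime(make_sample_token(claims)) or "ok")
```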
3. CLAUDE.md Is Your AI's Memory
After every correction, tell Claude: "Update your CLAUDE.md so you don't make that mistake again."
Claude writes rules for itself. Ruthlessly edit this file over time. Keep iterating until the mistake rate measurably drops.
One team member maintains a notes directory for every project, updated after every PR, with CLAUDE.md pointing to it.
I've reviewed codebases where Claude made the same authentication mistake in 15 different files. A well-maintained CLAUDE.md prevents this.
4. Turn Repetitive Tasks Into Skills
If you do something more than once a day, turn it into a skill or slash command.
The team has built:
- /techdebt - runs at the end of every session to find and eliminate duplicated code
- A slash command that syncs 7 days of Slack, Google Drive, Asana, and GitHub into one context dump
- Analytics agents that write dbt models, review code, and test changes automatically
You create a skill by adding a SKILL.md file:
~/.claude/skills/my-skill/SKILL.md
Most vibe coders are manually typing the same instructions repeatedly. Every repetition is a chance for inconsistency.
5. Let Claude Fix Bugs Autonomously
Enable the Slack MCP, paste a bug thread into Claude, and just say "fix."
Or point Claude at your failing CI tests: "Go fix the failing CI tests." Don't micromanage how.
Claude is surprisingly capable at troubleshooting distributed systems when you point it at docker logs.
The catch? Claude fixes what it can see. The 85% of vibe-coded apps with authentication flaws don't fail CI tests. They pass every automated check while leaving the front door unlocked.
6. Prompting Techniques That Actually Work
Three approaches from the team:
Challenge Claude. Say "Grill me on these changes and don't make a PR until I pass your test." Make Claude your reviewer instead of your yes-man.
Request elegance. After a mediocre fix: "Knowing everything you know now, scrap this and implement the elegant solution."
Reduce ambiguity. Write detailed specs before handing off work. The more specific you are, the better the output.
Vague prompts produce vague code. Vague code produces security holes.
7. Your Terminal Setup Matters
The Claude Code team loves Ghostty for its synchronized rendering, 24-bit color, and proper Unicode support.
They customize the status bar with /statusline to show context usage and current git branch. Many color-code terminal tabs using tmux - one tab per task or worktree.
And they use voice dictation. Hit fn twice on macOS. You speak 3x faster than you type, and your prompts get way more detailed.
8. Subagents for Heavy Lifting
Append "use subagents" to any request where you want Claude to throw more compute at the problem.
Subagents keep your main agent's context window clean and focused. You can also route permission requests to Opus 4.5 via a hook - letting it scan for attacks and auto-approve the safe ones.
The danger here is obvious. Auto-approving commands without human review is exactly how you end up with database permissions that are "way too broad." 68% of the apps I audit have this problem.
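A deterministic gate that can sit in front of any auto-approval step, so that privilege-changing database statements and chained shell commands always reach a human. This is an added example, not code from the original post or from Claude Code; the allowlist, the patterns, and the payload shape (`tool_input.command`) are assumptions to adapt to your own hook setup.

```python
import json
import re
import shlex
import sys

# Assumed policy: only these read-only programs may be approved without a human.
READ_ONLY = {"ls", "cat", "grep", "head", "tail", "wc"}
# Chaining, redirection or substitution: the first word no longer describes the command.
SHELL_META = re.compile(r"[;&|<>`]|\$\(")
# Statements that change database privileges or destroy data always need review.
DB_PRIVILEGED = re.compile(
    r"\b(grant|revoke|drop|truncate|(alter|create)\s+(role|user))\b", re.I)


def classify(command: str) -> str:
    """Return 'allow' or 'ask'. The default is 'ask': unknown commands are never approved."""
    if DB_PRIVILEGED.search(command) or SHELL_META.search(command):
        return "ask"
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return "ask"
    if argv and argv[0] in READ_ONLY:
        return "allow"
    return "ask"


def decide(payload: str) -> dict:
    # Assumed payload shape: {"tool_input": {"command": "..."}}.
    try:
        command = json.loads(payload)["tool_input"]["command"]
    except (ValueError, KeyError, TypeError):
        return {"decision": "ask", "reason": "unparseable permission request"}
    if not isinstance(command, str):
        return {"decision": "ask", "reason": "command is not a string"}
    verdict = classify(command)
    reason = "read-only allowlist" if verdict == "allow" else "needs human review"
    return {"decision": verdict, "reason": reason}


if __name__ == "__main__":
    # Reads one permission request as JSON on stdin and prints the decision.
    print(json.dumps(decide(sys.stdin.read())))
```

The gate is deliberately conservative: a harmless `grep "a|b" file` is also sent to a human because of the pipe character, which is the right failure direction for an approval filter.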
9. SQL Is Optional Now
The team uses BigQuery CLI directly in Claude Code. They have a BigQuery skill checked into the codebase, and everyone uses it for analytics queries.
Boris says he hasn't written a line of SQL in 6+ months.
This works for any database with a CLI, MCP, or API. But it also means your database security is only as good as Claude's understanding of your access patterns - which isn't very good.
10. Learn With Claude, Not Just Build
Enable the "Explanatory" or "Learning" output style in /config to have Claude explain the why behind its changes.
Have Claude generate HTML presentations explaining unfamiliar code. Ask for ASCII diagrams of protocols and codebases.
One team member built a spaced-repetition learning skill: you explain your understanding, Claude asks follow-ups to fill gaps, then stores the result.
This matters because the developers who understand what Claude generates are the ones who catch its mistakes. The ones who just accept the output are the ones who ship SQL injection vulnerabilities.
The Part Boris Didn't Mention
These tips will make you significantly more productive with Claude Code. You'll ship faster. You'll handle more complex projects. You'll feel like you have a team of engineers instead of just one.
But speed without security is just faster failure.
72% of vibe-coded apps have template vulnerabilities - boilerplate code with default credentials and exposed admin panels. 91% are susceptible to spear phishing attacks. These aren't problems Claude can catch because they're not bugs. They're architectural decisions that seem fine until someone exploits them.
The Claude Code team has years of experience. They know what to look for. They know when Claude is hallucinating a security pattern that doesn't actually work.
Most vibe coders don't.
That's not an insult. It's just math. If 85% of AI-built apps have critical authentication flaws, and you're building with AI, probability isn't in your favor.
What This Means For Your App
Use these tips. Seriously. They'll make your code better.
Run parallel sessions. Use plan mode. Maintain your CLAUDE.md. Build skills for repetitive tasks. Let Claude explain what it's doing so you actually learn.
Then, before you launch, get a human to look at it.
Not because AI is bad. Because AI is good at patterns and bad at context. It doesn't know that your "admin panel" shouldn't be accessible from the public internet. It doesn't know that your database credentials shouldn't be in the environment variables of a client-side app. It doesn't know what it doesn't know.
Neither does any automated scanning tool.
That's why we do manual code reviews. Every line. By humans who've seen what actually breaks in production.
Your vibe-coded app deserves to make it past the 80% mark. It deserves to be production-ready with proper security. It deserves better than becoming another statistic.
---
Building something with Claude Code, Cursor, Bolt, or Replit? Get a free security assessment before you ship. We'll tell you exactly what needs fixing - and whether you need us to fix it.