// Security audit skill. Use when asked to "audit security", "check for vulnerabilities", "security review", "pentest", or when evaluating code that handles auth, user input, secrets, or external data. Runs a phased scan covering OWASP Top 10 and STRIDE threat modeling.
Structured code review skill. Use when asked to "review this code", "review this PR", "check this diff", or when acting as a Hydra reviewer. Runs a multi-pass review with specialist focus areas and confidence-gated findings.
QA testing skill with real browser automation. Use when asked to "test this site", "QA this page", "check for visual bugs", "verify the deploy", or when Hydra needs browser validation for UI changes. Requires the browse binary.
Use when starting work in a TermCanvas-managed repo to route between direct work, Hydra, or a narrow TermCanvas skill.
Use when a task should run through Hydra's Lead-driven workflow for multi-agent orchestration, or when an existing workflow must be inspected or cleaned up.
Adversarial review skill. Use when the user wants to stress-test an idea, argument, proposal, or opinion from multiple independent angles. Spawns parallel Hydra workers with orthogonal analytical methodologies.
Systematic debugging skill. Use when encountering a bug, test failure, unexpected behavior, or when asked to "investigate", "debug", "diagnose", or "figure out why". Enforces root-cause-first discipline with structured hypothesis tracking.
| name | security-audit |
| description | Security audit skill. Use when asked to "audit security", "check for vulnerabilities", "security review", "pentest", or when evaluating code that handles auth, user input, secrets, or external data. Runs a phased scan covering OWASP Top 10 and STRIDE threat modeling. |
Phased security scan. Each phase is independent — skip phases that do not apply to the codebase.
For each entry point identified in Phase 1:
grep -r for common secret patterns in source (API keys, tokens, passwords,
connection strings) — exclude node_modules, .git, lock filesgit log --all -p -S "password\|secret\|api_key\|token" for secrets
that were committed and later removed (they are still in history).gitignore covers .env, credential files, and key materialnpm audit / pip audit / equivalentIf CI/CD config exists (.github/workflows/, .gitlab-ci.yml, etc.):
pull_request_target grant write access to untrusted PRs?For each component identified in Phase 1, evaluate:
For each finding: