// Use when assessing a feature, service, or full repo for security risk. Maps the threat surface, walks the OWASP Top 10, and emits a finding report with severity counts. Suitable as a release-gate skill.
| name | security-audit |
| description | Use when assessing a feature, service, or full repo for security risk. Maps the threat surface, walks the OWASP Top 10, and emits a finding report with severity counts. Suitable as a release-gate skill. |
List every place untrusted data enters the system: HTTP endpoints, queue consumers, file uploads, env vars read at runtime, third-party webhooks, client-side storage. For each, name the trust boundary it crosses.
For each of: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Identification & Auth Failures, Software / Data Integrity Failures, Security Logging & Monitoring Failures, SSRF — record either a finding or "not applicable, because ".
Grep for committed secrets. Verify .env* is in .gitignore. Check that
the CI logs don't echo env vars.
Run the stack's audit tool (pnpm audit, pip-audit, cargo audit,
govulncheck, dotnet list package --vulnerable). Note severity counts.
Findings: critical=N high=N medium=N low=N
[CRITICAL] <title>
Where: <file:line or component>
Vector: <how an attacker reaches it>
Impact: <what they get>
Mitigation: <smallest viable fix>
Append the OWASP walk as an appendix so reviewers can see what was checked even when there were no findings.
Use to decide when to invoke the Claude Code CLI and how. Claude specializes in deep reasoning — plans, hypercritical reviews, multi-file impact analysis, and pipe-fed log analysis. Includes invocation patterns and cross-check usage with Codex.
Use when an architectural decision has been made or is about to be made. Decides whether the decision belongs in docs/DESIGN.md, what level of detail to record, and what NOT to record. Operates as a judgment skill, not a fixed procedure — for the procedure see the update-design workflow.
Use when evaluating a library, framework, or external service for adoption. Walks evaluation axes (fit, maintenance, license, footprint, integration cost) and produces a recommendation with explicit trade-offs. Output goes under docs/research/.
Use when reviewing a diff, a PR, or a series of recent commits. Produces a severity-graded report covering correctness, security, performance, concurrency, maintainability, and Definition of Done compliance. Pairs well with pipe input and with Codex cross-checks.
Use when a bug is reported, a test is failing, or production is misbehaving. Provides observation patterns and diagnostic moves rather than a fixed sequence — every bug has its own shape. Pairs naturally with pipe-fed log analysis.
Use to decide when to invoke the Codex CLI and how. Codex specializes in tight iterate-loops, small refactors, lint cycles, and test additions. Includes invocation patterns and anti-patterns.