// Use when assessing a feature, service, or full repo for security risk. Maps the threat surface, walks the OWASP Top 10, and emits a finding report with severity counts. Suitable as a release-gate skill.
Use to decide when to invoke the Claude Code CLI and how. Claude specializes in deep reasoning — plans, hypercritical reviews, multi-file impact analysis, and pipe-fed log analysis. Includes invocation patterns and cross-check usage with Codex.
Use when an architectural decision has been made or is about to be made. Decides whether the decision belongs in docs/DESIGN.md, what level of detail to record, and what NOT to record. Operates as a judgment skill, not a fixed procedure — for the procedure see the update-design workflow.
Use when evaluating a library, framework, or external service for adoption. Walks evaluation axes (fit, maintenance, license, footprint, integration cost) and produces a recommendation with explicit trade-offs. Output goes under docs/research/.
Use when reviewing a diff, a PR, or a series of recent commits. Produces a severity-graded report covering correctness, security, performance, concurrency, maintainability, and Definition of Done compliance. Pairs well with pipe input and with Codex cross-checks.
Use when a bug is reported, a test is failing, or production is misbehaving. Provides observation patterns and diagnostic moves rather than a fixed sequence — every bug has its own shape. Pairs naturally with pipe-fed log analysis.
Use to decide when to invoke the Codex CLI and how. Codex specializes in tight iterate-loops, small refactors, lint cycles, and test additions. Includes invocation patterns and anti-patterns.
| name | security-audit |
| description | Use when assessing a feature, service, or full repo for security risk. Maps the threat surface, walks the OWASP Top 10, and emits a finding report with severity counts. Suitable as a release-gate skill. |
List every place untrusted data enters the system: HTTP endpoints, queue consumers, file uploads, env vars read at runtime, third-party webhooks, client-side storage. For each, name the trust boundary it crosses.
For each of: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Identification & Auth Failures, Software / Data Integrity Failures, Security Logging & Monitoring Failures, SSRF — record either a finding or "not applicable, because ".
Grep for committed secrets. Verify .env* is in .gitignore. Check that
the CI logs don't echo env vars.
Run the stack's audit tool (pnpm audit, pip-audit, cargo audit,
govulncheck, dotnet list package --vulnerable). Note severity counts.
Findings: critical=N high=N medium=N low=N
[CRITICAL] <title>
Where: <file:line or component>
Vector: <how an attacker reaches it>
Impact: <what they get>
Mitigation: <smallest viable fix>
Append the OWASP walk as an appendix so reviewers can see what was checked even when there were no findings.