Security Audit
Performs a deep security audit using the Centinela (QA) agent.
When to Use This Skill
- Before a release to verify security posture
- After significant code changes that touch authentication, authorization, or data handling
- Periodic security review of the codebase
- When adding new dependencies or external integrations
What This Skill Does
- Runs the SIGN IN checklist
- Performs OWASP Top 10 systematic check (A01-A10)
- Scans for hardcoded secrets, API keys, tokens, and connection strings
- Audits dependencies for known CVEs
- Checks smart contracts if Solidity is present (reentrancy, overflow, access control)
- Runs Security Verification and Quality Verification checklists (TIME OUT)
- Issues verdict and writes report to
docs/reviews/security-audit-{date}.md - Prepares findings handoff to Dev agent
How to Use
Basic Usage
/security-audit
Scoped Audit
/security-audit src/auth/ src/api/
Example
User: /security-audit src/payments/
Output: A security audit report at docs/reviews/security-audit-2026-02-23.md with:
- OWASP Top 10 findings organized by severity
- Secrets scan results
- Dependency vulnerability report
- Verdict: APPROVED or CHANGES REQUIRED
- Fix order recommendation for the Dev agent
Tips
- If no scope is specified, the entire
src/directory is audited - Critical findings trigger the Non-Normal emergency checklist
- The agent will never attempt to fix vulnerabilities — only document them