security-audit
This skill performs comprehensive security assessments by delegating to the Centinela QA agent, systematically checking for OWASP Top 10 vulnerabilities, hardcoded secrets, dependency CVEs, and smart contract issues. Use it before releases, after significant code changes affecting authentication or data handling, or during periodic security reviews.
```
git clone --depth 1 https://github.com/davepoon/buildwithclaude /tmp/security-audit && cp -r /tmp/security-audit/plugins/agent-triforce/skills/security-audit ~/.claude/skills/security-audit
```
SKILL.md
# Security Audit
Performs a deep security audit using the Centinela (QA) agent.
## When to Use This Skill
- Before a release to verify security posture
- After significant code changes that touch authentication, authorization, or data handling
- Periodic security review of the codebase
- When adding new dependencies or external integrations
## What This Skill Does
1. Runs the SIGN IN checklist
2. Performs OWASP Top 10 systematic check (A01-A10)
3. Scans for hardcoded secrets, API keys, tokens, and connection strings
4. Audits dependencies for known CVEs
5. Checks smart contracts if Solidity is present (reentrancy, overflow, access control)
6. Runs Security Verification and Quality Verification checklists (TIME OUT)
7. Issues verdict and writes report to `docs/reviews/security-audit-{date}.md`
8. Prepares findings handoff to Dev agent
## How to Use
### Basic Usage
```
/security-audit
```
### Scoped Audit
```
/security-audit src/auth/ src/api/
```
## Example
**User**: `/security-audit src/payments/`
**Output**: A security audit report at `docs/reviews/security-audit-2026-02-23.md` with:
- OWASP Top 10 findings organized by severity
- Secrets scan results
- Dependency vulnerability report
- Verdict: APPROVED or CHANGES REQUIRED
- Fix order recommendation for the Dev agent
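As an added example (not the skill's own code, which delegates these steps to the Centinela agent), here is what step 3 (hardcoded secrets scan) and step 7 (report and verdict) of the checklist look like as a standalone Python scanner producing a report in the shape of the example output above. The regex patterns, severity labels, the `SAMPLE` source file and the report layout are assumptions for illustration; only the report path and the APPROVED / CHANGES REQUIRED verdict come from the skill.

```python
import re
from datetime import date
from pathlib import Path

# Patterns are assumptions for this example; the skill leaves detection to the agent.
SECRET_PATTERNS = [
    ("critical", "AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("critical", "private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("critical", "connection string with embedded password",
     re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@\S+")),
    ("warning", "credential literal assigned in source",
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{8,}['"]""")),
]
SEVERITY_RANK = {"critical": 0, "warning": 1}

# Constructed sample source file; the key id is AWS's own documentation placeholder.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://admin:hunter2@db.internal:5432/app"
password = "correct-horse-battery"
timeout = 30
"""

def scan_text(text, path="<memory>"):
    """Return (severity, label, path, line_no) for every line matching a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for severity, label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((severity, label, path, line_no))
    return findings

def verdict(findings):
    return "CHANGES REQUIRED" if findings else "APPROVED"

def render_report(findings, scope, today=None):
    """Markdown report; severity-first ordering doubles as the fix order for the Dev agent."""
    today = today or date.today().isoformat()
    lines = [f"# Security Audit {today}", f"Scope: {', '.join(scope)}", "", "## Secrets scan"]
    for sev, label, path, ln in sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[2], f[3])):
        lines.append(f"- [{sev.upper()}] {label} at {path}:{ln}")
    lines += ["- no hardcoded secrets found"] * (not findings) + ["", f"Verdict: {verdict(findings)}"]
    return "\n".join(lines)

def write_report(findings, scope, today=None):
    """Write the report where the skill puts it: docs/reviews/security-audit-{date}.md."""
    out = Path("docs/reviews") / f"security-audit-{today or date.today().isoformat()}.md"
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(render_report(findings, scope, today))
    return out
```

To audit a real scope, call `scan_text` on the contents of each file under the given directories (the skill's default is `src/`) and pass the combined findings to `write_report`.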
## Tips
- If no scope is specified, the entire `src/` directory is audited
- Critical findings trigger the Non-Normal emergency checklist
- The agent will never attempt to fix vulnerabilities — only document them