Skills
Skills are agents that analyze your pull requests. Each skill has a specific purpose, a prompt that guides the analysis, and restrictions on what tools it can use.
Built-in Skills
security-review
Scans code changes for security vulnerabilities. This skill analyzes diffs for common security issues and reports findings with severity levels.
What It Checks
- Injection Vulnerabilities — SQL injection, command injection, XSS, template injection, path traversal
- Authentication & Authorization — Missing auth checks, improper session handling, authorization bypass, hardcoded credentials
- Data Security — Sensitive data exposure (PII, API keys), insecure storage, missing encryption, logging secrets
- Dependencies — Known vulnerable packages, insecure configurations
- General Security — Insecure crypto, race conditions, information disclosure, missing input validation
Severity Levels
| Level | Description |
|---|---|
| critical | Actively exploitable, high-impact vulnerability |
| high | Exploitable with moderate effort |
| medium | Potential vulnerability, needs review |
| low | Minor security concern |
| info | Security-related observation |
Usage
```toml
[[triggers]]
name = "Security Review"
event = "pull_request"
actions = ["opened", "synchronize"]
skill = "security-review"
```

```bash
# Run security review on uncommitted changes
npx warden --skill security-review

# Run on specific files
npx warden src/auth.ts --skill security-review
```
code-simplifier
Identifies opportunities to reduce code complexity. This skill analyzes diffs for patterns that could be simplified, refactored, or made more readable.
What It Checks
- Nested Logic — Deeply nested conditionals, complex ternaries, callback pyramids
- Redundant Code — Duplicate logic, unnecessary null checks, dead code
- Long Functions — Functions that do too much, hard to test or maintain
- Complex Expressions — Hard-to-read boolean logic, magic numbers, unclear naming
- Modern Patterns — Opportunities to use optional chaining, nullish coalescing, destructuring
Severity Levels
| Level | Description |
|---|---|
| high | Significant complexity that hurts maintainability |
| medium | Moderate complexity worth addressing |
| low | Minor improvements for readability |
| info | Style suggestions |
Usage
```toml
[[triggers]]
name = "Code Simplifier"
event = "pull_request"
actions = ["opened", "synchronize"]
skill = "code-simplifier"
```

```bash
# Run code simplifier on uncommitted changes
npx warden --skill code-simplifier

# Run and auto-fix suggestions
npx warden --skill code-simplifier --fix
```
Custom Skills
Define your own skills as TOML files in .warden/skills/, one file per skill. The file name without the .toml extension is the name that triggers reference, for example .warden/skills/code-review.toml for skill = "code-review".
Skill Definition
```toml
name = "code-review"
description = "General code quality review"
prompt = """
You are a code reviewer. Analyze the pull request for:
- Code clarity and readability
- Potential bugs or logic errors
- Performance concerns
- Best practices violations
Provide constructive feedback with specific suggestions.
"""

[tools]
allowed = ["Read", "Grep", "Glob"]
denied = ["Write", "Edit", "Bash"]
```
Skill Fields
| Field | Required | Description |
|---|---|---|
| name | Yes | Unique identifier (kebab-case) |
| description | Yes | Human-readable purpose |
| prompt | Yes | System instructions for the agent |
| tools.allowed | No | Tools the skill can use |
| tools.denied | No | Tools the skill cannot use |
Available Tools
Skills can use Claude Code's built-in tools:
| Tool | Description |
|---|---|
| Read | Read file contents |
| Grep | Search file contents with regex |
| Glob | Find files by pattern |
| WebFetch | Fetch content from URLs (e.g., CVE databases) |
| Write | Write files (usually denied for review skills) |
| Edit | Edit files (usually denied for review skills) |
| Bash | Run shell commands (usually denied: a review skill should not be able to execute code from the pull request it is reviewing) |
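To see how the Skill Fields and Available Tools tables combine, the TypeScript below is an added example (not warden's own code) that validates a parsed skill definition and works out which tools the agent ends up with. The field and tool names come from the tables above; validateSkill, MUTATING_TOOLS, the rule that a denied tool overrides an allowed one, and the treatment of a missing tools.allowed as "every tool" are assumptions made for this example, not documented warden behaviour.

```typescript
// Added example, not warden's own code: validate a parsed skill definition
// and compute the tools the agent will actually have.
// Assumptions (not documented warden behaviour): a denied tool overrides an
// allowed one, and a missing tools.allowed means every tool is allowed.

const TOOL_NAMES = ["Read", "Grep", "Glob", "WebFetch", "Write", "Edit", "Bash"] as const;
type ToolName = (typeof TOOL_NAMES)[number];

// Tools that can change the checkout or run code; review skills usually deny them.
const MUTATING_TOOLS: ToolName[] = ["Write", "Edit", "Bash"];
const KEBAB_CASE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

// Mirrors the Skill Fields table: name, description and prompt are required.
interface SkillDefinition {
  name: string;
  description: string;
  prompt: string;
  tools?: { allowed?: string[]; denied?: string[] };
}

interface ValidationResult {
  ok: boolean;
  errors: string[];           // the definition must be rejected
  warnings: string[];         // the definition is valid but over-privileged
  effectiveTools: ToolName[];
}

function isToolName(s: string): s is ToolName {
  return (TOOL_NAMES as readonly string[]).includes(s);
}

function validateSkill(def: SkillDefinition): ValidationResult {
  const errors: string[] = [];
  const warnings: string[] = [];

  if (!def.name || !KEBAB_CASE.test(def.name)) {
    errors.push(`name must be kebab-case, got ${JSON.stringify(def.name)}`);
  }
  if (!def.description || !def.description.trim()) errors.push("description is required");
  if (!def.prompt || !def.prompt.trim()) errors.push("prompt is required");

  const allowed = def.tools?.allowed;
  const denied = def.tools?.denied ?? [];
  for (const t of [...(allowed ?? []), ...denied]) {
    if (!isToolName(t)) errors.push(`unknown tool ${JSON.stringify(t)}`);
  }

  // Start from the allowlist (or every tool if none is given), then remove
  // everything on the denylist, so a denied tool can never be used.
  const base: ToolName[] = allowed ? allowed.filter(isToolName) : [...TOOL_NAMES];
  const effectiveTools = base.filter((t) => !denied.includes(t));

  for (const t of MUTATING_TOOLS) {
    if (effectiveTools.includes(t)) warnings.push(`${t} is enabled; review skills usually deny it`);
  }
  return { ok: errors.length === 0, errors, warnings, effectiveTools };
}

// Constructed input mirroring the code-review skill defined above.
const codeReviewSkill: SkillDefinition = {
  name: "code-review",
  description: "General code quality review",
  prompt: "You are a code reviewer. Analyze the pull request for clarity, bugs, performance and best practices.",
  tools: { allowed: ["Read", "Grep", "Glob"], denied: ["Write", "Edit", "Bash"] },
};

// Constructed input with a bad name, no description and no tool restrictions.
const sloppySkill: SkillDefinition = {
  name: "Code Review",
  description: "",
  prompt: "Review the pull request.",
};

console.log(validateSkill(codeReviewSkill));
console.log(validateSkill(sloppySkill));
```

Running it prints a clean result for the first definition and, for the second, two errors plus three warnings, because with no tools section the agent would get Write, Edit and Bash. The warnings are the useful part for a security reviewer: a skill whose prompt only asks for review comments has no reason to hold any of the mutating tools.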
Using Custom Skills
Reference your custom skill by name in triggers:
```toml
[[triggers]]
name = "Code Review"
event = "pull_request"
actions = ["opened"]
skill = "code-review" # Matches .warden/skills/code-review.toml
```
Output Format
Skills return findings in a structured format. Each finding includes:
- Severity — How serious the issue is
- Title — Brief description of the issue
- Description — Detailed explanation
- Location — File path and line numbers
- Suggested Fix — Optional code suggestion
Warden translates these findings into GitHub PR reviews with inline comments on the relevant lines.
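As an added example (not warden's own code) of what that translation involves, the TypeScript below checks a batch of findings against the pull request's changed line ranges and builds the comments array for GitHub's create-review endpoint (POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews). The finding fields follow the list above, but their JSON names, the DiffMap type, and the rule that any finding at or above a chosen severity turns the review into REQUEST_CHANGES are assumptions for this example; the sample diff and findings are constructed.

```typescript
// Added example, not warden's own code: check a skill's findings and turn
// them into the `comments` array of GitHub's create-review request
// (POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews).
// The JSON field names of Finding, the DiffMap type and the severity gate
// are assumptions for this example.

type Severity = "critical" | "high" | "medium" | "low" | "info";
const SEVERITY_ORDER: Severity[] = ["critical", "high", "medium", "low", "info"];
// GitHub renders a fenced "suggestion" block as a one-click applicable change.
const SUGGESTION_FENCE = "`".repeat(3);

interface Finding {
  severity: Severity;
  title: string;
  description: string;
  location: { path: string; startLine: number; endLine?: number };
  suggestedFix?: string;
}

// One entry of the `comments` array; the field names are GitHub's.
interface ReviewComment {
  path: string;
  line: number;
  side: "RIGHT";
  start_line?: number;
  start_side?: "RIGHT";
  body: string;
}

interface Review {
  event: "REQUEST_CHANGES" | "COMMENT";
  body: string;
  comments: ReviewComment[];
}

// Changed line ranges per file on the PR head side (constructed here; in
// practice derived from the diff). GitHub rejects comments outside the diff.
type DiffMap = Record<string, Array<[number, number]>>;

function isSeverity(s: string): s is Severity {
  return (SEVERITY_ORDER as string[]).includes(s);
}

function inDiff(diff: DiffMap, path: string, start: number, end: number): boolean {
  return (diff[path] ?? []).some(([from, to]) => start >= from && end <= to);
}

// Keep only well-formed findings that point at changed lines. The finding text
// comes from a model that read the PR, so the path and line numbers are not trusted.
function filterFindings(findings: Finding[], diff: DiffMap): { kept: Finding[]; dropped: string[] } {
  const kept: Finding[] = [];
  const dropped: string[] = [];
  for (const f of findings) {
    const { path, startLine } = f.location;
    const endLine = f.location.endLine ?? startLine;
    if (!isSeverity(f.severity) || !f.title.trim()) {
      dropped.push(`${path}: malformed finding`);
    } else if (endLine < startLine || !inDiff(diff, path, startLine, endLine)) {
      dropped.push(`${path}:${startLine}-${endLine} not in diff`);
    } else {
      kept.push(f);
    }
  }
  return { kept, dropped };
}

function toComment(f: Finding): ReviewComment {
  const { path, startLine } = f.location;
  const endLine = f.location.endLine ?? startLine;
  let body = `**[${f.severity}] ${f.title}**\n\n${f.description}`;
  if (f.suggestedFix) {
    body += `\n\n${SUGGESTION_FENCE}suggestion\n${f.suggestedFix}\n${SUGGESTION_FENCE}`;
  }
  const comment: ReviewComment = { path, line: endLine, side: "RIGHT", body };
  if (endLine !== startLine) {
    comment.start_line = startLine; // multi-line comment anchored on its last line
    comment.start_side = "RIGHT";
  }
  return comment;
}

// Any kept finding at or above `blockAt` makes the review request changes.
function buildReview(findings: Finding[], diff: DiffMap, blockAt: Severity = "high"): Review {
  const { kept, dropped } = filterFindings(findings, diff);
  const worst = kept.reduce((acc, f) => Math.min(acc, SEVERITY_ORDER.indexOf(f.severity)), SEVERITY_ORDER.length);
  const event = worst <= SEVERITY_ORDER.indexOf(blockAt) ? "REQUEST_CHANGES" : "COMMENT";
  const body = [`${kept.length} finding(s) posted inline.`, ...dropped.map((d) => `Skipped: ${d}`)].join("\n");
  return { event, body, comments: kept.map(toComment) };
}

// Constructed sample: the PR touched lines 10-40 of src/auth.ts, and the skill
// returned one finding inside that range and one in a file the PR did not change.
const sampleDiff: DiffMap = { "src/auth.ts": [[10, 40]] };
const sampleFindings: Finding[] = [
  {
    severity: "critical",
    title: "SQL query built by string concatenation",
    description: "The username reaches the query text unescaped; bind it as a parameter instead.",
    location: { path: "src/auth.ts", startLine: 22, endLine: 23 },
    suggestedFix: "const user = await db.get('SELECT * FROM users WHERE name = ?', [name]);",
  },
  {
    severity: "low",
    title: "Session id written to the log",
    description: "Log the user id rather than the session token.",
    location: { path: "src/session.ts", startLine: 5 },
  },
];

console.log(JSON.stringify(buildReview(sampleFindings, sampleDiff), null, 2));
```

The critical finding becomes a two-line comment on src/auth.ts with an applicable suggestion and the review is submitted as REQUEST_CHANGES; the second finding is reported in the review summary as skipped rather than posted, because GitHub would reject a comment on a file the pull request did not change and a finding outside the diff is a sign the skill wandered beyond what it was asked to review.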