Skills

Skills are reusable instructions that teach Qodex how to handle a specific kind of work. When you ask Qodex to test an API, crawl a UI, check security issues, or write scenarios, the coordinator chooses the skill that best matches the job. The skill gives the agent a focused workflow, a tool set, and rules for what good output looks like.

Why skills matter

Without skills, every agent run would start from a generic prompt. Skills make Qodex behave like a specialist:
  • API testing skills know how to inspect endpoints, create scenarios, and separate broken tests from real API bugs.
  • UI testing skills know how to drive the browser, collect artifacts, and save repeatable scenarios.
  • Security skills know OWASP checks, inverted pass/fail semantics, and evidence rules.
  • Custom skills let your team encode internal standards without changing Qodex code.
That means the product can adapt to your stack while still keeping testing behavior predictable.

What a skill is

A skill is one .skill.md file. The YAML frontmatter defines the skill id, name, description, allowed tools, iteration limits, and optional sub-agent behavior. The markdown body is the instruction prompt Qodex uses when that skill is active.

---
id: api
name: API Testing
description: Tests API endpoints and creates verified, passing test scenarios.
tools:
  categories: [api, memory, scenario, reporting]
---

# API Testing

Follow this workflow...

You can use the built-in skills as shipped, override one for a project, or add a new skill for your own workflow.

How Qodex uses skills

The coordinator has two ways to use a skill:

| Method | What happens | Best for |
| --- | --- | --- |
| invoke_skill | Adds the skill instructions to the current agent turn. | Focused tasks the coordinator can do directly. |
| spawn_subagent | Starts an isolated sub-agent with the skill and returns a summary. | Parallel work, large scans, or specialized investigation. |

For example, the UI skill can split a broad request into smaller flows and spawn ui-author sub-agents to write each scenario. The API skill can do the same with api-author.

What you can customize

You can customize:
  • The workflow the agent follows.
  • The tools the agent may call.
  • The severity rubric used for findings.
  • Whether the skill can spawn sub-agents.
  • How many tool-call iterations the skill may spend.
  • The exact rules the agent must obey before reporting success.
This is useful when your organization has a custom compliance checklist, a proprietary auth flow, a GraphQL or gRPC testing pattern, or a domain-specific definition of severity.

Built-in and project skills

Built-in skills ship with Qodex. Project skills can be added on top. If a project skill uses the same id as a built-in skill, the project version replaces the built-in for that project. There is no merge. Copy the built-in skill first, then edit the parts that should change.
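
Because a project skill with a built-in id replaces the built-in with no merge, a review step can list each override and how its tool categories differ from the built-in. The following is an added example, not Qodex code: the override sample and the `example_extra` category are constructed, and the parser handles only the frontmatter shape shown on this page.

```python
import re

# Built-in skill frontmatter as shown on this page.
BUILTIN_API = """---
id: api
name: API Testing
description: Tests API endpoints and creates verified, passing test scenarios.
tools:
  categories: [api, memory, scenario, reporting]
---
"""

# Constructed project override, same id. "example_extra" is a placeholder category.
PROJECT_API = """---
id: api
name: API Testing (team copy)
description: Constructed sample override.
tools:
  categories: [api, scenario, example_extra]
---
"""


def parse_skill(text):
    """Return (id, set of tool categories) from .skill.md frontmatter."""
    # Assumption: inline 'categories: [a, b]' list; this is not a YAML parser.
    m = re.match(r"---\r?\n(.*?)\r?\n---", text, re.S)
    if not m:
        raise ValueError("no frontmatter block")
    front = m.group(1)
    sid = re.search(r"^id:\s*(\S+)\s*$", front, re.M)
    if not sid:
        raise ValueError("frontmatter has no id")
    cats = re.search(r"^\s+categories:\s*\[(.*?)\]", front, re.M)
    names = cats.group(1).split(",") if cats else []
    return sid.group(1), {c.strip() for c in names if c.strip()}


def audit_overrides(builtin_texts, project_texts):
    """List project skills that replace a built-in, with the tool-category diff."""
    builtin = dict(parse_skill(t) for t in builtin_texts)
    findings = []
    for text in project_texts:
        sid, cats = parse_skill(text)
        if sid in builtin:  # same id: the project version wins, nothing is merged
            findings.append({"id": sid,
                             "added": sorted(cats - builtin[sid]),
                             "removed": sorted(builtin[sid] - cats)})
    return findings
```

For the two samples, the finding reports `example_extra` as added and `memory` and `reporting` as removed, which is the kind of change worth a second reviewer before the override ships.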

Next steps

  • The .skill.md format: Learn the fields that define a skill.
  • Built-in skills: See the skills Qodex ships with today.
  • Author a skill: Create a skill for your own workflow.
  • Distribute a skill: Share skills across projects or teams.