Built-in skills
Qodex ships with skills for the most common testing and review jobs. The coordinator chooses from these skills based on what you ask it to do. You usually do not need to pick a skill manually. Ask for the outcome you want, such as “test my checkout API” or “create UI tests for login”, and Qodex routes the work.
Shipped skills
| Skill | What it does | When Qodex uses it |
|---|---|---|
| setup | Saves environments, credentials, base URLs, and API keys. | During onboarding or when you provide new configuration. |
| auth | Discovers API login flows and saves reusable auth profiles. | When Qodex needs credentials before testing protected endpoints. |
| analyze | Summarizes an imported API collection. | After OpenAPI or Postman import. |
| explore | Crawls a web app and builds a page, form, endpoint, and artifact catalog. | Before UI scenario authoring or when the page catalog is stale. |
| api | Tests API endpoints, creates passing scenarios, and reports real API bugs. | API testing prompts and endpoint-focused requests. |
| api-author | Authors API scenarios for a focused endpoint group. | Spawned by api during parallel scenario creation. |
| ui | Plans UI testing work and coordinates browser-driven scenario authoring. | UI flow testing prompts. |
| ui-author | Drives one UI scenario end to end in the browser. | Spawned by ui for individual flows. |
| security | Checks OWASP-style security issues and files confirmed vulnerabilities. | Security scan, OWASP, IDOR, headers, or access-control prompts. |
| pentest | Runs more active exploitation-style testing with strict safety limits. | Pentest or “try to break in” prompts. |
| performance | Measures API latency and page Web Vitals baselines. | Performance regression or SLO prompts. |
| report | Summarizes a multi-step run into a short report. | At the end of larger agent workflows. |
Orchestrator and author skills
Some skills plan the work. Others do a narrow slice of it.
api and ui are orchestrator skills. They understand the full request, split it into smaller pieces, and decide which sub-agents to run.
api-author and ui-author are authoring skills. They are usually spawned by the orchestrator and focus on one scenario or one endpoint group at a time.
This split helps Qodex stay organized during larger runs. The coordinator keeps the main goal in view while sub-agents collect evidence and create scenarios in parallel.
Security and pentest difference
Use security for structured security testing: OWASP checks, access-control probes, headers, and repeatable security scenarios.
Use pentest for deeper, more active testing where Qodex tries to chain behaviors into exploitable paths. Pentest runs have stricter safety rules: no destructive payloads, no real-user PII exfiltration, test accounts only, and bounded request rates.
Performance scope
The performance skill measures baselines and regressions. It is not a full load-testing engine.
For APIs, it records latency signals such as p50, p95, p99, and jitter. For pages, it checks Core Web Vitals-style measurements such as FCP, LCP, CLS, and TTI.
Skills on the roadmap
Older internal docs mention skills that are not currently shipped as .skill.md files. The main planned gap is an accessibility skill for axe-core, WCAG checks, contrast, keyboard navigation, screen reader behavior, and responsive zoom.
Current shipped equivalents:
| Older label | Current skill |
|---|---|
| functionality | api or ui, depending on the target |
| security-tests | security |
| penetration-tests | pentest |
| vulnerability-tests | security or pentest |
| analyze-collection | analyze |
Next steps
The .skill.md format
See how these skills are defined.
Author a skill
Add a project-specific skill.
Distribute a skill
Share a skill with your team.
Skills overview
Learn why skills exist in Qodex.