Improving Your Code with Skills: Security and Accessibility Audits in Practice Cornell University developers built custom AI Skills for security and accessibility audits, using parallel sub-agents to scan entire codebases for vulnerabilities and compliance issues. The security audit, developed with security expert Derek Parsons, covers five domains and produces actionable findings with remediation steps, complementing existing review processes. Improving Your Code with Skills: Security and Accessibility Audits in Practice What Are Skills, and Why Should You Care? As developers we have to do more than just write code. We have to make sure our code is secure, accessible, well-documented, and covered by tests, among many other things that are part of our development workflow. These aren’t optional, but also might slip when a deadline is close or when they are not well planned into it. What if you could hand some of those tasks off to an AI agent that knew exactly what to look for? Skills don’t solve all of that. But they give you a way to make specific tasks more consistent and repeatable. In the context of AI-assisted development, a Skill is a set of structured instructions that guides an AI agent to perform a specific, repeatable task. A Skill can also tell the agent to execute code as part of the process, not just analyze it. The goal is not to replace a human reviewer or a dedicated toolchain, but to give the AI agent the capability to do a focused first pass that reflects the standards Cornell actually cares about. In this post I want to walk through two Skills I built for my development work: a security audit and an accessibility compliance audit. Skills Aren’t New, and That’s the Point Before going further, it’s worth acknowledging that the concept isn’t unique to Cornell. Anthropic ships a security-reviewskill with Claude Code that scans the code changes in a pull request and surfaces issues. Atlassian’s Bitbucket Pipelines has a security scanner for Java code showing how this kind of automation can be wired into a CI/CD workflow. These examples are powerful, but they weren’t built with our compliance requirements or internal policies in mind. That’s the gap a customized Skill is designed to fill. You’re not replacing what already exists; you’re adapting it to your organizational context. A Skill’s value comes from those instructions: the scope, the standards, and the institutional knowledge baked into them, and that’s what gives the AI agent the focus to address your specific needs. And Skills aren’t limited to code. A Skill can teach an AI agent to write in a specific brand tone, follow a document structure to produce standardized outputs like a Statement of Need SoN . The pattern is the same regardless of the domain: structured instructions that shape the agent’s behavior for a specific, repeatable task. The Security Audit Skill The security audit Skill builds on top of Anthropic’s security-review, extending it beyond pull request scanning into a full-project audit mode capable of reviewing an entire codebase in one run. The security domains it covers were shaped in collaboration with Derek Parsons, whose security expertise helped define where the agent should focus. Rather than reading every file linearly, the Skill uses parallel sub-agents, each responsible for a specific security domain and with its own context window for that task. Each sub-agent starts by running targeted searches for the patterns it hunts, and only reads files that have hits. This keeps the scan focused and efficient. A self-review pass runs at the end to catch any findings that weren’t formatted correctly. The five domains the agent covers are: Input Validation Vulnerabilities Authentication and Authorization Issues Crypto and Secrets Management Injection and Code Execution Data Exposure Each finding in the output includes a description of the issue, an exploit scenario, remediation steps, a CWE reference, and a Jira-ready ticket. Developers get something they can act on immediately, not just a list of flags to interpret. A run against two internal applications surfaced dozens of finding covering everything from authentication bypasses and XSS to insecure direct object references and cleartext data transmission. All issues were reviewed, validated, and addressed. The audit works well alongside existing processes, as a complement to code review for catching issues early, or as a periodic deep scan between incremental security reviews. To put those numbers in context: most of these findings require a chain of multiple vulnerabilities to pose a real risk, and existing safeguards like SSO provide additional layers of protection. The audit doesn’t replace those layers or other security approaches. It helps surface issues and gives us an opportunity to make the code better before it becomes a problem. Example demo non-production code To illustrate what the output looks like, here is a simple example using an intentionally vulnerable demo application. The demo code below contains several known vulnerability patterns, each annotated with its CWE reference. This is the kind of code the Skill is designed to catch. ── XSS stored / reflected ────────────────────────────────────────────────── @app.route "/greet" def greet : name = request.args.get "name", "" CWE-79: user input rendered without escaping return render template string f"