Open Source Radar
cloudflare/

security-audit-skill

GitHub

A JavaScript MIT-licensed GitHub repo from Cloudflare, offering a multi-phase security-audit coding-agent skill with structured outputs and verification. It includes a six-phase workflow, validation tooling, and a zero-dependency findings validator.

2.6kstars
190forks
2issues
MITlicense
2026since
Star historydaily snapshots by VibeCrowd
Reviewgenerated from repository data · Jul 18, 2026

What it is

A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact.

How it works

The skill runs a structured audit in six phases:

  1. Recon -- parallel research agents map the application's architecture, trust boundaries, and input surfaces. Produces architecture.md.
  2. Hunt -- parallel general agents attack the codebase from different angles (injection, access control, business logic, cryptography, feature abuse, chained attacks, and a wildcard). Each agent can spawn sub-agents to dig deeper.
  3. Validate -- separate agents try to disprove each finding. Adversarial review kills false positives.
  4. Report -- produces REPORT.md (human-readable) and FINDINGS-DETAIL.md (detailed traces for MEDIUM+ findings).
  5. Structured output -- writes findings.json conforming to report-schema.json, validated by validate-findings.cjs.
  6. Independent verification -- fresh agents verify every factual claim in the structured output against the actual source code.

Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior findings.json files to skip known issues and target gaps.

Getting started

Install the skill with the Skills CLI:

npx skills add https://github.com/cloudflare/security-audit-skill \
  --skill security-audit

Use --global for a user-level installation:

npx skills add https://github.com/cloudflare/security-audit-skill \
  --skill security-audit \
  --global

Run npx skills --help for agent-selection and non-interactive options.

Usage examples:

security audit this codebase
find security vulnerabilities in ./src
do a security review, output to ~/audits/my-project

The skill activates automatically when the request matches its trigger (security audit, find vulnerabilities, pen-test the code, etc.). It will ask for an output directory if you don't specify one, defaulting to ~/security-audit-skill/<repo-name>/run-<N>.

Getting started requirements

  • A coding agent with a model that supports tool use and parallel sub-agents
  • Node.js (for validate-findings.cjs schema validation in Phase 5)

Design principles

  • Only report what you can exploit. Every finding needs a concrete attack scenario, not "an attacker could theoretically..."
  • Adversarial validation. The agent that checks a finding is never the agent that found it.
  • Severity requires impact. Likelihood x impact, not deviation from a checklist.
  • Defense-in-depth gaps are not vulnerabilities. If Layer A prevents the attack, the absence of Layer B is a hardening note.
  • Multiple runs improve coverage. Testing shows a single run finds roughly half the total vulnerabilities across multiple runs.

License

MIT -- see LICENSE.

SharePost on XLinkedIn
All trending reposRevenue-verified startups →