Claude Skill

cloudflare/security-audit-skill

Cloudflare's security-audit-skill enables coding agents to perform multi-phase security audits with independently verified, machine-readable findings.

Overview

Stars: 2,232
Forks: 157
Language: JavaScript
Last pushed: 2026-06-29
Last synced: 2026-07-03

Repository

Owner: cloudflare
Repository: security-audit-skill
Full name: cloudflare/security-audit-skill
Repo ID: 1,273,427,276

Install this Skill

npx skills add https://github.com/cloudflare/security-audit-skill \

Registry

Type: openclaw_skill
Quality score: 70/100
Verification: readme_parsed
Last verified: 2026-06-22
Platforms: Claude
Capabilities: memory, search, terminal, workflow
Detected files: README.md, SKILL.md

Summary

A coding-agent skill by Cloudflare for conducting multi-phase security audits that produce independently verified, machine-readable findings.

Chinese description

A coding-agent skill for multi-phase security audits, with independently verified and machine-readable audit results.

Key features

  • Multi-phase audit workflow
  • Independently verified findings
  • Machine-readable output format
  • Designed for coding agents

Use cases

  • Automated security code review
  • CI/CD pipeline security checks
  • Third-party code audit verification

README excerpt

# security-audit

A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact.

This is the skill that seeded Cloudflare's vulnerability discovery harness, described in [Build your own vulnerability harness](https://blog.cloudflare.com/build-your-own-vulnerability-harness). The harness grew into a multi-stage, fleet-wide system; this skill is the single-repo starting point it evolved from.

## What it does

The skill runs a structured audit in six phases:

1. **Recon** -- parallel research agents map the application's architecture, trust boundaries, and input surfaces. Produces `architecture.md`.
2. **Hunt** -- parallel general agents attack the codebase from different angles (injection, access control, business logic, cryptography, feature abuse, chained attacks, and a wildcard). Each agent can spawn sub-agents to dig deeper.
3. **Validate** -- separate agents try to *disprove* each finding. Adversarial review kills false positives.
4. **Report** -- produces `REPORT.md` (human-readable) and `FINDINGS-DETAIL.md` (detailed traces for MEDIUM+ findings).
5. **Structured output** -- writes `findings.json` conforming to `report-schema.json`, validated by `validate-findings.cjs`.
6. **Independent verification** -- fresh agents verify every factual claim in the structured output against the actual source code.

Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior `findings.json` files to skip known issues and target gaps.

## Files

| File | Purpose |
|------|---------|
| `SKILL.md` | Setup, core pr

Topics

No topics yet.

Data from GitHub. Synced on 2026-07-03