Claude Skill

cloudflare/security-audit-skill

Cloudflare's security-audit-skill lets coding agents run multi-phase security audits and produce independently verified, machine-readable findings.

Overview

Stars: 2,237
Forks: 157
Language: JavaScript
Last updated: 2026-06-29
Last synced: 2026-07-03

Repository information

Owner: cloudflare
Repository: security-audit-skill
Full name: cloudflare/security-audit-skill
Repo ID: 1,273,427,276

Install this Skill

npx skills add https://github.com/cloudflare/security-audit-skill

Registry information

Type: openclaw_skill
Quality score: 70/100
Verification status: readme_parsed
Last verified: 2026-06-22
Platform: Claude
Capabilities: memory, search, terminal, workflow
Detected files: README.md, SKILL.md

Project overview

A coding-agent skill developed by Cloudflare for running multi-phase security audits and producing independently verified, machine-readable findings.

English description

A coding-agent skill for multi-phase security audits with independently verified, machine-readable findings

Key points

  • Multi-phase audit workflow
  • Independently verified findings
  • Machine-readable output format
  • Designed for coding agents

Use cases

  • Automated security code review
  • Security checks in CI/CD pipelines
  • Verification of third-party code audits

README summary

# security-audit

A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact.

This is the skill that seeded Cloudflare's vulnerability discovery harness, described in [Build your own vulnerability harness](https://blog.cloudflare.com/build-your-own-vulnerability-harness). The harness grew into a multi-stage, fleet-wide system; this skill is the single-repo starting point it evolved from.

## What it does

The skill runs a structured audit in six phases:

1. **Recon** -- parallel research agents map the application's architecture, trust boundaries, and input surfaces. Produces `architecture.md`.
2. **Hunt** -- parallel general agents attack the codebase from different angles (injection, access control, business logic, cryptography, feature abuse, chained attacks, and a wildcard). Each agent can spawn sub-agents to dig deeper.
3. **Validate** -- separate agents try to *disprove* each finding. Adversarial review kills false positives.
4. **Report** -- produces `REPORT.md` (human-readable) and `FINDINGS-DETAIL.md` (detailed traces for MEDIUM+ findings).
5. **Structured output** -- writes `findings.json` conforming to `report-schema.json`, validated by `validate-findings.cjs`.
6. **Independent verification** -- fresh agents verify every factual claim in the structured output against the actual source code.

Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior `findings.json` files to skip known issues and target gaps.

## Files

| File | Purpose |
|------|---------|
| `SKILL.md` | Setup, core pr

Topics

No topics yet


Data from GitHub, synced: 2026-07-03