Claude Skill
cloudflare/security-audit-skill
Cloudflare 的 security-audit-skill 让编码代理能够执行多阶段安全审计,生成独立验证且机器可读的审计结果。
概览
仓库信息
安装这个 Skill
npx skills add https://github.com/cloudflare/security-audit-skill \Registry 信息
项目简介
Cloudflare 开发的一种编码代理技能,用于执行多阶段安全审计,生成独立验证且机器可读的审计结果。
A coding-agent skill for multi-phase security audits with independently verified, machine-readable findings
要点
- 多阶段审计工作流程
- 独立验证的审计结果
- 机器可读的输出格式
- 专为编码代理设计
使用场景
- 自动化安全代码审查
- CI/CD 流水线安全检查
- 第三方代码审计验证
README 摘要
# security-audit A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact. This is the skill that seeded Cloudflare's vulnerability discovery harness, described in [Build your own vulnerability harness](https://blog.cloudflare.com/build-your-own-vulnerability-harness). The harness grew into a multi-stage, fleet-wide system; this skill is the single-repo starting point it evolved from. ## What it does The skill runs a structured audit in six phases: 1. **Recon** -- parallel research agents map the application's architecture, trust boundaries, and input surfaces. Produces `architecture.md`. 2. **Hunt** -- parallel general agents attack the codebase from different angles (injection, access control, business logic, cryptography, feature abuse, chained attacks, and a wildcard). Each agent can spawn sub-agents to dig deeper. 3. **Validate** -- separate agents try to *disprove* each finding. Adversarial review kills false positives. 4. **Report** -- produces `REPORT.md` (human-readable) and `FINDINGS-DETAIL.md` (detailed traces for MEDIUM+ findings). 5. **Structured output** -- writes `findings.json` conforming to `report-schema.json`, validated by `validate-findings.cjs`. 6. **Independent verification** -- fresh agents verify every factual claim in the structured output against the actual source code. Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior `findings.json` files to skip known issues and target gaps. ## Files | File | Purpose | |------|---------| | `SKILL.md` | Setup, core pr
话题
暂无话题