A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact.
This is the skill that seeded Cloudflare's vulnerability discovery harness, described in Build your own vulnerability harness. The harness grew into a multi-stage, fleet-wide system; this skill is the single-repo starting point it evolved from.
The skill runs a structured audit in six phases:
architecture.md.REPORT.md (human-readable) and FINDINGS-DETAIL.md (detailed traces for MEDIUM+ findings).findings.json conforming to report-schema.json, validated by validate-findings.cjs.Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior findings.json files to skip known issues and target gaps.
| File | Purpose |
|---|---|
SKILL.md |
Setup, core principles, platform terminology, workflow overview, and audit anti-patterns |
RECONNAISSANCE.md |
Phase 1 reconnaissance prompts and synthesis instructions |
HUNTING.md |
Phase 2 orchestration, hunting methodology, and validation rules |
ATTACK-CLASSES.md |
Core, wildcard, and obvious-things attack prompts |
MEMORY-SAFETY-AND-BINARY.md |
Memory-safety, binary, and kernel hunting classes for native targets |
AI-AND-LLM.md |
Prompt-injection, agent/tool, and output-handling hunting classes for LLM-backed targets |
WEB-PROTOCOL-AND-AUTH.md |
HTTP request-framing, cache, and authentication-protocol hunting classes for HTTP-protocol and auth targets |
CLIENT-SIDE.md |
DOM-injection, messaging-trust, UI-redress, and prototype-pollution hunting classes for client-side/browser targets |
VALIDATION-AND-REPORTING.md |
Phases 3–6 validation, reporting, and verification |
report-schema.json |
JSON schema for findings.json (confirmed and rejected finding structures) |
validate-findings.cjs |
Zero-dependency Node.js validator that checks findings.json against the schema |
Install the skill with the Skills CLI:
npx skills add https://github.com/cloudflare/security-audit-skill \
--skill security-audit
Use --global for a user-level installation:
npx skills add https://github.com/cloudflare/security-audit-skill \
--skill security-audit \
--global
Run npx skills --help for agent-selection and non-interactive options.
Start your coding agent in (or pointed at) the codebase you want to audit, then ask it to do a security audit:
security audit this codebase
find security vulnerabilities in ./src
do a security review, output to ~/audits/my-project
The skill activates automatically when the request matches its trigger (security audit, find vulnerabilities, pen-test the code, etc.). It will ask for an output directory if you don't specify one, defaulting to ~/security-audit-skill/<repo-name>/run-<N>.
validate-findings.cjs schema validation in Phase 5)Questions, feedback, or comparing notes on AI-driven security tooling: security-ai-research@cloudflare.com
MIT -- see LICENSE.
$ claude mcp add security-audit-skill \
-- python -m otcore.mcp_server <graph>