Cloudflare Ships a Security Audit Skill Where the Agent That Finds a Bug Is Never the One That Confirms It
cloudflare/security-audit-skill (MIT) turns a coding agent into a multi-phase security auditor and has pulled 2,538 stars since 2026-06-18. Its six-phase kill chain — recon, hunt, validate, report, structured output, independent verification — fans parallel agents across vulnerability categories, then deliberately assigns *different* agents to disprove each finding, enforcing the rule that 'the agent that checks a finding is never the agent that found it.' Findings emit as JSON validated against report-schema.json by a zero-dependency Node validator. It's agent-agnostic, requiring only a model with tool use and parallel subagents. The adversarial-verification pattern is the transferable idea here, not the security domain.
Source
↳ Follow the thread