Fetching from the wire…
Public story · 2026-07-16 · high
The MIT-licensed tool pulled 2,538 GitHub stars in four weeks and works with any coding agent that can run parallel subagents.
Why now: Cloudflare's security-audit-skill crossed 2,538 GitHub stars in the four weeks since its June 18 release.
Cloudflare open-sourced a security-audit skill that turns a coding agent into a multi-phase auditor. Its core rule: the agent that finds a bug is never the agent that confirms it.
The stakes go beyond vulnerability scanning. Any team running agents unsupervised has hit the same failure: an agent reports a task done without actually checking it worked.
The skill runs six phases in sequence: recon, hunt, validate, report, structured output, and independent verification. The hunt phase sends parallel agents across separate vulnerability categories, then a different set of agents tries to disprove each finding.
Findings come out as JSON, checked against a report-schema.json file by a zero-dependency Node validator. The skill is agent-agnostic, needing only a model with tool use and the ability to run parallel subagents, per the repo.
The adversarial split is the part worth copying elsewhere. Adversarial verification means a separate process checks a claim instead of trusting the one who made it. It applies anywhere an agent self-reports success: code review, data pipelines, test suites. For context, a related tool, GitHub's Agentic Autofix, already runs an explore-fix-verify loop before opening a PR. An independent verification step is a small addition from there.
The repo doesn't say how verifying agents get picked, whether it's random assignment or a deliberate cut from the original hunt's context. That's what decides whether the adversarial step is real independence or a second look with the same blind spots.
Each link below shares sources, entities, or timing with this story.
Cloudflare supports MCP / Shared entities / Same source domain / Earlier coverage
Linked by a graph relationship (Cloudflare supports MCP); both cover Cloudflare, GitHub; reported by the same outlet (github.com).
Cloudflare released VibeSDK / Shared entities / Same source domain / Earlier coverage
Linked by a graph relationship (Cloudflare released VibeSDK); both cover Cloudflare, GitHub; reported by the same outlet (github.com).
Cloudflare released AI Gateway / Shared entities / Same source domain / Earlier coverage
Linked by a graph relationship (Cloudflare released AI Gateway); both cover Cloudflare, GitHub; reported by the same outlet (github.com).
Cloudflare supports MCP / Shared entities / Same source domain / Earlier coverage
Linked by a graph relationship (Cloudflare supports MCP); both cover Cloudflare, GitHub; reported by the same outlet (github.com).
Cloudflare supports MCP / Shared entity: GitHub / Same source domain / Earlier coverage / Tension
Linked by a graph relationship (Cloudflare supports MCP); both cover GitHub; reported by the same outlet (github.com).
Cursor partners with Cloudflare / Shared entity: GitHub / Same source domain / Earlier coverage / Tension
Linked by a graph relationship (Cursor partners with Cloudflare); both cover GitHub; reported by the same outlet (github.com).
Cloudflare released VibeSDK / Shared entities / Earlier coverage
Linked by a graph relationship (Cloudflare released VibeSDK); both cover Cloudflare, GitHub; earlier Cloudflare coverage from 2026-04-29.
Cursor partners with Cloudflare / Shared entity: GitHub / Same source domain / Earlier coverage / Tension
Linked by a graph relationship (Cursor partners with Cloudflare); both cover GitHub; reported by the same outlet (github.com).