Security Audit
RORO edited this page Jul 2, 2026 · 2 revisions
Turns the agent into a security auditor whose job is to find exploitable vulnerabilities with real impact, not theoretical concerns. It orchestrates parallel sub-agents through six phases.

- Recon: parallel `Explore` agents map architecture, trust boundaries, and input surfaces into `architecture.md`.
- Hunt: parallel `general-purpose` agents attack by class (injection, access control, business logic, cryptography, feature abuse, chained attacks, wildcard, obvious things). Each hunter can spawn `Explore` sub-agents.
- Validate: separate `Explore` agents try to disprove each finding. The agent that validates is never the agent that found it.
- Report: writes `REPORT.md` and `FINDINGS-DETAIL.md` (traces for MEDIUM and above).
- Structured output: writes `findings.json` against `report-schema.json`, checked by `validate-findings.cjs`.
- Independent verification: fresh agents recheck every claim against the source.

Severity is likelihood and impact combined.
- CRITICAL: unauthenticated RCE, full database dump, admin takeover without credentials.
- HIGH: authenticated RCE, SQL injection with data exfiltration, stored XSS for all users, auth bypass, a fully defeated permission boundary.
- MEDIUM: targeted XSS, CSRF with real state change, secret disclosure, limited business-logic bypass.
- LOW: non-secret info disclosure, DoS needing sustained effort, hardening gaps.
- Only report what you can exploit. Every finding needs a concrete attack.
- Defense-in-depth gaps are hardening notes, not vulnerabilities.
- Kill false positives hard, but do not kill real findings.
- Multiple runs improve coverage. A single run finds about half of what several runs find.
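
The separation of finder and validator, the severity levels, and the "concrete attack" rule above can be checked mechanically over the structured output. This is an added example, not the project's `validate-findings.cjs` or its `report-schema.json`: the field names (`id`, `severity`, `attack`, `foundBy`, `validatedBy`, `trace`) and the sample findings are assumptions constructed for illustration.

```javascript
// Added example. Field names are hypothetical, not the project's schema.
const SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];

// Returns a list of rule violations; an empty list means the findings pass.
function checkFindings(findings) {
  const errors = [];
  findings.forEach((f, i) => {
    const id = typeof f.id === "string" && f.id ? f.id : `#${i}`;
    const fail = (msg) => errors.push(`${id}: ${msg}`);

    const rank = SEVERITIES.indexOf(f.severity);
    if (rank === -1) fail(`unknown severity ${JSON.stringify(f.severity)}`);

    // "Every finding needs a concrete attack."
    if (typeof f.attack !== "string" || f.attack.trim() === "") {
      fail("no concrete attack described");
    }

    // "The agent that validates is never the agent that found it."
    if (!f.foundBy || !f.validatedBy) {
      fail("missing finder or validator");
    } else if (f.foundBy === f.validatedBy) {
      fail("validated by the agent that found it");
    }

    // Traces are written for MEDIUM and above.
    const hasTrace = Array.isArray(f.trace) && f.trace.length > 0;
    if (rank >= SEVERITIES.indexOf("MEDIUM") && !hasTrace) {
      fail("MEDIUM or above without a trace");
    }
  });
  return errors;
}

// Constructed sample findings (agent names and paths are placeholders).
const SAMPLE = [
  { id: "F-001", severity: "HIGH", attack: "Logged-in user reads another user's record by id",
    foundBy: "hunter-access-control", validatedBy: "validator-1",
    trace: ["routes/records.js -> getRecord()"] },
  { id: "F-002", severity: "MEDIUM", attack: "State-changing request accepted without a CSRF token",
    foundBy: "hunter-injection", validatedBy: "hunter-injection" },
  { id: "F-003", severity: "INFO", attack: "",
    foundBy: "hunter-crypto", validatedBy: "validator-2" },
  { id: "F-004", severity: "LOW", attack: "Version string exposed in an error page",
    foundBy: "hunter-obvious", validatedBy: "validator-2" },
];

console.log(checkFindings(SAMPLE).join("\n"));
```
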
SKILL.md, RECONNAISSANCE.md, HUNTING.md, ATTACK-CLASSES.md, VALIDATION-AND-REPORTING.md, report-schema.json, validate-findings.cjs.
Based on Cloudflare's security-audit-skill.