Six phases of prompts to make AI find (and disprove) its own bugs

What it does

This repository is a set of prompts, schemas, and orchestration rules that turns a coding agent into a structured security auditor. It guides parallel sub-agents through reconnaissance, vulnerability hunting, adversarial validation, and machine-readable reporting. The goal is exploitable findings with concrete attack scenarios, not theoretical checklist deviations.

The interesting bit

The clever part is the adversarial structure: agents that find bugs are not the agents that validate them. A separate validation phase tries to disprove every finding, and a final verification phase sends fresh agents to check factual claims against the source code. It is essentially a prompt-engineered peer-review system for automated code review.

Key highlights

• Six-phase pipeline: recon, hunt, validate, report, structure, and independently verify.
• findings.json output conforms to a strict JSON schema and is validated by a zero-dependency Node.js script.
• Multiple runs against the same repository are additive; the skill reads prior results to skip known issues and target gaps.
• Design rules are opinionated: defense-in-depth gaps are hardening notes, not vulnerabilities, and severity requires real impact.
• Single runs find roughly half the total vulnerabilities; coverage improves with repeated audits.

Caveats

• Requires a coding agent with tool use and parallel sub-agent support; this is not a standalone scanner.
• A single pass is intentionally incomplete, so you need multiple runs for broad coverage.
• Node.js is required only for the final schema validation step.

Verdict

Worth a look if you are building AI-driven security tooling or want to harden a codebase with agentic audits. Skip it if you need a traditional, deterministic static analysis tool that runs without a model backend.