The simple call of "pkg audit" fails because it tries to download a list of known vulnerabilities and uses a path by default that is only available read-only here. However, this path can be overridden when calling it.

With the following call

 pkg audit -F -f /tmp/audit.txt

the file with the security vulnerabilities is saved as /tmp/audit.txt, whereby the name and path are of course freely selectable, as long as the target directory exists and is writable.

The -F parameter causes any existing file to be ignored and the list to be retrieved again; it makes sense to throw the file away after use.