تشغيل أي مهارة في Manus بنقرة واحدة

security-audit

النجوم١٣

التفرعات٤

آخر تحديث١٦ أبريل ٢٠٢٦ في ١٤:١٢

Comprehensive OWASP Top 10 security vulnerability scanning and compliance reporting for Drupal and WordPress. Spawns security-specialist for full analysis. Invoke when user runs /audit-security, requests a full security audit, needs OWASP compliance review, or asks for comprehensive vulnerability scanning. Supports --quick, --standard, --comprehensive depth modes and scope/format/severity flags.

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

kanopi

kanopi/cms-cultivator

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

محللو أمن المعلوماتمهن الحاسوب والرياضيات·SOC 15-1212

مستكشف الملفات

2 ملفات

SKILL.md

readonly

name	security-audit
description	Comprehensive OWASP Top 10 security vulnerability scanning and compliance reporting for Drupal and WordPress. Spawns security-specialist for full analysis. Invoke when user runs /audit-security, requests a full security audit, needs OWASP compliance review, or asks for comprehensive vulnerability scanning. Supports --quick, --standard, --comprehensive depth modes and scope/format/severity flags.

Security Audit

Comprehensive OWASP Top 10 security vulnerability scanning using the security-specialist agent.

Usage

/audit-security — Full OWASP Top 10 audit (standard depth)
/audit-security --quick --scope=current-pr — Pre-commit security check
/audit-security --comprehensive --format=summary — Pre-release deep audit with executive summary
/audit-security --standard --format=sarif — Security tools integration
/audit-security xss — Legacy focus area (still supported)

Arguments

Depth Modes

--quick — OWASP Top 3 only (~5 min): SQL injection, XSS, auth issues
--standard — OWASP Top 10 (default, ~15 min)
--comprehensive — OWASP Top 10 + CVE scanning + config review (~30 min)

Scope Control

--scope=current-pr — Only files changed in current PR
--scope=user-input — Forms, queries, file uploads, API endpoints
--scope=auth — Authentication/authorization logic
--scope=api — API endpoints and integrations
--scope=module=<name> — Specific module/directory
--scope=file=<path> — Single file
--scope=entire — Full codebase (default)

Output Formats

--format=report — Detailed security report with remediation steps (default)
--format=json — Structured JSON for CI/CD
--format=summary — Executive summary with risk assessment
--format=sarif — SARIF format for security tools integration

Severity Thresholds

--min-severity=high — Only high and critical issues
--min-severity=medium — Medium, high, and critical (default)
--min-severity=low — All findings including informational

Legacy Focus Areas (Still Supported)

injection, xss, csrf, auth, encryption, dependencies

Environment Detection

Tier 1 — Portable (Claude Desktop, Codex, any environment)

When Task() or bash tools are unavailable, perform security analysis directly:

Parse arguments — Determine depth, scope, format, and minimum severity
Identify files to analyze — Use Glob and Grep to find PHP, JS, and template files
Analyze security directly:
- Use Read and Grep to scan for SQL injection patterns (raw queries, string concatenation)
- Check for XSS vulnerabilities (unescaped output, innerHTML, echo without sanitization)
- Review CSRF protection (nonce verification, token validation)
- Check authentication patterns and authorization logic
- Identify hardcoded credentials or secrets in code
- Review CMS-specific patterns (Drupal db_query without placeholders, WordPress $wpdb without prepare())
Generate report — Format findings per requested output format, prioritized Critical → High → Medium → Low
Save report — Write to audit-security-YYYY-MM-DD-HHMM.md and present path to user

Supported checks in Tier 1: code pattern analysis for OWASP Top 10, CMS-specific vulnerability patterns.

Tier 2 — Claude Code Enhanced

When running in Claude Code with Task() available:

Parse arguments — Determine depth, scope, format, and minimum severity
Determine files — For --scope=current-pr:
```
git diff --name-only origin/main...HEAD | grep -E '\.(php|tsx?|jsx?|sql)$'
```
For --scope=user-input: find *Form*.php, *Controller*.php, *API*.php For --scope=auth: find *Auth*.php, *Login*.php, *Permission*.php

Spawn security-specialist:

Task(cms-cultivator:security-specialist:security-specialist,
     prompt="Perform comprehensive OWASP security audit with:
       - Depth mode: {depth}
       - Scope: {scope}
       - Format: {format}
       - Minimum severity: {min_severity}
       - Focus area: {focus or 'complete audit'}
       - Files to analyze: {file_list}
     Scan for OWASP Top 10 vulnerabilities, check input validation and output encoding, analyze authentication/authorization, review CMS-specific security for Drupal and WordPress, and check dependencies for CVEs. Save report to audit-security-YYYY-MM-DD-HHMM.md and present the file path.")

Present results to user with file path

OWASP Top 10 Coverage

A01 Broken Access Control — Permission checks, access control bypass
A02 Cryptographic Failures — Encryption, sensitive data exposure
A03 Injection — SQL, command, LDAP injection
A04 Insecure Design — Architecture-level security issues
A05 Security Misconfiguration — Default configs, unnecessary features
A06 Vulnerable Components — Outdated dependencies with CVEs
A07 Auth Failures — Authentication/session management
A08 Integrity Failures — CI/CD pipeline security
A09 Logging Failures — Insufficient security logging
A10 SSRF — Server-side request forgery

CMS-Specific Checks

Drupal: Form API CSRF tokens, db_query() with placeholders, render API XSS prevention, node access system, permissions.yml review

WordPress: $wpdb->prepare(), nonce verification, capability checks, sanitize_/esc_ usage, wp_verify_nonce(), update_option() security

Related Skills

security-scanner — Quick code-level security checks (auto-activates on "is this secure?")
audit-export — Export findings to CSV for project management tools
audit-report — Generate client-facing executive summary from audit file

المزيد من هذا المستودع

نفس المستودع

pr-review

kanopi/cms-cultivator

Review a pull request or analyze local changes before submitting. Auto-activates when user mentions reviewing a PR, asks for code review, wants to analyze their changes before submitting, or mentions "pr-review self". Invoke when user provides a PR number to review or says "review self", "review my changes", or "pr review". Supports focus areas: code, security, breaking, testing, size, performance.

2026-05-2213

csv-exporter

kanopi/cms-cultivator

Generate properly formatted Teamwork CSV files from Functional Requirements Documents. Converts FRD requirements into CSV backlog with task hierarchy, priorities, story points, and estimated hours. Automatically populates estimated time from story point conversion. Invoke when user asks to "export to CSV", "create Teamwork backlog", or needs project backlog file.

2026-05-1413

teamwork-exporter

kanopi/cms-cultivator

Automatically export audit findings, security issues, performance problems, or accessibility violations to Teamwork tasks when other agents complete their analysis. Converts technical findings into actionable project management tasks with appropriate priorities and templates. Invoke when audit agents finish reports, user says "export to Teamwork", or findings need project tracking.

2026-05-1413

teamwork-integrator

kanopi/cms-cultivator

Automatically look up Teamwork task status, details, or project information when user mentions ticket numbers, asks "what's the status of", or needs quick project context. Performs focused queries without creating or modifying data. Invoke when user asks "status of PROJ-123", "what's in that ticket?", "show me task details", or references Teamwork ticket numbers.

2026-05-1413

teamwork-task-creator

kanopi/cms-cultivator

Automatically create properly formatted Teamwork tasks when user provides task details, mentions creating tickets, or shares work that needs tracking. Performs context-aware template selection and ensures all required sections are included. Invoke when user says "create a task", "make a ticket", "track this work", or provides requirements to document.

2026-05-1413

strategist-site-audit

kanopi/cms-cultivator

Strategist-focused site audit for discovery and pre-discovery. Given a site URL and optional qualitative research data, navigates the site via CoWork, audits against all 21 UX Laws from lawsofux.com, reviews content hierarchy, synthesises qualitative data, runs Lighthouse, and produces two deliverables — a Project Knowledge Summary (Markdown for Claude Desktop Projects) and a polished, iterable HTML Artifact for client sharing. Use when a strategist, UX lead, or PM asks for a discovery audit, UX laws audit, content hierarchy review, pre-discovery site review, "audit this site for strategy", "strategist audit", "UX audit", or pastes a site URL with discovery context. Not for developer audits — use accessibility-audit, performance-audit, or live-site-audit for those.

2026-05-1413

name	security-audit
description	Comprehensive OWASP Top 10 security vulnerability scanning and compliance reporting for Drupal and WordPress. Spawns security-specialist for full analysis. Invoke when user runs /audit-security, requests a full security audit, needs OWASP compliance review, or asks for comprehensive vulnerability scanning. Supports --quick, --standard, --comprehensive depth modes and scope/format/severity flags.

Security Audit

Comprehensive OWASP Top 10 security vulnerability scanning using the security-specialist agent.

Usage

/audit-security — Full OWASP Top 10 audit (standard depth)
/audit-security --quick --scope=current-pr — Pre-commit security check
/audit-security --comprehensive --format=summary — Pre-release deep audit with executive summary
/audit-security --standard --format=sarif — Security tools integration
/audit-security xss — Legacy focus area (still supported)

Arguments

Depth Modes

--quick — OWASP Top 3 only (~5 min): SQL injection, XSS, auth issues
--standard — OWASP Top 10 (default, ~15 min)
--comprehensive — OWASP Top 10 + CVE scanning + config review (~30 min)

Scope Control

--scope=current-pr — Only files changed in current PR
--scope=user-input — Forms, queries, file uploads, API endpoints
--scope=auth — Authentication/authorization logic
--scope=api — API endpoints and integrations
--scope=module=<name> — Specific module/directory
--scope=file=<path> — Single file
--scope=entire — Full codebase (default)

Output Formats

--format=report — Detailed security report with remediation steps (default)
--format=json — Structured JSON for CI/CD
--format=summary — Executive summary with risk assessment
--format=sarif — SARIF format for security tools integration

Severity Thresholds

--min-severity=high — Only high and critical issues
--min-severity=medium — Medium, high, and critical (default)
--min-severity=low — All findings including informational

Legacy Focus Areas (Still Supported)

injection, xss, csrf, auth, encryption, dependencies

Environment Detection

Tier 1 — Portable (Claude Desktop, Codex, any environment)

When Task() or bash tools are unavailable, perform security analysis directly:

Parse arguments — Determine depth, scope, format, and minimum severity
Identify files to analyze — Use Glob and Grep to find PHP, JS, and template files
Analyze security directly:
- Use Read and Grep to scan for SQL injection patterns (raw queries, string concatenation)
- Check for XSS vulnerabilities (unescaped output, innerHTML, echo without sanitization)
- Review CSRF protection (nonce verification, token validation)
- Check authentication patterns and authorization logic
- Identify hardcoded credentials or secrets in code
- Review CMS-specific patterns (Drupal db_query without placeholders, WordPress $wpdb without prepare())
Generate report — Format findings per requested output format, prioritized Critical → High → Medium → Low
Save report — Write to audit-security-YYYY-MM-DD-HHMM.md and present path to user

Supported checks in Tier 1: code pattern analysis for OWASP Top 10, CMS-specific vulnerability patterns.

Tier 2 — Claude Code Enhanced

When running in Claude Code with Task() available:

Parse arguments — Determine depth, scope, format, and minimum severity
Determine files — For --scope=current-pr:
```
git diff --name-only origin/main...HEAD | grep -E '\.(php|tsx?|jsx?|sql)$'
```
For --scope=user-input: find *Form*.php, *Controller*.php, *API*.php For --scope=auth: find *Auth*.php, *Login*.php, *Permission*.php

Spawn security-specialist:

Task(cms-cultivator:security-specialist:security-specialist,
     prompt="Perform comprehensive OWASP security audit with:
       - Depth mode: {depth}
       - Scope: {scope}
       - Format: {format}
       - Minimum severity: {min_severity}
       - Focus area: {focus or 'complete audit'}
       - Files to analyze: {file_list}
     Scan for OWASP Top 10 vulnerabilities, check input validation and output encoding, analyze authentication/authorization, review CMS-specific security for Drupal and WordPress, and check dependencies for CVEs. Save report to audit-security-YYYY-MM-DD-HHMM.md and present the file path.")

Present results to user with file path

OWASP Top 10 Coverage

A01 Broken Access Control — Permission checks, access control bypass
A02 Cryptographic Failures — Encryption, sensitive data exposure
A03 Injection — SQL, command, LDAP injection
A04 Insecure Design — Architecture-level security issues
A05 Security Misconfiguration — Default configs, unnecessary features
A06 Vulnerable Components — Outdated dependencies with CVEs
A07 Auth Failures — Authentication/session management
A08 Integrity Failures — CI/CD pipeline security
A09 Logging Failures — Insufficient security logging
A10 SSRF — Server-side request forgery

CMS-Specific Checks

Drupal: Form API CSRF tokens, db_query() with placeholders, render API XSS prevention, node access system, permissions.yml review

WordPress: $wpdb->prepare(), nonce verification, capability checks, sanitize_/esc_ usage, wp_verify_nonce(), update_option() security

Related Skills

security-scanner — Quick code-level security checks (auto-activates on "is this secure?")
audit-export — Export findings to CSV for project management tools
audit-report — Generate client-facing executive summary from audit file