Skip to main content
تشغيل أي مهارة في Manus
بنقرة واحدة
مستودع GitHub

vibe-pentest

يحتوي vibe-pentest على 36 من skills المجمعة من ok-helloworld، مع تغطية مهنية على مستوى المستودع وصفحات skill داخل الموقع.

skills مجمعة
36
Stars
207
محدث
2026-07-08
Forks
22
التغطية المهنية
2 فئات مهنية · 100% مصنفة
مستكشف المستودعات

Skills في هذا المستودع

vibe-pentest
محللو أمن المعلومات

AI 渗透测试:多 Agent 并行架构的 Web 应用渗透测试技能。 流程: 指纹识别 → 后台入口扫描 → API 预扫描 → 浏览器登录提取凭证(可选) → GoSpider 爬虫 → 过滤数据 → 指纹汇总 → 多 Agent 并行渗透测试 → 攻击链分析 → 漏洞证据复查 → 导出 JSON 报告 → 主机漏洞扫描 (可选)。 纯黑盒测试,不依赖源码。平台无关设计,可在任意 Agent 平台创建和使用。

2026-07-08
poc-agent
محللو أمن المعلومات

基于指纹识别结果(tech_stack),优先匹配本地 POC;在用户明确授权时补充联网搜索 POC,并通过 http_test.py 验证已知漏洞。 工作流程:读取指纹识别结果 → 提取关键字搜索本地与联网 POC → 整理待验证清单 → 解析 POC 定义 → 构造 http_test.py 命令 → 评估匹配器 → 回填 findings。

2026-07-08
auth-agent
محللو أمن المعلومات

负责认证与会话类漏洞检测:认证绕过/暴力破解/会话管理/JWT/OAuth/SAML/ 密码重置绕过/验证码绕过/不安全随机数/用户枚举/OIDC/CSRF。 受控密码测试为条件执行:根据用户授权、测试账号情况、验证码类型和登录保护强度自主决策。

2026-07-02
api-agent
محللو أمن المعلومات

负责 API 安全类漏洞检测:未授权访问/BOLA/BFLA/批量赋值/GraphQL 深度测试/ API 参数篡改/隐藏参数发现/WebSocket 安全/API 版本枚举/ 过度数据暴露

2026-06-24
business-agent
محللو أمن المعلومات

负责业务逻辑漏洞检测:业务流程绕过、状态机缺陷、竞态滥用、价格篡改、 优惠券滥用、库存与数量操纵,以及订单、支付、订阅等场景中的业务规则滥用

2026-06-24
file-agent
محللو أمن المعلومات

负责文件类漏洞检测:路径穿越/LFI/RFI/LFI→RCE、任意文件上传、文件包含、 任意文件下载、Zip Slip、SVG/CSV 注入、PHP Wrapper 利用、PEARCMD RCE、 编辑器路径利用、敏感文件泄露与文件解析链风险。

2026-06-24
injection-agent
محللو أمن المعلومات

负责所有注入类漏洞检测:SQLi/NoSQL/XSS(存储/反射/DOM)/SSRF/XXE/SSTI/RCE/反序列化/CRLF/XSLT/EL/JNDI

2026-06-24
misc-agent
محللو أمن المعلومات

负责外围攻击面与协议边界安全检测:信息泄露/开放重定向/CORS/CSP/安全头/目录索引/子域名接管/401-403绕过/Web缓存欺骗/Clickjacking/Host头攻击

2026-06-24
vuln-analysis-agent
مطوّرو البرمجيات

Vibe Pentest 漏洞综合分析 Agent。固定负责 Phase 5.5 攻击链分析与 Phase 5.6 漏洞证据复查:读取已启用的渗透 Agent 的 findings,输出 attack_chains.json

2026-06-24
business-logic-vulnerabilities
مطوّرو البرمجيات

Business logic vulnerability playbook. Use when reasoning about workflows, race conditions, price manipulation, coupon abuse, state machines, and multi-step authorization gaps.

2026-06-24
cmdi-command-injection
مطوّرو البرمجيات

Command injection playbook. Use when user input may reach shell commands, process execution, converters, import pipelines, or blind out-of-band command sinks.

2026-06-24
file-access-vuln
مطوّرو البرمجيات

Entry P1 category router for file access and upload workflows. Use when testing download endpoints, file paths, local file inclusion, upload flows, preview pipelines, archive extraction, or storage and sharing boundaries.

2026-06-24
ghost-bits-cast-attack
مطوّرو البرمجيات

Java "Ghost Bits" / Cast Attack playbook (Black Hat Asia 2026). Use when attacking Java services where 16-bit char is silently narrowed to 8-bit byte to bypass WAF/IDS for SQL injection, deserialization RCE, file upload (Webshell), path traversal, CRLF injection, request smuggling, and SMTP injection. Affects Tomcat, Spring, Jetty, Undertow, Vert.x, Jackson, Fastjson, Apache Commons BCEL, Apache HttpClient, Angus Mail, JDK HttpServer, Lettuce, Jodd, XMLWriter and re-enables many "patched" CVEs through WAF bypass.

2026-06-24
injection-checking
مطوّرو البرمجيات

Entry P1 category router for injection testing. Use when routing between XSS, SQLi, SSRF, XXE, SSTI, command injection, and NoSQL injection workflows based on how attacker-controlled input is consumed.

2026-06-24
path-traversal-lfi
مطوّرو البرمجيات

Path traversal and LFI playbook. Use when file paths, download endpoints, include operations, archive extraction, or wrapper behavior may expose filesystem control.

2026-06-24
xss-cross-site-scripting
مطوّرو البرمجيات

XSS playbook. Use when user-controlled content reaches HTML, attributes, JavaScript, DOM sinks, uploads, or multi-context rendering paths.

2026-06-24
xxe-xml-external-entity
مطوّرو البرمجيات

XXE playbook. Use when XML, SVG, OOXML, SOAP, or parser-driven imports may resolve external entities, files, or internal network resources.

2026-06-24
deserialization-insecure
محللو أمن المعلومات

Insecure deserialization playbook. Use when Java, PHP, or Python applications deserialize untrusted data via ObjectInputStream, unserialize, pickle, or similar mechanisms that may lead to RCE, file access, or privilege escalation.

2026-06-15
authbypass-authentication-flaws
محللو أمن المعلومات

Authentication bypass testing playbook. Use when assessing login flows, password reset logic, account recovery, MFA bypass, token predictability, brute-force resistance, and session boundary flaws.

2026-06-07
cors-cross-origin-misconfiguration
محللو أمن المعلومات

CORS misconfiguration testing playbook. Use when analyzing cross-origin trust, credentialed browser reads, origin reflection, preflight policy bugs, and browser-based access to authenticated APIs.

2026-06-07
csp-bypass-advanced
محللو أمن المعلومات

Advanced Content Security Policy bypass techniques. Use when XSS or data exfiltration is blocked by CSP and you need to find policy weaknesses, trusted endpoint abuse, nonce leakage, or exfiltration channels that CSP cannot block.

2026-06-07
csrf-cross-site-request-forgery
محللو أمن المعلومات

CSRF testing playbook. Use when reviewing state-changing web flows, anti-CSRF defenses, SameSite behavior, JSON CSRF, login CSRF, and OAuth state handling.

2026-06-07
dangling-markup-injection
محللو أمن المعلومات

Dangling markup injection playbook. Use when HTML injection is possible but JavaScript execution is blocked (CSP, sanitizer strips event handlers, WAF blocks script tags) — exfiltrate CSRF tokens, session data, and page content by injecting unclosed HTML tags that capture subsequent page content.

2026-06-07
dns-rebinding-attacks
محللو أمن المعلومات

DNS rebinding attack playbook. Use when testing applications that trust DNS resolution for origin checks, interact with internal services from browser context, or when SSRF is not possible server-side but the target has client-side fetch/XHR to attacker-controlled domains.

2026-06-07
email-header-injection
محللو أمن المعلومات

Email header injection and spoofing playbook. Use when testing contact forms, email APIs, password reset flows, or any feature that constructs SMTP messages with user-controlled fields. Covers CRLF injection in headers, SPF/DKIM/DMARC bypass, and phishing amplification.

2026-06-07
http-host-header-attacks
محللو أمن المعلومات

HTTP Host header injection and routing abuse playbook. Use when the application trusts the Host header for generating URLs, routing requests, or access control — enabling password reset poisoning, web cache poisoning, SSRF via routing, and virtual host bypass.

2026-06-07
jndi-injection
محللو أمن المعلومات

JNDI injection playbook. Use when Java applications perform JNDI lookups with attacker-controlled names, especially via Log4j2, Spring, or any code path reaching InitialContext.lookup().

2026-06-07
jwt-oauth-token-attacks
محللو أمن المعلومات

JWT and OAuth token attack playbook. Use when validating token trust, signing algorithms, key handling, claim abuse, bearer flows, and OAuth account-binding weaknesses.

2026-06-07
open-redirect
محللو أمن المعلومات

Open redirect playbook. Use when URL parameters, form actions, or JavaScript sinks control navigation targets and may redirect users to attacker-controlled destinations.

2026-06-07
prototype-pollution-advanced
محللو أمن المعلومات

Advanced prototype pollution playbook — server-side RCE, client-side gadgets, filter bypasses, and detection techniques. Companion to ../prototype-pollution/ for basics. Use when you've confirmed pollution and need to escalate to code execution or find framework-specific gadgets.

2026-06-07
request-smuggling
محللو أمن المعلومات

HTTP request smuggling and desynchronization testing. Use when front proxies, CDNs, or load balancers disagree with the origin on message framing (Content-Length vs Transfer-Encoding), on HTTP/2→HTTP/1 translation, or when exploring client-side desync via browser fetch pipelines.

2026-06-07
sqli-sql-injection
محللو أمن المعلومات

SQL injection playbook. Use when input reaches SQL queries, authentication logic, sorting, filtering, reporting, or DB-specific blind and out-of-band execution paths.

2026-06-07
ssrf-server-side-request-forgery
محللو أمن المعلومات

SSRF playbook. Use when the server fetches URLs, resolves hostnames, imports remote content, or can be driven toward internal networks, cloud metadata, or secondary protocols.

2026-06-07
ssti-server-side-template-injection
محللو أمن المعلومات

SSTI playbook. Use when template expressions, server-side rendering, preview features, or templating engines may evaluate attacker-controlled content.

2026-06-07
websocket-security
محللو أمن المعلومات

WebSocket handshake, CSWSH, tooling (wsrepl, ws-harness, Burp), and common flaws. Use when apps use real-time channels, chat, notifications, or WS-backed APIs.

2026-06-07
insecure-source-code-management
محللو أمن المعلومات

Source control and artifact exposure (.git, .svn, .hg, backups, .env). Use when recon finds VCS paths, 403 on hidden dirs, or backup/config leaks during authorized testing.

2026-06-05