تشغيل أي مهارة في Manus بنقرة واحدة

amend-skill

Inspects a skill's SKILL.md and its observations/runs.md log, identifies failure patterns, and proposes a targeted amendment to improve the skill. Trigger on: "improve this skill", "fix this skill", "update this skill", "why does X keep failing", "this skill is wrong", "add this to the skill", or automatically when observations/<skill-name>/runs.md contains 3 or more failure entries. Outputs the amendment as a diff the user can review before applying. Records the amendment rationale in observations/<skill-name>/runs.md after user confirmation.

تشغيل في Manus

النجوم٤

التفرعات١

آخر تحديث١٤ مارس ٢٠٢٦ في ١٣:١٧

المصدر

securityfortech

securityfortech/hacking-skills

فتح مستودع GitHub عرض مستودعات المنشئ

أمر التثبيت

تنزيل

تشغيل في Manus

مفيد لـSOC

مطوّرو البرمجياتمهن الحاسوب والرياضيات15-1252L4

SKILL.md

readonly

name	amend-skill
description	Inspects a skill's SKILL.md and its observations/runs.md log, identifies failure patterns, and proposes a targeted amendment to improve the skill. Trigger on: "improve this skill", "fix this skill", "update this skill", "why does X keep failing", "this skill is wrong", "add this to the skill", or automatically when observations/<skill-name>/runs.md contains 3 or more failure entries. Outputs the amendment as a diff the user can review before applying. Records the amendment rationale in observations/<skill-name>/runs.md after user confirmation.
license	MIT
compatibility	Designed for Claude Code. No external tools required.
metadata	{"category":"meta","version":"0.1","source":"original","source_types":"original"}

Amend Skill

Purpose

Skills degrade over time as targets change, new bypass techniques emerge, and failure patterns accumulate. This skill closes the feedback loop: it reads execution history, identifies what is systematically failing, and proposes a minimal surgical amendment to the skill.

Trigger Conditions

Activate this skill when:

User says "improve this skill", "fix this skill", "update this skill", "amend this skill"
User says "why does X keep failing" where X is a skill name
User says "add this to the skill" after describing a new technique that worked
observations/<skill-name>/runs.md contains 3 or more entries with outcome: fail

Methodology

Identify the target skill — confirm the skill name with the user if ambiguous.
Read the skill — load skills/<bucket>/<category>/<skill-name>/SKILL.md in full.
Read the observations — load observations/<skill-name>/runs.md.
Analyze failure patterns:
- Which steps consistently fail?
- Which payloads are blocked or produce wrong output?
- Which trigger conditions are missing or too broad?
- Are there new bypass techniques that worked but aren't documented?
- Is the output format causing downstream confusion?
Formulate a single targeted amendment — one focused change rather than a full rewrite. The amendment should be one of:
- Tighten trigger: remove or refine a trigger condition that causes false activation
- Add missing condition: add a step, payload, or bypass that is now needed
- Reorder steps: move a high-value step earlier to avoid wasted time
- Fix payload: update an outdated payload that no longer works
- Change output format: restructure how the skill presents findings
Output the amendment as a unified diff — show old text and proposed new text side by side.
Ask for confirmation — do not apply until the user approves.
Apply and record — edit the SKILL.md, then append to observations/<skill-name>/runs.md:

---
date: YYYY-MM-DD
skill: <skill-name>
task: Amendment applied via amend-skill
outcome: amendment
what_worked: |
  <describe what the amendment changes and why>
what_failed: |
  <describe the failure pattern that motivated the amendment>
errors: |
  N/A
notes: |
  Amendment type: <tighten-trigger | add-condition | reorder-steps | fix-payload | change-output>
  Rationale: <one-sentence reason>
---

Example Interaction

User: "why does sql-injection keep failing on this target?"

Process:

Read skills/owasp-wstg/injection/sql-injection/SKILL.md
Read observations/sql-injection/runs.md — finds 3 fail entries, all noting WAF blocking ' and --
Analysis: Bypass section exists but WAF-specific encoding variants not prominent enough in step 2
Amendment: Move WAF bypass step earlier in Methodology, add a WAF detection pre-step

Output:

-2. Submit `'`, `"`, `;`, `--`, `/* */` individually and observe response differences.
-3. Confirm with boolean pair: append `AND 1=1--` (true) vs `AND 1=2--` (false).
+2. Check for WAF: submit `'` and observe whether the response is a WAF block page (uniform
+   error regardless of input) vs. a database error (input-specific). If WAF present, use
+   encoding variants from the Bypass Techniques section before confirming injection.
+3. Submit `'`, `"`, `;`, `--`, `/* */` individually. If WAF present, substitute with
+   `%27`, `%2D%2D`, and comment fragmentation `UN/**/ION`.
+4. Confirm with boolean pair: `AND 1=1--` vs `AND 1=2--`.

Fix Patterns

This is a meta-skill — it has no fix patterns of its own. Its output is an amendment to another skill's fix patterns.

المزيد من هذا المستودع

نفس المستودع

distill-skill

securityfortech/hacking-skills

Use when the user wants to extract reusable offensive security knowledge from any source and generate a SKILL.md file. Trigger on: "distill this", "extract skill from", "turn this into a skill", "generate skill from", "convert this report/blog/book/walkthrough into a skill", or when the user pastes raw security content (bug report, pentest report, CTF writeup, blog post, ezine, book chapter) and wants it transformed into structured hunting methodology.

2026-03-144

bola-idor

securityfortech/hacking-skills

Use when hunting Broken Object Level Authorization (BOLA) or Insecure Direct Object Reference (IDOR) vulnerabilities in APIs or web applications. Trigger on: "BOLA", "IDOR", "broken object level", "access other users", "object reference", numeric or UUID IDs in URLs or request bodies, user-scoped resources, horizontal privilege escalation, "change the ID in the request", second-order IDOR, blind IDOR, indirect reference, encoded ID, deprecated API version, JSON globbing.

2026-03-144

cicd-bot-command-injection

securityfortech/hacking-skills

Use when hunting CI/CD bot comment command vulnerabilities where issue_comment or pull_request_review_comment triggers invoke privileged workflows without verifying the commenter's identity or authorization. Trigger on: "bot command injection", "issue_comment trigger", "@github-actions", "slash command CI", "CI bot command", "comment triggered workflow", "unauthenticated bot", "github-actions publish", "comment dispatch", no authorization check on workflow_dispatch from comment, chatops CI/CD, supply chain via PR comment.

2026-03-144

github-actions-cache-poisoning

securityfortech/hacking-skills

Use when hunting GitHub Actions cache poisoning vulnerabilities where an attacker can inject malicious content into the CI/CD cache and have it restored by a privileged downstream workflow. Trigger on: "cache poisoning", "actions/cache", "actions/setup-node", "node_modules cache", "GitHub Actions cache", "pnpm cache", "LRU eviction", "10GB limit", "Cacheract", "poisoned cache", "workflow cache attack", supply chain via CI cache, "ng-renovate", "cache stuffing", scheduled workflow cache restore, shared cache key, "hashFiles package.json", cross-workflow cache, PR workflow release workflow same key, "npm install prefer-offline", Cacheract, Gato-X, supply chain npm token.

2026-03-144

github-actions-script-injection

securityfortech/hacking-skills

Use when auditing GitHub Actions workflows for script injection vulnerabilities via unsanitized context expressions. Trigger on: "github actions injection", "workflow injection", "head_ref injection", "github context injection", "pwn request", "github.head_ref", "github.event.pull_request.title", "github.event.issue.body", pull_request_target workflows, run: steps interpolating GitHub context variables, CI/CD script injection, GitHub Actions security audit.

2026-03-144

pwn-request

securityfortech/hacking-skills

Use when hunting Pwn Request vulnerabilities where pull_request_target workflows checkout attacker-controlled PR code and execute it in a privileged context with access to repository secrets. Trigger on: "pwn request", "pull_request_target", "checkout PR head", "npm install in CI", "lifecycle scripts in CI", "preinstall script", "postinstall script", "package.json scripts CI", "npm ci ignore-scripts false", "actions/checkout ref pull request head sha", privileged workflow running PR code, "Gato-X", supply chain via PR lifecycle scripts.

2026-03-144

Amend Skill

Purpose

Trigger Conditions

Activate this skill when:

User says "improve this skill", "fix this skill", "update this skill", "amend this skill"

User says "why does X keep failing" where X is a skill name

User says "add this to the skill" after describing a new technique that worked

observations/<skill-name>/runs.md contains 3 or more entries with outcome: fail

Methodology

Identify the target skill — confirm the skill name with the user if ambiguous.

Read the skill — load skills/<bucket>/<category>/<skill-name>/SKILL.md in full.

Read the observations — load observations/<skill-name>/runs.md.

Analyze failure patterns:

Which steps consistently fail?
Which payloads are blocked or produce wrong output?
Which trigger conditions are missing or too broad?
Are there new bypass techniques that worked but aren't documented?
Is the output format causing downstream confusion?

Formulate a single targeted amendment — one focused change rather than a full rewrite. The amendment should be one of:

Tighten trigger: remove or refine a trigger condition that causes false activation
Add missing condition: add a step, payload, or bypass that is now needed
Reorder steps: move a high-value step earlier to avoid wasted time
Fix payload: update an outdated payload that no longer works
Change output format: restructure how the skill presents findings

Output the amendment as a unified diff — show old text and proposed new text side by side.

Ask for confirmation — do not apply until the user approves.

Apply and record — edit the SKILL.md, then append to observations/<skill-name>/runs.md:

--- date: YYYY-MM-DD skill: <skill-name> task: Amendment applied via amend-skill outcome: amendment what_worked: | <describe what the amendment changes and why> what_failed: | <describe the failure pattern that motivated the amendment> errors: | N/A notes: | Amendment type: <tighten-trigger | add-condition | reorder-steps | fix-payload | change-output> Rationale: <one-sentence reason> ---

Example Interaction

User: "why does sql-injection keep failing on this target?"

Process:

Read skills/owasp-wstg/injection/sql-injection/SKILL.md

Read observations/sql-injection/runs.md — finds 3 fail entries, all noting WAF blocking ' and --

Analysis: Bypass section exists but WAF-specific encoding variants not prominent enough in step 2

Amendment: Move WAF bypass step earlier in Methodology, add a WAF detection pre-step

Output:

-2. Submit `'`, `"`, `;`, `--`, `/* */` individually and observe response differences. -3. Confirm with boolean pair: append `AND 1=1--` (true) vs `AND 1=2--` (false). +2. Check for WAF: submit `'` and observe whether the response is a WAF block page (uniform + error regardless of input) vs. a database error (input-specific). If WAF present, use + encoding variants from the Bypass Techniques section before confirming injection. +3. Submit `'`, `"`, `;`, `--`, `/* */` individually. If WAF present, substitute with + `%27`, `%2D%2D`, and comment fragmentation `UN/**/ION`. +4. Confirm with boolean pair: `AND 1=1--` vs `AND 1=2--`.

Fix Patterns

This is a meta-skill — it has no fix patterns of its own. Its output is an amendment to another skill's fix patterns.