تشغيل أي مهارة في Manus بنقرة واحدة

$pwd:

ghost-proxy

Name: Ghost Proxy
Author: ghostsecurity

// Starts and controls the reaper MITM proxy to capture, inspect, search, and replay HTTP/HTTPS traffic between clients and servers. Capabilities include starting/stopping the proxy scoped to specific domains, viewing captured request/response logs, searching traffic by method/path/status/host, and inspecting full raw HTTP entries for security analysis. Use when the user asks to "start the proxy", "capture traffic", "intercept requests", "inspect HTTP traffic", "search captured requests", or "view request/response".

تشغيل في Manus

$ git log --oneline --stat

stars:٣٨٢

forks:٢٦

updated:١٧ فبراير ٢٠٢٦ في ٢٠:٣٥

SKILL.md

readonly

name	ghost-proxy
description	Starts and controls the reaper MITM proxy to capture, inspect, search, and replay HTTP/HTTPS traffic between clients and servers. Capabilities include starting/stopping the proxy scoped to specific domains, viewing captured request/response logs, searching traffic by method/path/status/host, and inspecting full raw HTTP entries for security analysis. Use when the user asks to "start the proxy", "capture traffic", "intercept requests", "inspect HTTP traffic", "search captured requests", or "view request/response".
license	apache-2.0
metadata	{"version":"1.1.0"}

Reaper MITM Proxy

Reaper is a CLI-based MITM HTTPS proxy for application security testing. It intercepts, logs, and allows inspection of HTTP/HTTPS traffic flowing through it. Use it to capture live request/response pairs for security validation.

Prerequisites

Before using any reaper command, make sure the latest version of the binary is installed:

curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash

All reaper commands in this document should be invoked as ~/.ghost/bin/reaper unless ~/.ghost/bin is on PATH.

Quick Reference

Command	Purpose
`reaper start --domains example.com`	Start proxy (foreground)
`reaper start --domains example.com -d`	Start proxy (daemon)
`reaper logs`	Show recent captured entries
`reaper search --method POST --path /api/*`	Search captured traffic
`reaper get <id>`	Show full request + response
`reaper req <id>`	Show raw HTTP request only
`reaper res <id>`	Show raw HTTP response only
`reaper stop`	Stop the daemon

Starting the Proxy

Start reaper scoped to the target domain(s). At least one --domains or --hosts flag is required.

# Intercept all traffic to example.com and its subdomains
reaper start --domains example.com

# Multiple domains
reaper start --domains example.com,api.internal.co

# Exact hostname matching
reaper start --hosts api.example.com

# Both domain suffix and exact host matching
reaper start --domains example.com --hosts special.internal.co

# Custom port (default: 8443)
reaper start --domains example.com --port 9090

# Run as background daemon
reaper start --domains example.com -d

Scope behavior:

--domains: Suffix match. example.com matches example.com, api.example.com, sub.api.example.com
--hosts: Exact match. api.example.com matches only api.example.com
Traffic outside scope passes through transparently without logging

Routing Traffic Through the Proxy

Configure the HTTP client to use the proxy. The default listen address is localhost:8443.

# curl
curl -x http://localhost:8443 -k https://api.example.com/endpoint

# Environment variables (works with many tools)
export http_proxy=http://localhost:8443
export https_proxy=http://localhost:8443

# Python requests
import requests
requests.get("https://api.example.com/endpoint",
             proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"},
             verify=False)

The -k / verify=False flag is needed because reaper generates its own CA certificate at startup for MITM TLS interception.

Viewing Captured Traffic

Searching

# By HTTP method
reaper search --method POST

# By host (supports * wildcard)
reaper search --host *.api.example.com

# By domain suffix
reaper search --domains example.com

# By path prefix (supports * wildcard)
reaper search --path /api/v3/transfer

# By status code
reaper search --status 200

# Combined filters
reaper search --method POST --path /api/v3/* --status 200 -n 50

Inspecting Individual Entries

# Full request and response (raw HTTP)
reaper get 42

# Request only
reaper req 42

# Response only
reaper res 42

Output is raw HTTP/1.1 format including headers and body, suitable for analysis or replay.

Stopping the Proxy

reaper stop

Common Workflows

Validate a Security Finding

When used with the validate skill (may need to collaborate with the user to setup the test environment):

Start reaper scoped to the application domain
Verify traffic is being captured by running reaper logs — at least one entry should appear after routing a test request through the proxy
If no entries appear, verify proxy settings and domain scope match the target
Authenticate (or ask the user to authenticate) as a normal user and exercise the vulnerable endpoint legitimately
Search for the captured request to understand the expected request format
Craft and send a malicious request that exercises the exploit described in the finding
Inspect the response to determine if the exploit succeeded
Use reaper get <id> to capture the full request/response as evidence

Data Storage

All data is stored in ~/.reaper/:

reaper.db - SQLite database with captured entries
reaper.sock - Unix socket for CLI-to-daemon IPC
reaper.pid - Daemon process ID

The CA certificate is generated fresh in memory on each start and is not persisted.

related-skills.json

نفس المستودع

ghost-scan-code.md

from "ghostsecurity/skills"

Ghost Security - SAST code scanner. Finds security vulnerabilities in source code by planning and executing targeted scans for issues like SQL injection, XSS, BOLA, BFLA, SSRF, and other OWASP categories. Supports applications (backend, frontend, mobile) and libraries (prototype pollution, unsafe deserialization, ReDoS, path traversal, zip slip). Use when the user asks for a code security audit, SAST scan, vulnerability scan of source code, or wants to find security flaws in a codebase or library.

2026-03-11382

ghost-repo-context.md

from "ghostsecurity/skills"

Scans directory structure, detects projects, maps dependencies, and documents code organization into a repo.md file. Use when the user needs a codebase overview, project structure map, or repository context before security analysis.

2026-02-25382

ghost-report.md

from "ghostsecurity/skills"

Ghost Security — combined security report. Aggregates findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report focused on the highest risk, highest confidence issues. Use when the user requests a security overview, vulnerability summary, full security audit, or combined scan results.

2026-02-17382

ghost-scan-deps.md

from "ghostsecurity/skills"

Ghost Security - Software Composition Analysis (SCA) scanner. Scans dependency lockfiles for known vulnerabilities, identifies CVEs, and generates findings with severity levels and remediation guidance. Use when the user asks about dependency vulnerabilities, vulnerable packages, CVE checks, security audits of dependencies, or wants to scan lockfiles like package-lock.json, yarn.lock, go.sum, or Gemfile.lock.

2026-02-17382

ghost-scan-secrets.md

from "ghostsecurity/skills"

Ghost Security - Secrets and credentials scanner. Scans codebase for leaked API keys, tokens, passwords, and sensitive data. Detects hardcoded secrets and generates findings with severity and remediation guidance. Use when the user asks to check for leaked secrets, scan for credentials, find hardcoded API keys or passwords, detect exposed .env values, or audit code for sensitive data exposure.

2026-02-17382

ghost-validate.md

from "ghostsecurity/skills"

This skill should be used when the user asks to "validate a finding", "check if a vulnerability is real", "triage a security finding", "confirm a vulnerability", "determine if a finding is a true positive or false positive", or provides a security finding for review. It validates security vulnerability findings by tracing data flows, verifying exploit conditions, analyzing security controls, and optionally testing attack vectors against a live application.

2026-02-17382

package.json

"author": "ghostsecurity"

"repository": "ghostsecurity/skills"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

$ useful --forSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

name	ghost-proxy
description	Starts and controls the reaper MITM proxy to capture, inspect, search, and replay HTTP/HTTPS traffic between clients and servers. Capabilities include starting/stopping the proxy scoped to specific domains, viewing captured request/response logs, searching traffic by method/path/status/host, and inspecting full raw HTTP entries for security analysis. Use when the user asks to "start the proxy", "capture traffic", "intercept requests", "inspect HTTP traffic", "search captured requests", or "view request/response".
license	apache-2.0
metadata	{"version":"1.1.0"}

Reaper MITM Proxy

Prerequisites

Before using any reaper command, make sure the latest version of the binary is installed:

curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash

All reaper commands in this document should be invoked as ~/.ghost/bin/reaper unless ~/.ghost/bin is on PATH.

Quick Reference

Command	Purpose
`reaper start --domains example.com`	Start proxy (foreground)
`reaper start --domains example.com -d`	Start proxy (daemon)
`reaper logs`	Show recent captured entries
`reaper search --method POST --path /api/*`	Search captured traffic
`reaper get <id>`	Show full request + response
`reaper req <id>`	Show raw HTTP request only
`reaper res <id>`	Show raw HTTP response only
`reaper stop`	Stop the daemon

Starting the Proxy

Start reaper scoped to the target domain(s). At least one --domains or --hosts flag is required.

# Intercept all traffic to example.com and its subdomains
reaper start --domains example.com

# Multiple domains
reaper start --domains example.com,api.internal.co

# Exact hostname matching
reaper start --hosts api.example.com

# Both domain suffix and exact host matching
reaper start --domains example.com --hosts special.internal.co

# Custom port (default: 8443)
reaper start --domains example.com --port 9090

# Run as background daemon
reaper start --domains example.com -d

Scope behavior:

--domains: Suffix match. example.com matches example.com, api.example.com, sub.api.example.com
--hosts: Exact match. api.example.com matches only api.example.com
Traffic outside scope passes through transparently without logging

Routing Traffic Through the Proxy

Configure the HTTP client to use the proxy. The default listen address is localhost:8443.

# curl
curl -x http://localhost:8443 -k https://api.example.com/endpoint

# Environment variables (works with many tools)
export http_proxy=http://localhost:8443
export https_proxy=http://localhost:8443

# Python requests
import requests
requests.get("https://api.example.com/endpoint",
             proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"},
             verify=False)

The -k / verify=False flag is needed because reaper generates its own CA certificate at startup for MITM TLS interception.

Viewing Captured Traffic

Searching

# By HTTP method
reaper search --method POST

# By host (supports * wildcard)
reaper search --host *.api.example.com

# By domain suffix
reaper search --domains example.com

# By path prefix (supports * wildcard)
reaper search --path /api/v3/transfer

# By status code
reaper search --status 200

# Combined filters
reaper search --method POST --path /api/v3/* --status 200 -n 50

Inspecting Individual Entries

# Full request and response (raw HTTP)
reaper get 42

# Request only
reaper req 42

# Response only
reaper res 42

Output is raw HTTP/1.1 format including headers and body, suitable for analysis or replay.

Stopping the Proxy

reaper stop

Common Workflows

Validate a Security Finding

When used with the validate skill (may need to collaborate with the user to setup the test environment):

Start reaper scoped to the application domain
Verify traffic is being captured by running reaper logs — at least one entry should appear after routing a test request through the proxy
If no entries appear, verify proxy settings and domain scope match the target
Authenticate (or ask the user to authenticate) as a normal user and exercise the vulnerable endpoint legitimately
Search for the captured request to understand the expected request format
Craft and send a malicious request that exercises the exploit described in the finding
Inspect the response to determine if the exploit succeeded
Use reaper get <id> to capture the full request/response as evidence

Data Storage

All data is stored in ~/.reaper/:

reaper.db - SQLite database with captured entries
reaper.sock - Unix socket for CLI-to-daemon IPC
reaper.pid - Daemon process ID

The CA certificate is generated fresh in memory on each start and is not persisted.

ghost-proxy

Reaper MITM Proxy

Prerequisites

Quick Reference

Starting the Proxy

Routing Traffic Through the Proxy

Viewing Captured Traffic

Recent Entries

Searching

Inspecting Individual Entries

Stopping the Proxy

Common Workflows

Validate a Security Finding

Data Storage

Reaper MITM Proxy

Prerequisites

Quick Reference

Starting the Proxy

Routing Traffic Through the Proxy

Viewing Captured Traffic

Recent Entries

Searching

Inspecting Individual Entries

Stopping the Proxy

Common Workflows

Validate a Security Finding

Data Storage

ghost-proxy

Reaper MITM Proxy

Prerequisites

Quick Reference

Starting the Proxy

Routing Traffic Through the Proxy

Viewing Captured Traffic

Recent Entries

Searching

Inspecting Individual Entries

Stopping the Proxy

Common Workflows

Validate a Security Finding

Data Storage

المزيد من هذا المستودع

Reaper MITM Proxy

Prerequisites

Quick Reference

Starting the Proxy

Routing Traffic Through the Proxy

Viewing Captured Traffic

Recent Entries

Searching

Inspecting Individual Entries

Stopping the Proxy

Common Workflows

Validate a Security Finding

Data Storage

المزيد من هذا المستودع