تشغيل أي مهارة في Manus بنقرة واحدة

ابدأ الآن

$pwd:

security-scan

Name: Security Scan
Author: PacificStudio

// Review trust boundaries, auth, input handling, secrets, and dependency risk before release.

تشغيل في Manus

$ git log --oneline --stat

stars:٢٤٦

forks:٢٢

updated:١٥ أبريل ٢٠٢٦ في ٠٤:٥٢

SKILL.md

readonly

name	security-scan
description	Review trust boundaries, auth, input handling, secrets, and dependency risk before release.

Security Scan

Overview

Conduct a security-focused review of the code or change set. Map trust boundaries first, then inspect how untrusted input, credentials, permissions, dependencies, and deployment defaults are handled.

When To Use

After adding or changing authentication or authorization logic.
After adding new API endpoints, uploads, background jobs, or external integrations.
Before production deployment.
When the change handles untrusted input, secrets, tokens, files, or network calls.
When the user explicitly requests a security review or audit.

Review Workflow

Map the attack surface.
- Entry points, user-controlled input, file access, network access, storage boundaries, and privileged operations.
Review authentication and authorization.
- Authentication bypasses.
- Missing authorization checks.
- Confused trust boundaries between user, service, and admin actions.
Review input handling and injection surfaces.
- SQL, NoSQL, shell, template, and path injection.
- XSS and unsafe HTML rendering.
- SSRF, open redirects, and unsafe outbound requests.
Review secrets and cryptography.
- Hardcoded keys, tokens, passwords, or connection strings.
- Weak password hashing or unsafe token generation.
- Sensitive data exposure in logs, errors, or client payloads.
Review dependency and configuration risk.
- Known vulnerable dependencies.
- Overly permissive defaults.
- Missing secure headers, unsafe CORS, or weak production settings.
Review detection and recovery.
- Are important security-relevant failures logged?
- Would an operator be able to detect abuse or investigate an incident?
Report severity-rated findings with remediation guidance.
- CRITICAL: exploitable issue or active secret exposure; block deployment.
- HIGH: serious vulnerability or major trust-boundary weakness; fix before release.
- MEDIUM: meaningful hardening gap or partial control failure.
- LOW: defense-in-depth improvement or cleanup.

Security Checklist

Authentication and authorization boundaries are explicit and enforced.
Untrusted input is validated, normalized, and escaped at the correct boundary.
Queries and commands are parameterized and never built from raw user input.
Secrets are not stored in source, test fixtures, logs, or client-visible responses.
File and network access respect allowlists and path or host validation where appropriate.
Dependency versions and deployment defaults do not introduce known high-risk vulnerabilities.

Operating Rules

Think in trust boundaries and attacker-controlled inputs, not only code style.
Prefer reproducible exploit paths over vague warnings.
Name the impacted asset or permission boundary for every serious finding.
Include a practical remediation path, not just the vulnerability label.
If no critical issues are found, still call out hardening gaps and any unreviewed surfaces.

Default Deliverable Shape

Return these sections:

Attack Surface
Findings - ordered by severity with file and line references where possible.
Exploit Path / Impact - why each important issue matters.
Remediation - concrete fixes and safer patterns.
Residual Risks - remaining uncertainty or unreviewed areas.

related-skills.json

نفس المستودع

deploy-coolify-review-env.md

from "PacificStudio/openase"

Create or update a branch-scoped Coolify review environment with one command, and delete it with one command. Use when a ticket must deploy a preview before human review, while keeping the workflow simple and fast.

2026-05-29246

workflow-authoring.md

from "PacificStudio/openase"

Write workflow harness files that define role, status semantics, feedback loops, and durable delivery rules for disposable ticket workspaces.

2026-04-16246

deep-interview.md

from "PacificStudio/openase"

Clarify ambiguous requests with a focused, Socratic interview before planning or implementation.

2026-04-15246

review-code.md

from "PacificStudio/openase"

Review behavior, risk, performance, and test coverage before style nits.

2026-04-15246

task-breakdown.md

from "PacificStudio/openase"

Turn a clarified spec into milestone-oriented tickets, dependency edges, and stage-gated delivery lanes.

2026-04-15246

openase-platform.md

from "PacificStudio/openase"

Platform operations for tickets, projects, and runtime coordination inside OpenASE.

2026-04-12246

package.json

"author": "PacificStudio"

"repository": "PacificStudio/openase"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

$ useful --forSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

Security Scan

Overview

Conduct a security-focused review of the code or change set. Map trust boundaries first, then inspect how untrusted input, credentials, permissions, dependencies, and deployment defaults are handled.

When To Use

After adding or changing authentication or authorization logic.

After adding new API endpoints, uploads, background jobs, or external integrations.

Before production deployment.

When the change handles untrusted input, secrets, tokens, files, or network calls.

When the user explicitly requests a security review or audit.

Review Workflow

Map the attack surface.

Entry points, user-controlled input, file access, network access, storage boundaries, and privileged operations.

Review authentication and authorization.

Authentication bypasses.
Missing authorization checks.
Confused trust boundaries between user, service, and admin actions.

Review input handling and injection surfaces.

SQL, NoSQL, shell, template, and path injection.
XSS and unsafe HTML rendering.
SSRF, open redirects, and unsafe outbound requests.

Review secrets and cryptography.

Hardcoded keys, tokens, passwords, or connection strings.
Weak password hashing or unsafe token generation.
Sensitive data exposure in logs, errors, or client payloads.

Review dependency and configuration risk.

Known vulnerable dependencies.
Overly permissive defaults.
Missing secure headers, unsafe CORS, or weak production settings.

Review detection and recovery.

Are important security-relevant failures logged?
Would an operator be able to detect abuse or investigate an incident?

Report severity-rated findings with remediation guidance.

CRITICAL: exploitable issue or active secret exposure; block deployment.
HIGH: serious vulnerability or major trust-boundary weakness; fix before release.
MEDIUM: meaningful hardening gap or partial control failure.
LOW: defense-in-depth improvement or cleanup.

Security Checklist

Authentication and authorization boundaries are explicit and enforced.

Untrusted input is validated, normalized, and escaped at the correct boundary.

Queries and commands are parameterized and never built from raw user input.

Secrets are not stored in source, test fixtures, logs, or client-visible responses.

File and network access respect allowlists and path or host validation where appropriate.

Dependency versions and deployment defaults do not introduce known high-risk vulnerabilities.

Operating Rules

Think in trust boundaries and attacker-controlled inputs, not only code style.

Prefer reproducible exploit paths over vague warnings.

Name the impacted asset or permission boundary for every serious finding.

Include a practical remediation path, not just the vulnerability label.

If no critical issues are found, still call out hardening gaps and any unreviewed surfaces.

Default Deliverable Shape

Return these sections:

Attack Surface

Findings - ordered by severity with file and line references where possible.

Exploit Path / Impact - why each important issue matters.

Remediation - concrete fixes and safer patterns.

Residual Risks - remaining uncertainty or unreviewed areas.

security-scan

Security Scan

Overview

When To Use

Review Workflow

Security Checklist

Operating Rules

Default Deliverable Shape

المزيد من هذا المستودع

المزيد من هذا المستودع

Security Scan

Overview

When To Use

Review Workflow

Security Checklist

Operating Rules

Default Deliverable Shape