Skip to main content
Run any Skill in Manus
with one click
GitHub repository

flocks

flocks contains 770 collected skills from AgentFlocks, with repository-level occupation coverage and site-owned skill detail pages.

skills collected
770
Stars
390
updated
2026-06-17
Forks
73
Occupation coverage
8 occupation categories · 100% classified
repository explorer

Skills in this repository

web2cli
software-developers

使用统一的 Web2CLI 流程捕获网站的 XHR/Fetch 请求,并生成可复用的 CLI、Markdown 文档。通过浏览器的 `cdp-direct` 模式复用用户 Chromium 系浏览器登录态与 CDP 能力。适用于复现登录后操作、沉淀接口调用样例,或基于页面操作生成自动化工具时。

2026-06-17
workflow-builder
software-developers

根据自然语言描述生成 flocks 内置工作流(workflow.md, workflow.json)。当用户提出创建/设计/生成/搭建工作流或任何多步骤流程(如告警调查、事件响应、SOP/Runbook 自动化)时使用本 skill。

2026-06-17
workflow-config-guide
software-developers

配置现有 Flocks 工作流的发布、集成、触发器和发布配置模板;本 skill 只定义交互协议,具体配置问题必须来自工作流目录内的 guide.md

2026-06-17
browser-use
software-developers

统一处理浏览器使用任务,支持可见浏览器 CDP 直连、专用 headless CDP、agent-browser。Use when the user asks to browse websites, interact with pages, fill forms, capture screenshots, reuse an existing Chrome/Chromium/Edge login session, work with an already-open browser/sidebar browser, access login-only/internal/dynamic pages, or automate browser actions.

2026-06-10
user-defined-page-builder
web-developers

Guide users to create, develop, hide, or delete user-defined custom pages that appear in the WebUI left navigation under Home, with live preview and no restart required. Also guide development of page-scoped backend APIs through the User Defined Page Backend API Runtime when built-in APIs are insufficient. Trigger when the user asks to create, remove, or delete a custom page, user-defined page, dashboard, navigation tab, integrate custom APIs for a page, or sends messages such as "create a custom page", "delete custom page", "remove user-defined page", "创建自定义页面", "删除自定义页面", "用户自定义页面", "自定义页面", "左侧导航页面", "首页下面的页面", "页面数据来源", "自定义 API", or wants help understanding how custom pages work in Flocks.

2026-06-10
agent-builder
software-developers

Create new sub-agents (subagents) by generating YAML config and prompt files in ~/.flocks/plugins/agents/. The created agent can be delegated to by Rex via delegate_task. Use when the user asks to create, add, or generate a new agent.

2026-05-27
onesec-use
information-security-analysts

用于处理 OneSEC/OneDNS 终端安全平台相关任务,适合通过API或者结合浏览器进行以下任务: 终端安全调查、威胁事件分析、终端告警检索、行为日志排查、IOC 查询、恶意文件分析、DNS 威胁排查、软件与终端资产查询、任务进度查看、审计日志分析、病毒扫描和常见终端处置场景。只要用户提到 OneSEC、微步 EDR等相关操纵需求时,必须先加载本 skill。本 skill 是 OneSEC 平台操作的唯一决策入口:在未阅读本 skill 并完成模式判断前,不要直接调用任何 `onesec_*` tool。

2026-05-27
onesig-use
information-security-analysts

用于处理 OneSIG(安全互联网网关 / Secure Internet Gateway)相关任务,适合通过 API 或者结合浏览器进行以下任务:威胁监控(仪表盘、防护大屏、失陷主机、入站/出站威胁事件、报告管理)、防护策略(全局白/黑名单、多维封锁、IPS、HTTP 黑名单、高危端口防护、API 联动、Syslog 自动封禁、FTP/SFTP 联动)、资产管理、平台管理(告警/审计/用户、HTTPS 解密、网口路由 DNS、HA、OneCC、设备升级与备份、license、MDR、诊断)、登录会话与改密、帮助文档。只要用户提到 OneSIG、SIG、安全互联网网关、微步互联网网关等相关操作时,必须先加载本 skill。本 skill 是 OneSIG 平台操作的唯一决策入口:在未阅读本 skill 并完成模式判断前,不要直接调用任何 `onesig_*` tool。

2026-05-27
qingteng-use
computer-occupations-all-other

用于处理青藤云安全平台相关任务,适合通过API或者结合浏览器进行以下任务:主机资产盘点、进程与账号排查、端口和服务查询、网站与数据库资产分析、可疑操作检测、暴力破解分析、异常登录排查、WebShell 与后门调查、蜜罐结果分析、补丁与漏洞风险检查、弱密码排查、基线任务查看、合规检查、授权管理、系统审计和快速风险体检场景。只要用户提到青藤、青藤云安全、青藤主机安全的相关操作时,必须先加载本 skill。本 skill 是 青藤 平台操作的唯一决策入口:在未阅读本 skill 并完成模式判断前,不要直接调用任何 `qingteng_*` tool。

2026-05-27
sangfor-edr-use
computer-occupations-all-other

用于处理深信服 EDR(终端检测与响应)相关任务,通过浏览器(CDP 直连)进行以下任务:终端状态查询、终端概况统计、失陷设备排查、设备运行状态查看等。只要用户提到 深信服 EDR、EDR、sangfor EDR 等需求时,必须先加载本 skill。本 skill 是 EDR 平台操作的唯一决策入口:在未阅读本 skill 前,不要直接使用 browser-use skill。

2026-05-27
sangfor-xdr-use
computer-occupations-all-other

用于处理深信服 XDR(扩展检测与响应)相关任务,适合通过 API 或者结合浏览器进行以下任务:告警查询与处置、事件调查与响应、脆弱性管理、资产盘点、主机隔离、白名单管理、系统运维状态查看、节点健康监控等。只要用户提到 深信服 XDR、XDR、sangfor XDR 等需求时,必须先加载本 skill。本 skill 是 XDR 平台操作的唯一决策入口:在未阅读本 skill 并完成模式判断前,不要直接调用任何 `sangfor_xdr_*` tool 或使用 browser-use skill。

2026-05-27
skill-builder
computer-occupations-all-other

Create or improve skill. Use when the user asks to create, add, generate, update, refactor, package, or test a skill, convert a repeated workflow into a reusable skill, write a `SKILL.md`, or add `references/`, `scripts/` for a skill.

2026-05-27
skyeye-sensor-use
computer-occupations-all-other

使用天眼 SkyEye Sensor 传感器侧精简 CLI 查询告警列表和告警统计。适用于用户提到"SkyEye Sensor""天眼流量传感器告警"场景。

2026-05-27
skyeye-use
computer-occupations-all-other

用于处理 SkyEye/天眼/网神分析平台相关任务,适合通过API或者结合浏览器进行以下任务:告警列表查询、威胁级别筛选、攻击阶段分析、攻击结果排查、看板统计查看、趋势分析、系统状态查看、告警报告导出、PCAP 下载和样本文件获取等场景。只要用户提到 SkyEye、天眼、网神分析平台的相关操作时,必须先加载本 skill。本 skill 是 天眼 平台操作的唯一决策入口:在未阅读本 skill 并完成模式判断前,不要直接调用任何 `skyeye_*` tool。

2026-05-27
tdp-use
computer-occupations-all-other

用于处理 TDP 威胁检测平台相关任务,适合通过API或者结合浏览器进行以下任务:安全态势查看、告警检索、告警获取、威胁事件调查、受害主机排查、资产风险查询、等场景。只要用户提到需要 打开/操作/获取/浏览 TDP、微步 NDR等需求时,必须先加载本 skill。本 skill 是 TDP 平台操作的唯一决策入口:在未阅读本 skill 并完成模式判断前,不要直接调用任何 `tdp_*` tool。

2026-05-27
tool-builder
computer-occupations-all-other

Creates reusable Flocks tools and API integrations. Supports YAML-HTTP for REST APIs and Python for local utilities, with mandatory verification and smoke testing. All output under ~/.flocks/plugins/tools/. When to use: creating or adding a new Flocks tool, building local utilities such as base64 encode-decode, URL encode-decode, JSON formatting, parsing, hashing, text or file transformation, or integrating an external REST API as a reusable tool. Example requests: "Create a base64 encode/decode tool", "Build a URL encode/decode utility", "Add a JSON formatter tool", "Integrate a REST API as a Flocks tool".

2026-05-20
acquiring-disk-image-with-dd-and-dcfldd
computer-occupations-all-other

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

2026-05-05
analyzing-active-directory-acl-abuse
information-security-analysts

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

2026-05-05
analyzing-android-malware-with-apktool
information-security-analysts

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

2026-05-05
analyzing-api-gateway-access-logs
information-security-analysts

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

2026-05-05
analyzing-apt-group-with-mitre-navigator
information-security-analysts

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

2026-05-05
analyzing-azure-activity-logs-for-threats
information-security-analysts

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

2026-05-05
analyzing-bootkit-and-rootkit-samples
information-security-analysts

Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware detection.

2026-05-05
analyzing-browser-forensics-with-hindsight
information-security-analysts

Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.

2026-05-05
analyzing-campaign-attribution-evidence
information-security-analysts

Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr

2026-05-05
analyzing-certificate-transparency-for-phishing
information-security-analysts

Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.

2026-05-05
analyzing-cloud-storage-access-patterns
information-security-analysts

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

2026-05-05
analyzing-cobalt-strike-beacon-configuration
information-security-analysts

Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.

2026-05-05
analyzing-cobaltstrike-malleable-c2-profiles
information-security-analysts

Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.

2026-05-05
analyzing-command-and-control-communication
information-security-analysts

Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.

2026-05-05
analyzing-cyber-kill-chain
information-security-analysts

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

2026-05-05
analyzing-disk-image-with-autopsy
information-security-analysts

Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.

2026-05-05
analyzing-dns-logs-for-exfiltration
information-security-analysts

Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls.

2026-05-05
analyzing-docker-container-forensics
information-security-analysts

Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.

2026-05-05
analyzing-email-headers-for-phishing-investigation
information-security-analysts

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.

2026-05-05
analyzing-ethereum-smart-contract-vulnerabilities
information-security-analysts

Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.

2026-05-05
analyzing-golang-malware-with-ghidra
information-security-analysts

Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.

2026-05-05
analyzing-heap-spray-exploitation
information-security-analysts

Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.

2026-05-05
analyzing-indicators-of-compromise
information-security-analysts

Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

2026-05-05
analyzing-ios-app-security-with-objection
information-security-analysts

Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture, bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime exploration.

2026-05-05
Showing top 40 of 770 collected skills in this repository.
flocks Agent Skills on GitHub | SkillsMP