Skip to main content
Run any Skill in Manus
with one click
catpilotai
GitHub creator profile

catpilotai

Repository-level view of 10 collected skills across 1 GitHub repositories.

skills collected
10
repositories
1
updated
2026-05-17
repository map

Where the skills live

Top repositories by collected skill count, with their share of this creator catalog and occupation spread.

repository explorer

Repositories and representative skills

catpilot-security-core
information-security-analysts

Catpilot's universal AI-coding-agent security baseline. Always-on guardrails across nine components: cloud CLI mutations, database state changes, local CLI destruction, Docker container builds, hardcoded secrets, secrets management, supply-chain integrity, PII / test-data hygiene, and language-agnostic secure-coding patterns (SQL injection, command injection, XSS, path traversal, insecure deserialization, eval-class APIs, SSRF). Apply on every code generation, file write, and shell command. Born from real production incidents.

2026-05-17
language-baseline
information-security-analysts

Block the language-agnostic classes of injection and arbitrary-code-execution failures — SQL via string concatenation, command injection via shell-true subprocess calls, XSS via `innerHTML`/`document.write`, path traversal via unvalidated filenames, insecure deserialization (`pickle`, unsafe `yaml.load`, PHP `unserialize`, Java `ObjectInputStream`, Ruby `Marshal`), dynamic code execution (`eval`, `Function`, `setTimeout(string)`), TypeScript `as any` escape hatches, and SSRF via unvalidated outbound URLs.

2026-05-17
pii-and-test-data
information-security-analysts

Block real customer data from appearing in test fixtures, code comments, documentation, debug output, or shared transcripts. Require synthetic generators (`faker`, `@faker-js/faker`, provider test cards), reserved test ranges (555 phone numbers, `@example.com` emails, RFC 5737 IPs), and redaction of PII/PHI/PCI from logs and error messages. Refuse to copy production rows into development environments under any framing.

2026-05-17
supply-chain
information-security-analysts

Block typosquats, unpinned dependencies, floating GitHub Actions tags, `curl | bash` installs, unverified agent skills/MCP servers, and post-install scripts from unknown publishers before they reach a developer machine, a CI runner, or a production image. Require lockfile-based installs, SHA-pinned third-party actions, registry-namespace verification, and provenance checks (Sigstore, npm provenance, GitHub attestations) for any code that will run.

2026-05-17
secrets-management
information-security-analysts

Govern how secrets are stored, scoped, distributed, rotated, and surfaced to running code — never committed `.env` files, never echoed in CI logs, never embedded in URLs or error messages, never shared across environments. Complements `secret-blocking` (which detects hardcoded patterns at write time) by enforcing the lifecycle around already-secured secrets — `.gitignore` hygiene, CI log redaction, vault-backed access, scoped credentials per environment, and a documented response when exposure happens.

2026-05-17
docker-safety
network-and-computer-systems-administrators

Block container runtime escape paths, root-by-default images, build-time secrets baked into layers, and supply-chain risks from floating base tags before they reach a registry or a host. Require non-root `USER`, digest-pinned base images, BuildKit secret mounts (never `ENV`/`ARG` for secrets), `--no-install-recommends` + cache cleanup, and refuse `--privileged`, `--net=host`, `--pid=host`, host root bind-mounts, and `chmod 777` inside containers.

2026-05-17
local-cli-safety
information-security-analysts

Block irreversible filesystem operations, history-destroying git commands on shared branches, network exposure to non-loopback interfaces, world-readable credential paths, and credential exfiltration patterns before they run on a developer or CI machine. Covers `rm`/`find -delete`/`dd`/`chmod -R`, `git push --force`/`reset --hard`/`clean -fd` on protected branches, `--bind 0.0.0.0` services, and patterns that pipe `~/.ssh`, `~/.aws`, or environment variables into external requests.

2026-05-17
database-safety
database-architects

Require preview-before-modify, row-count disclosure, transactional execution, and rollback preparation before any SQL or ORM operation that mutates data or schema. Block destructive statements without a WHERE clause, schema drops without confirmation, prod migrations without dry-run, and raw string interpolation into queries. Covers PostgreSQL, MySQL, SQL Server, SQLite, and ORM equivalents.

2026-05-16
Showing top 8 of 10 collected skills in this repository.
Showing 1 of 1 repositories
All repositories loaded