Skip to main content
Run any Skill in Manus
with one click
GitHub repository

agents

agents contains 11 collected skills from scanner-inc, with repository-level occupation coverage and site-owned skill detail pages.

skills collected
11
Stars
2
updated
2026-06-11
Forks
0
Occupation coverage
3 occupation categories · 100% classified
repository explorer

Skills in this repository

posture-report
information-security-analysts

Produce a daily Scanner posture report for the analyst's terminal — covers environment, log volume, alert activity (split into actionable / correlation / uncategorized buckets), coverage gaps, and 2-5 specific recommended next moves. Use when the user types `/posture-report`, asks for the "posture report", "daily report", "Scanner digest", "coverage report", "health report", or any variant of "what's our detection coverage looking like". Requires Scanner MCP configured plus SCANNER_API_URL / SCANNER_API_KEY / SCANNER_TENANT_ID env vars for the Detection Rules REST API.

2026-06-11
recommend-detections
information-security-analysts

Produce a prioritised list of concrete, copy-paste-ready detection-engineering recommendations for the user's Scanner tenant — new rules to write, existing rules to tune, correlations to add, and Scanner OOB packs worth enabling. Consumes posture-report output as one input, walks every YAML in `SCANNER_DETECTIONS_DIR` AND pulls the tenant's full rule inventory via the Detection Rule API (catches UI-created rules too), queries `_detections` over 30 days to find noise / co-firing entities, and surfaces installable OOB packs from a hardcoded list of `scanner-inc/detection-rules-<source-type>` repos (no local clone needed). Each recommendation ends with the exact `/write-detection`, `/tune-detection`, or `/write-correlation` invocation needed to act on it. Read-only — writes nothing. Use when the user types `/recommend-detections`, asks "what detections should I add?", "where are my detection gaps?", "what should I be alerting on?", or "give me detection engineering ideas for this tenant". Does NOT walk foreign-S

2026-06-11
tune-detection
information-security-analysts

Investigate a noisy Scanner detection rule against real `_detections` data, classify recent firings as false-positive vs true-positive vs unknown, and produce a concrete tuning patch — extra filter clauses, post-aggregation thresholds, dedup windows, or severity downgrades — along with regression tests seeded from the FP events. Validates the tuned rule with `scanner-cli validate` + `run-tests` and backtests the new firing rate. For out-of-the-box rules (which can't be edited in place), recommends the fork-and-disable workflow: clone the OOB YAML into the user's private repo, tune it there, and disable the original in the Scanner UI. Use when the user types `/tune-detection <rule-id-or-name>`, says "this rule is noisy", "reduce false positives on…", or "tune <name>". Requires Scanner MCP, `SCANNER_API_URL` + `SCANNER_API_KEY` for `scanner-cli`, and `SCANNER_DETECTIONS_DIR` (comma-separated paths to local rule repos).

2026-06-11
write-detection
information-security-analysts

Author a new Scanner detection rule (YAML) from a natural-language description of the behaviour you want to catch. Discovers the relevant log-source schema via Scanner MCP, samples real production data to sanity-check the filter, drafts the rule with the proper YAML schema header, writes 2-4 inline unit tests seeded from real events, validates with `scanner-cli validate` + `run-tests`, backtests the full query against historical logs (needle-in-haystack regime can scan months of data), and hands off via the Scanner GitHub-app sync flow. Always writes rules in `Staging` state for first push. Use when the user types `/write-detection`, asks Claude to "write a detection rule for X", "create a Scanner rule that fires when…", or pastes an attacker behaviour and wants to detect it. Requires Scanner MCP configured, `SCANNER_API_URL` + `SCANNER_API_KEY` for `scanner-cli`, and optionally `SCANNER_DETECTIONS_DIR` (comma-separated paths to local rules repos).

2026-06-11
write-vrl
software-developers

Author and test a VRL (Vector Remap Language) program for a Scanner transformation step. Takes sample raw logs (a file in JSON / JSONL / CSV / Parquet / plaintext, or an inline event) plus an objective — normalize to ECS, drop noisy events during ingestion, fan one event into many, parse an embedded string, enrich with derived fields — and produces a VRL program that the user can paste directly into the Scanner UI. Drafts the program, runs it against the sample with `vector vrl`, compares output to the objective, and iterates. Use when the user types `/write-vrl`, asks Claude to "write a VRL program", "make a Scanner transformation", "normalize this log to ECS", "drop these events during ingestion", or pastes/points to a raw log and says they want it transformed.

2026-06-11
investigate
information-security-analysts

Answer a free-form security or detection-engineering question against the user's Scanner tenant using a summarize → plan → execute workflow — restate the question, draft a 3-6 bullet investigation plan grounded in the actual environment schema, then run that plan with Scanner MCP and return a structured finding. Use when the user types `/investigate [question]`, asks an open-ended security question that needs Scanner data ("did anyone exec from a public S3 bucket today?", "are there any failed Okta logins from new countries?", "which rules cover MITRE T1078?"), or asks Claude to "investigate", "look into", or "check on" something in the logs. Requires Scanner MCP configured.

2026-05-20
lookup-ioc
information-security-analysts

Look up an external indicator of compromise (IP, domain, URL, file hash, or CVE) across abuse.ch ThreatFox, AlienVault OTX, and (for IPv4) Feodo Tracker, and return a single merged threat-intel report. Use when a SOC analyst types `/lookup-ioc [indicator]`, when another skill (triage-alert, threat-hunt, investigate) needs to enrich an indicator surfaced during investigation, or when the user asks any free-form variation of "is this IP/domain/hash bad?", "do we have threat intel on X?", or "check this IOC". Requires ABUSECH_AUTH_KEY and OTX_API_KEY in the environment; degrades gracefully if either is missing.

2026-05-20
report-as-html
web-developers

Render a Scanner-style report (terminal markdown + structured data the calling skill already gathered) as a polished, self-contained HTML file ready to open in the browser. Two templates ship — `light-mode` (cream + teal, default for shareable PDFs / printable reports / tickets) and `dark-mode` (Scanner's actual dark-first theme with Inter + Sometype Mono, matches the Scanner app aesthetic). **Not a stand-alone analysis skill — does not generate findings.** Use only as a follow-up step after another skill (`/posture-report`, `/recommend-detections`, `/triage-alert`, `/threat-hunt`, `/investigate`, `/lookup-ioc`) has produced a finished terminal report and the user has answered "yes, render an HTML version." Reads `templates/light-mode.html` or `templates/dark-mode.html` for the skeleton and `references/style-guide.md` + `references/components.md` for the component vocabulary, writes a single self-contained HTML file under `/tmp/`, and (if the user separately says yes) opens it via `open`. Use when the user ty

2026-05-20
threat-hunt
information-security-analysts

Run a proactive threat hunt against historical Scanner logs using fresh threat intelligence. With no argument, picks the most environmentally relevant CVE from CISA KEV and hunts its IOCs across all available log sources. With an argument (CVE id, malware family, threat actor, IOC), hunts that specific topic. Use when the user types `/threat-hunt`, `/threat-hunt [topic]`, or asks Claude to "hunt", "do a threat hunt", "look for evidence of [CVE / malware / actor]", or "sweep logs for [IOC]". Requires Scanner MCP plus optionally OTX_API_KEY and ABUSECH_AUTH_KEY for richer threat-intel.

2026-05-20
triage-alert
information-security-analysts

Look up a Scanner detection alert by id and run a full triage investigation — hypothesis generation, evidence collection from surrounding logs, classification (BENIGN / SUSPICIOUS / MALICIOUS) with confidence, self-critique, and a structured report. Use when the user types `/triage-alert [id]`, pastes a Scanner alert id, or asks Claude to "triage", "investigate", or "look at" a specific alert by id. Requires Scanner MCP configured in Claude Code.

2026-05-20
write-correlation
information-security-analysts

Author a Scanner correlation detection rule — one that fires when multiple other rules co-fire on the same entity (user, IP, host) within a time window. Joins constituent rules via a custom `correlation.<label>` tag (which the skill writes onto each constituent rule's YAML), pivots on an entity column from each rule's `results_table.rows[0].*`, and uses `countdistinct(name)` to count distinct rule names — never the opaque `detection_rule_id`. Falls back to joining by rule `name` when a constituent is an out-of-the-box rule the user can't edit. Verifies the firing rate against `_detections` via Scanner MCP before recommending the user push. Use when the user types `/write-correlation`, asks Claude to "write a correlation rule", or says "alert me when rules X, Y, Z fire on the same user in 10 minutes". Requires Scanner MCP configured, `SCANNER_API_URL` + `SCANNER_API_KEY` for `scanner-cli`, and `SCANNER_DETECTIONS_DIR` (comma-separated paths to local rules repos).

2026-05-20
agents Agent Skills on GitHub | SkillsMP