Skip to main content
Run any Skill in Manus
with one click
GitHub repository

ghsa-skill-builder

ghsa-skill-builder contains 28 collected skills from yhy0, with repository-level occupation coverage and site-owned skill detail pages.

skills collected
28
Stars
74
updated
2026-03-14
Forks
11
Occupation coverage
2 occupation categories · 100% classified
repository explorer

Skills in this repository

ghsa-skill-builder
information-security-analysts

Use when building or updating vulnerability pattern Skills from multiple sources: GitHub Security Advisories (GHSA), HackerOne Hacktivity, or NVD. Triggers on keywords: GHSA, CVE, vulnerability skill, vuln pattern, update skills, security advisory, HackerOne, H1, hacktivity, pentest skill, bug bounty, check for updates.

2026-03-14
ghsa-skill-builder
information-security-analysts

Use when building or updating vulnerability pattern Skills from multiple sources: GitHub Security Advisories (GHSA), HackerOne Hacktivity, or NVD. Triggers on keywords: GHSA, CVE, vulnerability skill, vuln pattern, update skills, security advisory, HackerOne, H1, hacktivity, pentest skill, bug bounty, check for updates.

2026-03-14
go-vuln-auth-bypass
information-security-analysts

Use when auditing Go code involving authentication flows, RBAC policies, Kubernetes admission webhooks, JWT/OAuth token validation, or privilege escalation in cloud-native infrastructure. Covers CWE-287/863/269/284/285/862. Keywords: authentication bypass, authorization bypass, RBAC, admission webhook, JWT, OAuth, privilege escalation, Rancher, Kyverno, impersonation, namespace isolation, middleware auth

2026-03-14
go-vuln-crypto-tls
information-security-analysts

Use when auditing Go code involving TLS configuration, certificate validation, JWT token parsing, SAML assertion verification, webhook signature checking, or cryptographic operations. Covers CWE-295/347/345. Keywords: InsecureSkipVerify, TLS, mTLS, certificate validation, JWT algorithm, SAML signature, cosign, sigstore, hmac.Equal, X.509, webhook HMAC

2026-03-14
go-vuln-dos
information-security-analysts

Use when auditing Go code involving goroutine management, channel operations, HTTP request handling, resource allocation, or panic recovery. Covers CWE-400/770/476. Keywords: denial of service, goroutine leak, channel deadlock, panic recover, io.ReadAll, resource exhaustion, OOM, HTTP/2 abuse, protobuf, unbounded allocation, rate limiting

2026-03-14
go-vuln-info-disclosure
information-security-analysts

Use when auditing Go code involving logging, error handling, HTTP response data, Kubernetes Secret management, or credential storage. Covers CWE-200/532/522/312/552. Keywords: information disclosure, credential leak, log exposure, Kubernetes Secret, json tag, struct formatting, error message, stack trace, Rancher, Argo CD, sensitive data

2026-03-14
go-vuln-injection
software-developers

Use when auditing Go code involving OS command execution, SQL queries, template rendering, or child command invocation. Covers CWE-78/89/77/94/88. Keywords: command injection, SQL injection, exec.Command, os/exec, database/sql, text/template, html/template, argument injection, shell injection, Gogs, Grafana, MCP stdio

2026-03-14
go-vuln-path-traversal
software-developers

Use when auditing Go code involving file path operations, archive extraction, symlink handling, container volume mounts, or HTTP file serving. Covers CWE-22/59. Keywords: path traversal, directory traversal, filepath.Join, symlink, archive extraction, zip slip, tar, volume mount, go-git, Helm chart, os.Open, filepath.Clean

2026-03-14
go-vuln-ssrf-requestforgery
software-developers

Use when auditing Go code involving HTTP client requests, webhook callbacks, URL handling, HTML template rendering in Go web frameworks, or CSRF protection. Covers CWE-918/352/79. Keywords: SSRF, server-side request forgery, XSS, cross-site scripting, CSRF, http.Get, http.Client, template.HTML, Gin, Echo, Fiber, webhook, Kyverno, DNS rebinding

2026-03-14
pentest-access-control
information-security-analysts

Use when performing penetration testing targeting access control and privilege escalation vulnerabilities. Keywords: access control, privilege escalation, RBAC bypass, tenant isolation, vertical escalation, horizontal escalation, missing authorization, SAML bypass

2026-03-14
pentest-auth-bypass
information-security-analysts

Use when performing penetration testing targeting authentication bypass vulnerabilities. Keywords: authentication bypass, OTP bypass, 2FA bypass, login bypass, session fixation, default credentials, account takeover, token manipulation

2026-03-14
pentest-business-logic
information-security-analysts

Use when performing penetration testing targeting business logic flaws, denial of service, and race condition vulnerabilities. Keywords: business logic, race condition, TOCTOU, denial of service, ReDoS, resource exhaustion, rate limiting bypass, workflow bypass

2026-03-14
pentest-command-injection
information-security-analysts

Use when performing penetration testing targeting command injection and remote code execution vulnerabilities. Keywords: command injection, OS command injection, RCE, remote code execution, code injection, shell injection, deserialization, Log4Shell

2026-03-14
pentest-deserialization-xxe
information-security-analysts

Use when performing penetration testing targeting deserialization, XXE, and dangerous file upload vulnerabilities. Keywords: deserialization, insecure deserialization, XXE, XML external entities, file upload, unrestricted upload, pickle, Java serialization, gadget chain

2026-03-14
pentest-idor
information-security-analysts

Use when performing penetration testing targeting insecure direct object reference vulnerabilities. Keywords: IDOR, broken object level authorization, BOLA, parameter tampering, horizontal privilege escalation, API authorization, UUID guessing

2026-03-14
pentest-info-disclosure
information-security-analysts

Use when performing penetration testing targeting information disclosure and sensitive data exposure vulnerabilities. Keywords: information disclosure, sensitive data exposure, credential leak, API key exposure, directory listing, error message leakage, debug info, cleartext storage

2026-03-14
pentest-memory-corruption
information-security-analysts

Use when performing penetration testing targeting memory corruption vulnerabilities in native applications. Keywords: buffer overflow, heap overflow, use-after-free, integer overflow, format string, stack overflow, type confusion, out-of-bounds read/write

2026-03-14
pentest-path-traversal
information-security-analysts

Use when performing penetration testing targeting path traversal and file inclusion vulnerabilities. Keywords: path traversal, directory traversal, LFI, RFI, file read, file write, dot-dot-slash, null byte, symlink attack, zip slip

2026-03-14
pentest-request-forgery
information-security-analysts

Use when performing penetration testing targeting request forgery vulnerabilities including CSRF, HTTP request smuggling, and CRLF injection. Keywords: CSRF, cross-site request forgery, HTTP smuggling, request smuggling, CRLF injection, header injection, clickjacking, desync attack

2026-03-14
pentest-sqli
information-security-analysts

Use when performing penetration testing targeting SQL injection vulnerabilities in web applications. Keywords: SQL injection, blind SQLi, union-based, error-based, time-based, second-order injection, ORM injection, parameterized queries bypass

2026-03-14
pentest-ssrf
information-security-analysts

Use when performing penetration testing targeting server-side request forgery vulnerabilities. Keywords: SSRF, server-side request forgery, URL parameter manipulation, internal service access, cloud metadata, blind SSRF, DNS rebinding

2026-03-14
pentest-xss
information-security-analysts

Use when performing penetration testing targeting cross-site scripting vulnerabilities including stored, reflected, and DOM-based XSS. Keywords: XSS, stored XSS, reflected XSS, DOM XSS, content injection, HTML injection, JavaScript injection, CSP bypass

2026-03-14
vuln-patterns-auth-bypass
information-security-analysts

Use when auditing Python code involving authentication flows, permission checks, access control logic, JWT/token validation, decorator-based protection, or SSO/OAuth identity binding. Covers CWE-285/287/863. Keywords: authentication bypass, authorization bypass, access control, permission check, JWT verification, token validation, decorator, middleware auth, privilege escalation, permission_classes, SAML, OpenID

2026-03-14
vuln-patterns-deserialization
information-security-analysts

Use when auditing Python code involving pickle/unpickle, yaml.load, torch.load, joblib.load, shelve, marshal, custom JSON object_hook with importlib, or ZeroMQ recv_pyobj. Covers CWE-502. Keywords: deserialization, pickle, unpickle, yaml.load, torch.load, joblib, shelve, marshal, __reduce__, cloudpickle, dill, safetensors, weights_only, picklescan

2026-03-14
vuln-patterns-injection
information-security-analysts

Use when auditing Python code involving command execution (subprocess, os.system, os.popen), SQL queries (cursor.execute, sqlalchemy.text, ORM .extra/.raw), eval/exec calls, template rendering (Jinja2, Mako SSTI), or expression evaluation. Covers CWE-77/78/89/94/95/917. Keywords: command injection, SQL injection, code injection, eval, exec, template injection, expression language injection, Hydra instantiate, allow_dangerous_code

2026-03-14
vuln-patterns-path-traversal
information-security-analysts

Use when auditing Python code involving file path operations (os.path.join, pathlib), file upload/download, archive extraction (tarfile, zipfile), or file inclusion. Covers CWE-22/23. Keywords: path traversal, directory traversal, zip slip, file upload, file download, extractall, Content-Disposition, secure_filename, session file, symlink, os.path.join absolute path override

2026-03-14
vuln-patterns-ssrf
information-security-analysts

Use when auditing Python code involving HTTP client calls (requests, httpx, urllib, aiohttp), webhook endpoints, proxy forwarding, file/model downloads, or SVG/XML external resource loading. Covers CWE-918. Keywords: SSRF, server-side request forgery, requests.get, urllib, httpx, aiohttp, webhook, proxy, redirect, url fetch, file download, gethostbyname, is_private_url, DNS rebinding, cloud metadata

2026-03-14
vuln-patterns-xss
information-security-analysts

Use when auditing Python web applications involving HTML rendering, template engines (Jinja2, Mako, Django templates), Markdown parsing, DataFrame-to-HTML conversion, or frontend innerHTML assignments. Covers CWE-79. Keywords: XSS, cross-site scripting, HTML injection, mark_safe, |safe, autoescape, bleach, escape, innerHTML, decode_contents, self.write, to_html, format_html

2026-03-14