Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

$pwd:

ghost-validate

Name: Ghost Validate
Author: ghostsecurity

// This skill should be used when the user asks to "validate a finding", "check if a vulnerability is real", "triage a security finding", "confirm a vulnerability", "determine if a finding is a true positive or false positive", or provides a security finding for review. It validates security vulnerability findings by tracing data flows, verifying exploit conditions, analyzing security controls, and optionally testing attack vectors against a live application.

Ejecutar en Manus

$ git log --oneline --stat

stars:382

forks:26

updated:17 de febrero de 2026, 20:35

Explorador de archivos

2 archivos

SKILL.md

readonly

name	ghost-validate
description	This skill should be used when the user asks to "validate a finding", "check if a vulnerability is real", "triage a security finding", "confirm a vulnerability", "determine if a finding is a true positive or false positive", or provides a security finding for review. It validates security vulnerability findings by tracing data flows, verifying exploit conditions, analyzing security controls, and optionally testing attack vectors against a live application.
license	apache-2.0
metadata	{"version":"1.1.0"}

Security Finding Validation

Determine whether a security finding is a true positive or false positive. Produce a determination with supporting evidence.

Input

The user provides a finding as a file path or pasted text. If neither is provided, ask for one.

Extract: vulnerability class, specific claim, affected endpoint, code location, and any existing validation evidence.

Validation Workflow

Step 1: Understand the Finding

Identify:

The vulnerability class (BFLA, BOLA, XSS, SQLi, SSRF, etc.)
The specific claim being made (what authorization check is missing, what input is unsanitized, etc.)
The affected endpoint and HTTP method
The code location

Step 2: Analyze the Source Code

Read the vulnerable file at the specified line number and all supporting files
Trace the request flow from route registration through middleware to the handler
Verify the specific claim — does the code actually lack the described check?
Look for indirect protections (middleware, helpers, ORM constraints) the scanner may have missed
Confirm the vulnerable code path is reachable under the described conditions

Step 3: Live Validation (When Available)

If a live instance of the application is accessible and the vulnerability can be confirmed through live interaction, use the proxy skill to confirm exploitability:

Start reaper proxy scoped to the target domain
Authenticate (or have the user authenticate) as a legitimate user and capture a valid request to the vulnerable endpoint
Replay or modify the request to attempt the exploit described in the finding
Compare the response to expected behavior:
- Does the unauthorized action succeed? (true positive)
- Does the server reject it with 401/403/404? (false positive)
Capture the request/response pair as evidence using reaper get <id>

Step 4: Make Determination

Classify the finding as one of:

True Positive: The vulnerability exists and is exploitable. The code lacks the described protection and the endpoint is reachable.
True Positive (Confirmed): Same as above, plus live testing demonstrated successful exploitation.
False Positive: The vulnerability does not exist. Provide the specific reason (indirect protection found, code path unreachable, etc.).
Inconclusive: Cannot determine without additional information. Specify what is needed.

Step 5: Report

Output a summary in the following format:

Determination: True Positive, False Positive, or Inconclusive
Confidence: High, Medium, or Low
Evidence Summary: Key findings from code review and/or live testing
Code Analysis: Specific lines and logic that support the determination
Live Test Results (if performed): Request/response pairs demonstrating the behavior
Recommendation: Fix if true positive, close if false positive, gather more info if inconclusive

Example:

## Validation Result
- **Determination**: True Positive
- **Confidence**: High
- **Evidence**: Handler at routes/transfers.go:142 queries transfers by ID without checking ownership. No middleware or ORM-level constraint enforces user scoping.
- **Recommendation**: Add ownership check — include user_id in the WHERE clause.

Step 6: Persist Results

If the finding was provided as a file path, ask the user if they would like to append the validation details to the original finding file. If they agree, append a ## Validation section to the file containing the determination, confidence, evidence summary, and recommendation.

Vulnerability Class Reference

See VULNERABILITY_PATTERNS.md in this skill directory for patterns to look for when validating authorization flaws (BFLA/BOLA/IDOR), injection (SQLi/XSS), and authentication flaws.

related-skills.json

mismo repositorio

ghost-scan-code.md

from "ghostsecurity/skills"

Ghost Security - SAST code scanner. Finds security vulnerabilities in source code by planning and executing targeted scans for issues like SQL injection, XSS, BOLA, BFLA, SSRF, and other OWASP categories. Supports applications (backend, frontend, mobile) and libraries (prototype pollution, unsafe deserialization, ReDoS, path traversal, zip slip). Use when the user asks for a code security audit, SAST scan, vulnerability scan of source code, or wants to find security flaws in a codebase or library.

2026-03-11382

ghost-repo-context.md

from "ghostsecurity/skills"

Scans directory structure, detects projects, maps dependencies, and documents code organization into a repo.md file. Use when the user needs a codebase overview, project structure map, or repository context before security analysis.

2026-02-25382

ghost-proxy.md

from "ghostsecurity/skills"

Starts and controls the reaper MITM proxy to capture, inspect, search, and replay HTTP/HTTPS traffic between clients and servers. Capabilities include starting/stopping the proxy scoped to specific domains, viewing captured request/response logs, searching traffic by method/path/status/host, and inspecting full raw HTTP entries for security analysis. Use when the user asks to "start the proxy", "capture traffic", "intercept requests", "inspect HTTP traffic", "search captured requests", or "view request/response".

2026-02-17382

ghost-report.md

from "ghostsecurity/skills"

Ghost Security — combined security report. Aggregates findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report focused on the highest risk, highest confidence issues. Use when the user requests a security overview, vulnerability summary, full security audit, or combined scan results.

2026-02-17382

ghost-scan-deps.md

from "ghostsecurity/skills"

Ghost Security - Software Composition Analysis (SCA) scanner. Scans dependency lockfiles for known vulnerabilities, identifies CVEs, and generates findings with severity levels and remediation guidance. Use when the user asks about dependency vulnerabilities, vulnerable packages, CVE checks, security audits of dependencies, or wants to scan lockfiles like package-lock.json, yarn.lock, go.sum, or Gemfile.lock.

2026-02-17382

ghost-scan-secrets.md

from "ghostsecurity/skills"

Ghost Security - Secrets and credentials scanner. Scans codebase for leaked API keys, tokens, passwords, and sensitive data. Detects hardcoded secrets and generates findings with severity and remediation guidance. Use when the user asks to check for leaked secrets, scan for credentials, find hardcoded API keys or passwords, detect exposed .env values, or audit code for sensitive data exposure.

2026-02-17382

package.json

"author": "ghostsecurity"

"repository": "ghostsecurity/skills"

Abrir repositorio de GitHub Ver repositorios del creador

$ install --global

$ download --local

Ejecutar en Manus

$ useful --forSOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas15-1212L4

name	ghost-validate
description	This skill should be used when the user asks to "validate a finding", "check if a vulnerability is real", "triage a security finding", "confirm a vulnerability", "determine if a finding is a true positive or false positive", or provides a security finding for review. It validates security vulnerability findings by tracing data flows, verifying exploit conditions, analyzing security controls, and optionally testing attack vectors against a live application.
license	apache-2.0
metadata	{"version":"1.1.0"}

Security Finding Validation

Determine whether a security finding is a true positive or false positive. Produce a determination with supporting evidence.

Input

The user provides a finding as a file path or pasted text. If neither is provided, ask for one.

Extract: vulnerability class, specific claim, affected endpoint, code location, and any existing validation evidence.

Validation Workflow

Step 1: Understand the Finding

Identify:

The vulnerability class (BFLA, BOLA, XSS, SQLi, SSRF, etc.)
The specific claim being made (what authorization check is missing, what input is unsanitized, etc.)
The affected endpoint and HTTP method
The code location

Step 2: Analyze the Source Code

Read the vulnerable file at the specified line number and all supporting files
Trace the request flow from route registration through middleware to the handler
Verify the specific claim — does the code actually lack the described check?
Look for indirect protections (middleware, helpers, ORM constraints) the scanner may have missed
Confirm the vulnerable code path is reachable under the described conditions

Step 3: Live Validation (When Available)

If a live instance of the application is accessible and the vulnerability can be confirmed through live interaction, use the proxy skill to confirm exploitability:

Start reaper proxy scoped to the target domain
Authenticate (or have the user authenticate) as a legitimate user and capture a valid request to the vulnerable endpoint
Replay or modify the request to attempt the exploit described in the finding
Compare the response to expected behavior:
- Does the unauthorized action succeed? (true positive)
- Does the server reject it with 401/403/404? (false positive)
Capture the request/response pair as evidence using reaper get <id>

Step 4: Make Determination

Classify the finding as one of:

True Positive: The vulnerability exists and is exploitable. The code lacks the described protection and the endpoint is reachable.
True Positive (Confirmed): Same as above, plus live testing demonstrated successful exploitation.
False Positive: The vulnerability does not exist. Provide the specific reason (indirect protection found, code path unreachable, etc.).
Inconclusive: Cannot determine without additional information. Specify what is needed.

Step 5: Report

Output a summary in the following format:

Determination: True Positive, False Positive, or Inconclusive
Confidence: High, Medium, or Low
Evidence Summary: Key findings from code review and/or live testing
Code Analysis: Specific lines and logic that support the determination
Live Test Results (if performed): Request/response pairs demonstrating the behavior
Recommendation: Fix if true positive, close if false positive, gather more info if inconclusive

Example:

## Validation Result
- **Determination**: True Positive
- **Confidence**: High
- **Evidence**: Handler at routes/transfers.go:142 queries transfers by ID without checking ownership. No middleware or ORM-level constraint enforces user scoping.
- **Recommendation**: Add ownership check — include user_id in the WHERE clause.

Step 6: Persist Results

Vulnerability Class Reference

See VULNERABILITY_PATTERNS.md in this skill directory for patterns to look for when validating authorization flaws (BFLA/BOLA/IDOR), injection (SQLi/XSS), and authentication flaws.

ghost-validate

Security Finding Validation

Input

Validation Workflow

Step 1: Understand the Finding

Step 2: Analyze the Source Code

Step 3: Live Validation (When Available)

Step 4: Make Determination

Step 5: Report

Step 6: Persist Results

Vulnerability Class Reference

Más de este repositorio

Security Finding Validation

Input

Validation Workflow

Step 1: Understand the Finding

Step 2: Analyze the Source Code

Step 3: Live Validation (When Available)

Step 4: Make Determination

Step 5: Report

Step 6: Persist Results

Vulnerability Class Reference

Más de este repositorio