Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

$pwd:

scanning-security

Name: Scanning Security
Author: SocketDev

// Runs a multi-tool security scan: AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report. Use after modifying `.claude/` config, hooks, agents, or GitHub Actions workflows, and before releases.

Exécuter dans Manus

$ git log --oneline --stat

stars:0

forks:0

updated:28 mai 2026 à 18:24

SKILL.md

readonly

name	scanning-security
description	Runs a multi-tool security scan: AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report. Use after modifying `.claude/` config, hooks, agents, or GitHub Actions workflows, and before releases.

scanning-security

Multi-tool security scanning pipeline for the repository.

When to Use

After modifying .claude/ config, settings, hooks, or agent definitions
After modifying GitHub Actions workflows
Before releases (called as a gate by the release pipeline)
Periodic security hygiene checks

Prerequisites

See _shared/security-tools.md for tool detection and installation.

Process

Phase 1: Environment Check

Follow _shared/env-check.md. Initialize a queue run entry for scanning-security.

Phase 2: AgentShield Scan

Scan Claude Code configuration for security issues:

pnpm exec agentshield scan

Checks .claude/ for:

Hardcoded secrets in CLAUDE.md and settings
Overly permissive tool allow lists (e.g. Bash(*))
Prompt injection patterns in agent definitions
Command injection risks in hooks
Risky MCP server configurations

Capture the grade and findings count.

Update queue: current_phase: agentshield → completed_phases: [env-check, agentshield]

Phase 3: Zizmor Scan

Scan GitHub Actions workflows for security issues.

See _shared/security-tools.md for zizmor detection. If not installed, skip with a warning.

zizmor .github/

Checks for:

Unpinned actions (must use full SHA, not tags)
Secrets used outside env: blocks
Injection risks from untrusted inputs (template injection)
Overly permissive permissions

Capture findings. Update queue phase.

Phase 4: Grade + Report

Spawn the security-reviewer agent (see agents/security-reviewer.md) with the combined output from AgentShield and zizmor.

The agent:

Applies CLAUDE.md security rules to evaluate the findings
Calculates an A-F grade per _shared/report-format.md
Generates a prioritized report (CRITICAL first)
Suggests fixes for HIGH and CRITICAL findings
For every Critical / High finding, runs variant analysis per _shared/variant-analysis.md. The same misconfiguration likely exists in sibling workflow files, sibling Claude config blocks, or other repos.

Output a HANDOFF block per _shared/report-format.md for pipeline chaining.

Update queue: status: done, write findings_count and final grade.

Adjacent scans

Code-side security (insecure defaults, fail-open patterns, security-regression in a diff) lives in scanning-quality's modular scans:

scanning-quality/scans/insecure-defaults.md: code-side fail-open defaults.
scanning-quality/scans/differential.md: security regressions introduced by the current diff.

This skill stays focused on config security (Claude config + GitHub Actions). The split keeps the surface predictable: scanning-security = "is the harness safe?", scanning-quality/scans/ = "is the code safe?".

Commit cadence

This skill is read-only: scan + grade + report, no fixes. Cadence rules apply to handing the report off:

Save the report before acting. Commit the report file in its own commit (docs(reports): scanning-security YYYY-MM-DD: grade <A-F>). The grade in the message makes the trend visible without opening the file.
Don't fix in-skill. Security findings need careful per-finding triage; they're not safe to batch-fix mechanically. Open per-finding fixes as separate commits driven by the appropriate skill (or hand-edit when the fix is a one-liner like a workflow SHA bump).
One report per scan run. Re-running produces a new report; commit each so the security trend line is auditable.

related-skills.json

même dépôt

trimming-bundle.md

from "SocketDev/socket-lib"

For repos that ship a built bundle, finds unused code paths in dist/ and iteratively stubs them via the bundler's stub plugin. Each candidate stub goes through stub → rebuild → test loop; only paths that pass the loop are kept. Today the only supported bundler is rolldown (createLibStubPlugin); the skill shape generalizes to other bundlers if the fleet adopts them. Use after a bundler migration, before publishing a new version, or whenever bundle size grows unexpectedly.

2026-05-290

auditing-gha-settings.md

from "SocketDev/socket-lib"

Audits a repo's GitHub Actions permissions + allowlist against the fleet baseline. Reports drift only. Fixes are manual in Settings → Actions because flipping these silently is unsafe. Use when a CI failure looks like "action X is not allowed to be used", when onboarding a new fleet repo, or as a periodic fleet-wide health check.

2026-05-280

cleaning-redundant-ci.md

from "SocketDev/socket-lib"

Sweeps a fleet repo (or every fleet repo) for redundant CI surface. Three classes: orphan workflow YAML files (lint.yml / check.yml / type.yml / test.yml that the unified ci.yml replaced), GitHub-Dependabot auto-fix PRs that the fleet handles via /updating-security, and stale workflow run history in the Actions sidebar. Deletes the YAML files, disables Dependabot automated-security-fixes via gh api, and reports anything that needs a manual UI toggle. Once-and-never-again sweep meant to leave a repo clean.

2026-05-280

reviewing-code.md

from "SocketDev/socket-lib"

Reviews the current branch against a base ref using multiple AI backends. Routes discovery, discovery-secondary, remediation, and verify passes through the available agents (codex, claude, opencode, kimi, …), gracefully skipping any backend that isn't installed. Writes a markdown findings report under docs/. Use when preparing or updating a PR, before merging a feature branch, or when wanting an independent second opinion from a different agent.

2026-05-280

running-test262.md

from "SocketDev/socket-lib"

Run the test262 conformance suite against fleet parsers / runtimes (ultrathink acorn variants, socket-btm temporal-infra, future ports) using each repo's canonical runner. Never write homebrew test262 runners. Every parser/runtime in the fleet ships a runner under `test/scripts/test262-*.mts` and an unsupported-features config. Use this skill when asked to run spec tests, check conformance, debug a failing test262 case, or compare a parser against a reference implementation.

2026-05-280

scanning-quality.md

from "SocketDev/socket-lib"

Scans the codebase for bugs, logic errors, cache races, workflow problems, insecure defaults, security regressions in the diff, and variant analysis on prior findings. Spawns specialized Task agents per scan type, deduplicates findings, and produces an A-F prioritized report. Use when preparing a release, investigating quality issues, running pre-merge checks, or whenever a recent diff touches security-sensitive code.

2026-05-280

package.json

"author": "SocketDev"

"repository": "SocketDev/socket-lib"

Ouvrir le dépôt GitHub Voir les dépôts du créateur

$ install --global

$ download --local

Exécuter dans Manus

name	scanning-security
description	Runs a multi-tool security scan: AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report. Use after modifying `.claude/` config, hooks, agents, or GitHub Actions workflows, and before releases.

scanning-security

Multi-tool security scanning pipeline for the repository.

When to Use

After modifying .claude/ config, settings, hooks, or agent definitions
After modifying GitHub Actions workflows
Before releases (called as a gate by the release pipeline)
Periodic security hygiene checks

Prerequisites

See _shared/security-tools.md for tool detection and installation.

Process

Phase 1: Environment Check

Follow _shared/env-check.md. Initialize a queue run entry for scanning-security.

Phase 2: AgentShield Scan

Scan Claude Code configuration for security issues:

pnpm exec agentshield scan

Checks .claude/ for:

Hardcoded secrets in CLAUDE.md and settings
Overly permissive tool allow lists (e.g. Bash(*))
Prompt injection patterns in agent definitions
Command injection risks in hooks
Risky MCP server configurations

Capture the grade and findings count.

Update queue: current_phase: agentshield → completed_phases: [env-check, agentshield]

Phase 3: Zizmor Scan

Scan GitHub Actions workflows for security issues.

See _shared/security-tools.md for zizmor detection. If not installed, skip with a warning.

zizmor .github/

Checks for:

Unpinned actions (must use full SHA, not tags)
Secrets used outside env: blocks
Injection risks from untrusted inputs (template injection)
Overly permissive permissions

Capture findings. Update queue phase.

Phase 4: Grade + Report

Spawn the security-reviewer agent (see agents/security-reviewer.md) with the combined output from AgentShield and zizmor.

The agent:

Applies CLAUDE.md security rules to evaluate the findings
Calculates an A-F grade per _shared/report-format.md
Generates a prioritized report (CRITICAL first)
Suggests fixes for HIGH and CRITICAL findings
For every Critical / High finding, runs variant analysis per _shared/variant-analysis.md. The same misconfiguration likely exists in sibling workflow files, sibling Claude config blocks, or other repos.

Output a HANDOFF block per _shared/report-format.md for pipeline chaining.

Update queue: status: done, write findings_count and final grade.

Adjacent scans

Code-side security (insecure defaults, fail-open patterns, security-regression in a diff) lives in scanning-quality's modular scans:

scanning-quality/scans/insecure-defaults.md: code-side fail-open defaults.
scanning-quality/scans/differential.md: security regressions introduced by the current diff.

Commit cadence

This skill is read-only: scan + grade + report, no fixes. Cadence rules apply to handing the report off:

Save the report before acting. Commit the report file in its own commit (docs(reports): scanning-security YYYY-MM-DD: grade <A-F>). The grade in the message makes the trend visible without opening the file.
Don't fix in-skill. Security findings need careful per-finding triage; they're not safe to batch-fix mechanically. Open per-finding fixes as separate commits driven by the appropriate skill (or hand-edit when the fix is a one-liner like a workflow SHA bump).
One report per scan run. Re-running produces a new report; commit each so the security trend line is auditable.

scanning-security

scanning-security

When to Use

Prerequisites

Process

Phase 1: Environment Check

Phase 2: AgentShield Scan

Phase 3: Zizmor Scan

Phase 4: Grade + Report

Adjacent scans

Commit cadence

Plus depuis ce dépôt

Plus depuis ce dépôt

scanning-security

When to Use

Prerequisites

Process

Phase 1: Environment Check

Phase 2: AgentShield Scan

Phase 3: Zizmor Scan

Phase 4: Grade + Report

Adjacent scans

Commit cadence