ワンクリックでManusで任意のスキルを実行

stacks-security-audit

スター620

フォーク17

更新日2026年3月24日 16:52

Use when performing security analysis on a Stacks application — OWASP Top 10, STRIDE threat modeling, attack surface mapping, dependency audit. Requires concrete exploit scenarios. Invoke with /stacks-security-audit.

インストール

Codex または Claude でインストールこの Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。

Manusで実行

ソース

stacksjs

stacksjs/stacks

GitHub リポジトリを開く Creator のリポジトリを見る

ダウンロード

Manusで実行

/stacks-security-audit — Security Analysis

You are performing a security analysis for a Stacks application. Be concrete — every finding must include a realistic exploit scenario. Vague warnings are worthless.

Determine Scope

If the user specifies files or a feature, analyze that scope
Otherwise, analyze: API routes (routes/), auth flows (@stacksjs/auth), middleware, data handling, config/services.ts

Step 1: Attack Surface Map

## Attack Surface

| Entry Point | Type | Auth Required? | Input Validation |
|-------------|------|----------------|------------------|
| [route/handler] | [HTTP/CLI/WebSocket] | [yes/no] | [description] |

For Stacks specifically, check:

API routes in routes/api.ts (136+ routes auto-generated)
CLI command handlers via buddy (command injection via user args)
WebSocket endpoints (@stacksjs/realtime)
Config file parsing
Dev server endpoints (rpx, localtunnels exposure)
Dashboard routes (auth middleware applied?)
File upload handling via EnhancedRequest.file()

Step 2: OWASP Top 10

Evaluate each applicable category. Only report findings with confidence ≥ 8/10.

For each finding:

The vulnerability — file:line reference
Exploit scenario — step-by-step
Impact — what attacker gains
Confidence — 1-10
Fix — concrete code change

### [OWASP Category]

🔴 **[Finding]** (Confidence: [N]/10)

**Location**: [file:line]
**Vulnerability**: [what's wrong]

**Exploit scenario**:
1. Attacker does [X]
2. System responds with [Y]
3. Attacker gains [Z]

**Impact**: [specific impact]
**Fix**: [concrete change]

Stacks-Specific Security Checks

Auth token handling: Check @stacksjs/auth for token validation, rotation (30d expiry, 7d rotation)
Webhook URLs in config/services.ts: Discord, Slack, Stripe keys — are they properly secured?
ORM injection: Check if user input flows unsanitized into query builder .where() calls
Middleware gaps: Are admin routes protected by auth middleware? Check routes/api.ts group middleware
Rate limiting: Is throttle middleware applied to auth endpoints?
Passkey handling: Check @stacksjs/auth passkey credential storage
File uploads: Check EnhancedRequest.file() for path traversal, size limits
Maintenance mode bypass: Check secret URL mechanism in Maintenance middleware

Step 3: STRIDE Threat Model

Threat	Question	Finding
Spoofing	Can someone impersonate a user/service?
Tampering	Can data be modified in transit/rest?
Repudiation	Can actions happen without traces?
Information Disclosure	Can unauthorized data be accessed?
Denial of Service	Can the system be made unavailable?
Elevation of Privilege	Can higher privileges be gained?

Step 4: Dependency Audit

Read package.json for direct dependencies
Check for known vulnerabilities
Flag overly permissive version ranges
Check dependencies with filesystem/network/child_process access

Output Format

# Security Analysis: [scope]

## Attack Surface
[table]

## Critical Findings (Confidence ≥ 8/10)
[findings sorted by severity]

## STRIDE Assessment
[table]

## Dependency Audit
[findings]

## Lower Confidence Observations
[< 8/10 findings]

## Summary
- Critical findings: [count]
- Risk: [LOW / MEDIUM / HIGH / CRITICAL]

Rules

Concrete exploits only. "Doesn't validate input" is not a finding. Show the exact exploit.
8/10 confidence threshold. False positives erode trust.
No theoretical threats. If the code doesn't handle XML, skip XXE.
Never suggest security-through-obscurity.

Downstream

Security analysis complete. Run /stacks-review to verify fixes against these findings.

このリポジトリの他の Skills

同じリポジトリ

stacks-browse

stacksjs/stacks

Use for headless browser QA on Stacks applications — navigation, screenshots, responsive testing, console/network monitoring, and accessibility snapshots. Dependency-free: drives a system browser over the Chrome DevTools Protocol using only Bun (no Playwright/Puppeteer). Invoke with /stacks-browse.

2026-06-16620

stacks-crosswind

stacksjs/stacks

Use when styling components in a Stacks application — utility-first CSS classes, theming, responsive design, variants, custom rules, or CSS generation. Crosswind is the CSS utility engine powering Stacks' Crosswind config.

2026-05-23620

stacks-ui

stacksjs/stacks

Use when working with UI in a Stacks application — components, composables, reactivity (refs/watch/computed), Craft native components, Crosswind CSS, Crosswind utility framework, accessibility, or the STX templating engine. Covers @stacksjs/ui, @stacksjs/stx, and related UI tooling.

2026-05-23620

stacks-api

stacksjs/stacks

Use when building, modifying, or debugging API endpoints in a Stacks application — defining routes, handling requests, API middleware, working with the API server, HTTP client (fetcher), API resources, or OpenAPI generation. Covers both @stacksjs/api utilities and the stacks-api server implementation.

2026-05-20620

stacks-router

stacksjs/stacks

Use when working with routing in a Stacks application — defining routes, HTTP methods, route groups, middleware, named routes, URL generation, request enhancement (Laravel-style input/query/file helpers), response helpers, error responses, route model binding, or rate limiting. Covers @stacksjs/router, routes/, and app/Routes.ts.

2026-05-20620

stacks-routes

stacksjs/stacks

Use when defining or organizing route files in a Stacks application — creating route files in routes/, registering them in app/Routes.ts, using route prefixes and middleware groups, or the default API routes structure. For the router API itself (request helpers, response helpers, middleware classes), see stacks-router.

2026-05-20620

name	stacks-security-audit
description	Use when performing security analysis on a Stacks application — OWASP Top 10, STRIDE threat modeling, attack surface mapping, dependency audit. Requires concrete exploit scenarios. Invoke with /stacks-security-audit.
license	MIT
compatibility	Bun >= 1.3.0, TypeScript
allowed-tools	Read Edit Write Bash Grep Glob

/stacks-security-audit — Security Analysis

You are performing a security analysis for a Stacks application. Be concrete — every finding must include a realistic exploit scenario. Vague warnings are worthless.

Determine Scope

If the user specifies files or a feature, analyze that scope
Otherwise, analyze: API routes (routes/), auth flows (@stacksjs/auth), middleware, data handling, config/services.ts

Step 1: Attack Surface Map

## Attack Surface

| Entry Point | Type | Auth Required? | Input Validation |
|-------------|------|----------------|------------------|
| [route/handler] | [HTTP/CLI/WebSocket] | [yes/no] | [description] |

For Stacks specifically, check:

API routes in routes/api.ts (136+ routes auto-generated)
CLI command handlers via buddy (command injection via user args)
WebSocket endpoints (@stacksjs/realtime)
Config file parsing
Dev server endpoints (rpx, localtunnels exposure)
Dashboard routes (auth middleware applied?)
File upload handling via EnhancedRequest.file()

Step 2: OWASP Top 10

Evaluate each applicable category. Only report findings with confidence ≥ 8/10.

For each finding:

The vulnerability — file:line reference
Exploit scenario — step-by-step
Impact — what attacker gains
Confidence — 1-10
Fix — concrete code change

### [OWASP Category]

🔴 **[Finding]** (Confidence: [N]/10)

**Location**: [file:line]
**Vulnerability**: [what's wrong]

**Exploit scenario**:
1. Attacker does [X]
2. System responds with [Y]
3. Attacker gains [Z]

**Impact**: [specific impact]
**Fix**: [concrete change]

Stacks-Specific Security Checks

Auth token handling: Check @stacksjs/auth for token validation, rotation (30d expiry, 7d rotation)
Webhook URLs in config/services.ts: Discord, Slack, Stripe keys — are they properly secured?
ORM injection: Check if user input flows unsanitized into query builder .where() calls
Middleware gaps: Are admin routes protected by auth middleware? Check routes/api.ts group middleware
Rate limiting: Is throttle middleware applied to auth endpoints?
Passkey handling: Check @stacksjs/auth passkey credential storage
File uploads: Check EnhancedRequest.file() for path traversal, size limits
Maintenance mode bypass: Check secret URL mechanism in Maintenance middleware

Step 3: STRIDE Threat Model

Threat	Question	Finding
Spoofing	Can someone impersonate a user/service?
Tampering	Can data be modified in transit/rest?
Repudiation	Can actions happen without traces?
Information Disclosure	Can unauthorized data be accessed?
Denial of Service	Can the system be made unavailable?
Elevation of Privilege	Can higher privileges be gained?

Step 4: Dependency Audit

Read package.json for direct dependencies
Check for known vulnerabilities
Flag overly permissive version ranges
Check dependencies with filesystem/network/child_process access

Output Format

# Security Analysis: [scope]

## Attack Surface
[table]

## Critical Findings (Confidence ≥ 8/10)
[findings sorted by severity]

## STRIDE Assessment
[table]

## Dependency Audit
[findings]

## Lower Confidence Observations
[< 8/10 findings]

## Summary
- Critical findings: [count]
- Risk: [LOW / MEDIUM / HIGH / CRITICAL]

Rules

Concrete exploits only. "Doesn't validate input" is not a finding. Show the exact exploit.
8/10 confidence threshold. False positives erode trust.
No theoretical threats. If the code doesn't handle XML, skip XXE.
Never suggest security-through-obscurity.

Downstream

Security analysis complete. Run /stacks-review to verify fixes against these findings.