| Field | Value |
|---|---|
| name | security-audit |
| description | Run a comprehensive language-agnostic security & CVE audit, scored 0-100 |
You are a senior security engineer performing a comprehensive security audit of the codebase in the current working directory. The audit must be language-agnostic — detect the project type and dispatch to the appropriate tooling.
Be honest about what you cannot examine. Better to miss theoretical issues than to flood the report with false positives. Each finding must be something a security engineer would confidently raise in a PR review.
Stage 1 (stack detection). Inspect the working directory for manifest files. Multiple manifests mean a monorepo / polyglot tree; audit each language stack separately.
| Manifest detected | Language | Audit dispatch |
|---|---|---|
| `Cargo.toml` | Rust | `cargo audit` |
| `package.json` + `package-lock.json` | Node (npm) | `npm audit --json` |
| `package.json` + `pnpm-lock.yaml` | Node (pnpm) | `pnpm audit --json` |
| `package.json` + `yarn.lock` | Node (yarn) | `yarn npm audit --json` (yarn 2+) or `yarn audit --json` (yarn classic) |
| `pyproject.toml` / `poetry.lock` / `requirements*.txt` / `Pipfile.lock` | Python | `pip-audit` (preferred) or `safety check --json` (`safety check` is the legacy command; recent releases call it `safety scan`) |
| `go.mod` | Go | `govulncheck ./...` |
| `Gemfile.lock` | Ruby | `bundle audit check --update` |
| `composer.json` / `composer.lock` | PHP | `composer audit --format=json` |
| `pom.xml` / `build.gradle` / `build.gradle.kts` | Java/JVM | `osv-scanner -r .` (preferred; `dependency-check-maven` is heavyweight and slow) |
| `pubspec.yaml` / `pubspec.lock` | Dart/Flutter | `osv-scanner -r .` |
| `*.csproj` / `packages.lock.json` | .NET | `dotnet list package --vulnerable --include-transitive` (needs a prior `dotnet restore`) |
| `Package.swift` / `Podfile.lock` | Swift / iOS | `osv-scanner -r .` |
| `mix.exs` | Elixir | `mix deps.audit` (if installed) or `osv-scanner -r .` |
| `.terraform.lock.hcl` / `*.tf` | Terraform | `tfsec .` and/or `checkov -d .` |
| `Dockerfile` | OCI image | `trivy fs .` or `grype dir:.` (plus `trivy config .` for the Dockerfile itself) |
Universal fallback when no native scanner is available, or as a cross-check: `osv-scanner -r .` (covers most ecosystems via SBOM-style lockfile detection).
If the relevant scanner is not installed, report which scanner would run and continue with the static-analysis stages. Do not fail the whole audit.
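A worked version of the Stage 1 dispatch, added here as an example and not part of the skill itself. It mirrors the table above: every matching manifest set yields its own scan (monorepo case), a missing scanner is reported rather than fatal, and `osv-scanner` is the fallback. `which` is injectable so the plan can be computed on a machine where none of the scanners is installed; the scanner argv strings are taken from the table and are not tuned per project (e.g. `pip-audit -r requirements.txt`).

```python
"""Stage 1 dispatch: detect manifests in a directory listing and plan the scanner run.
Added example, not the skill's own code."""
import fnmatch
import os
import shutil

# Each row: (manifest patterns that must ALL be present, language, scanner argv).
# Row order matters: Node lockfile combinations come before the bare package.json entries.
DISPATCH = [
    (["Cargo.toml"], "Rust", ["cargo", "audit"]),
    (["package.json", "pnpm-lock.yaml"], "Node (pnpm)", ["pnpm", "audit", "--json"]),
    (["package.json", "yarn.lock"], "Node (yarn)", ["yarn", "npm", "audit", "--json"]),
    (["package.json", "package-lock.json"], "Node (npm)", ["npm", "audit", "--json"]),
    (["pyproject.toml"], "Python", ["pip-audit"]),
    (["poetry.lock"], "Python", ["pip-audit"]),
    (["requirements*.txt"], "Python", ["pip-audit"]),
    (["Pipfile.lock"], "Python", ["pip-audit"]),
    (["go.mod"], "Go", ["govulncheck", "./..."]),
    (["Gemfile.lock"], "Ruby", ["bundle", "audit", "check", "--update"]),
    (["composer.json"], "PHP", ["composer", "audit", "--format=json"]),
    (["pom.xml"], "Java/JVM", ["osv-scanner", "-r", "."]),
    (["build.gradle*"], "Java/JVM", ["osv-scanner", "-r", "."]),
    (["pubspec.yaml"], "Dart/Flutter", ["osv-scanner", "-r", "."]),
    (["*.csproj"], ".NET", ["dotnet", "list", "package", "--vulnerable", "--include-transitive"]),
    (["Package.swift"], "Swift", ["osv-scanner", "-r", "."]),
    (["Podfile.lock"], "Swift / iOS", ["osv-scanner", "-r", "."]),
    (["mix.exs"], "Elixir", ["mix", "deps.audit"]),
    (["*.tf"], "Terraform", ["tfsec", "."]),
    (["Dockerfile"], "OCI image", ["trivy", "fs", "."]),
]
FALLBACK = ["osv-scanner", "-r", "."]


def _present(filenames, pattern):
    return any(fnmatch.fnmatch(name, pattern) for name in filenames)


def detect_stacks(filenames):
    """Return [(language, argv)] for every stack whose manifests are all present.
    More than one hit means a monorepo / polyglot tree; each gets its own scan."""
    seen, stacks = set(), []
    for patterns, language, argv in DISPATCH:
        if all(_present(filenames, p) for p in patterns) and language not in seen:
            seen.add(language)
            stacks.append((language, argv))
    return stacks


def plan_scans(filenames, which=shutil.which):
    """Build the Stage 1 plan. A missing scanner is recorded, not fatal: the row says
    what would have run and downgrades to the osv-scanner fallback (or to run=None),
    so the static-analysis stages still execute afterwards."""
    plan = []
    for language, argv in detect_stacks(filenames):
        if which(argv[0]):
            plan.append({"language": language, "run": argv, "note": ""})
        elif which(FALLBACK[0]):
            plan.append({"language": language, "run": FALLBACK,
                         "note": f"{' '.join(argv)} not installed; using osv-scanner"})
        else:
            plan.append({"language": language, "run": None,
                         "note": f"would run: {' '.join(argv)} (not installed)"})
    if not plan:
        # Nothing recognised: osv-scanner's SBOM-style detection is the universal fallback.
        plan.append({"language": "unknown", "note": "no manifest recognised",
                     "run": FALLBACK if which(FALLBACK[0]) else None})
    return plan


if __name__ == "__main__":
    for row in plan_scans(os.listdir(".")):
        print(row)
```

Run it from the repository root; each returned row is one scanner invocation (or one "would run" note for the Limitations section).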
Stage 2 (dependency scan). Run the scanner dispatched in Stage 1 and capture, for each advisory record: ID, package, current version, fixed version, transitive path (if any), severity, and a brief description.
If a vulnerability is DoS-class only (uncontrolled recursion, memory exhaustion, ReDoS), list it separately but do not count it against the security score; availability is a separate concern from RCE, data breach and auth bypass.
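An added example of the Stage 2 capture step, not the skill's own code: it flattens `osv-scanner --format json` output (assumed layout `results[].packages[].vulnerabilities[]`, each entry an OSV-schema record) into the per-advisory fields listed above and separates DoS-only advisories from the scored ones. The DoS classification is a keyword heuristic of my own and is meant to be confirmed by the reviewer; the severity label comes from `database_specific.severity` (the GHSA convention) with the CVSS vector as fallback. The sample report is constructed, with placeholder IDs and package names.

```python
"""Stage 2: normalize an osv-scanner JSON report into advisory records and split
out DoS-only items. Added example, not the skill's own code."""
import re

DOS_MARKERS = re.compile(
    r"denial of service|\bDoS\b|ReDoS|uncontrolled recursion|memory exhaustion|"
    r"resource exhaustion|infinite loop", re.I)
SERIOUS_MARKERS = re.compile(
    r"code execution|arbitrary code|privilege|bypass|disclosure|injection", re.I)


def fixed_version(vuln, package):
    """First `fixed` event for this package in the OSV affected ranges, else None."""
    for affected in vuln.get("affected", []):
        if affected.get("package", {}).get("name") != package:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None


def severity_of(vuln):
    """GHSA-style label when present, else the first CVSS vector, else UNKNOWN."""
    label = vuln.get("database_specific", {}).get("severity")
    if label:
        return label.upper()
    for sev in vuln.get("severity", []):
        if sev.get("score"):
            return sev["score"]
    return "UNKNOWN"


def is_dos_only(vuln):
    """Heuristic: DoS wording in summary/details and no RCE/auth/exposure wording.
    A human confirms this before the advisory leaves the scored list."""
    text = f"{vuln.get('summary', '')} {vuln.get('details', '')}"
    return bool(DOS_MARKERS.search(text)) and not SERIOUS_MARKERS.search(text)


def normalize(report):
    """Flatten the report into the per-advisory records Stage 2 captures."""
    records = []
    for result in report.get("results", []):
        lockfile = result.get("source", {}).get("path")
        for entry in result.get("packages", []):
            pkg = entry["package"]
            for vuln in entry.get("vulnerabilities", []):
                records.append({
                    "id": vuln["id"],
                    "aliases": vuln.get("aliases", []),
                    "package": pkg["name"],
                    "ecosystem": pkg.get("ecosystem"),
                    "current": pkg.get("version"),
                    "fixed": fixed_version(vuln, pkg["name"]),
                    "severity": severity_of(vuln),
                    "summary": vuln.get("summary", ""),
                    "lockfile": lockfile,
                    # osv-scanner does not report the dependency chain; fill this from
                    # `npm ls <pkg>` / `cargo tree -i <pkg>` / the ecosystem equivalent.
                    "path": None,
                    "dos_only": is_dos_only(vuln),
                })
    return records


def split_for_scoring(records):
    """DoS-only advisories are reported but do not count against the score."""
    scored = [r for r in records if not r["dos_only"]]
    dos_only = [r for r in records if r["dos_only"]]
    return scored, dos_only


SAMPLE_REPORT = {  # constructed sample; IDs and package names are placeholders
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {"package": {"name": "example-parser", "version": "1.2.0", "ecosystem": "npm"},
             "vulnerabilities": [{
                 "id": "OSV-EXAMPLE-1",
                 "summary": "Prototype pollution leading to arbitrary code execution",
                 "affected": [{"package": {"ecosystem": "npm", "name": "example-parser"},
                               "ranges": [{"type": "SEMVER",
                                           "events": [{"introduced": "0"}, {"fixed": "1.2.4"}]}]}],
                 "database_specific": {"severity": "HIGH"}}]},
            {"package": {"name": "example-regex", "version": "0.9.1", "ecosystem": "npm"},
             "vulnerabilities": [{
                 "id": "OSV-EXAMPLE-2",
                 "summary": "Inefficient regular expression complexity (ReDoS)",
                 "affected": [{"package": {"ecosystem": "npm", "name": "example-regex"},
                               "ranges": [{"type": "SEMVER",
                                           "events": [{"introduced": "0"}, {"fixed": "1.0.0"}]}]}],
                 "database_specific": {"severity": "MODERATE"}}]},
        ]}]}

if __name__ == "__main__":
    scored, dos_only = split_for_scoring(normalize(SAMPLE_REPORT))
    for rec in scored + dos_only:
        print(rec["id"], rec["package"], rec["current"], "->", rec["fixed"], rec["severity"],
              "(DoS-only, unscored)" if rec["dos_only"] else "")
```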
Stage 3 (diff pattern scan). Run `git diff main...HEAD` (fall back to `origin/main` or `master` if `main` is not a local branch; if there is no main branch at all, diff the last 20 commits with `git diff HEAD~20..HEAD`, or fewer if the history is shorter). If neither is available, skip this stage and note the limitation in the report.
Examine the diff against the following pattern catalogs. The sink names differ by language, but the categories are universal.

**SQL injection**: string interpolation into raw SQL. Look for:
- Rust: `format!("SELECT ... {}", x)` followed by `query()` / `query_as()` / `execute()` on the formatted string. Skip if the value goes through `?` / `$1` placeholders.
- Python: `%` formatting (or f-strings / `.format`) into `cursor.execute()`, `db.engine.execute()`, ORM raw queries.
- Node: `db.query()`, `db.exec()`, raw Sequelize `query`, Knex `raw()` with interpolated strings.
- Go: `fmt.Sprintf` into `db.Query` / `db.Exec` (skip `?` / `$1` parameterized calls).
- PHP: `mysqli_query`, `PDO::query` without prepared statements.
- Ruby: `Model.where(...)` with an interpolated string argument, raw `connection.execute`.
- Java: `Statement.execute`, JPQL/HQL built with `+` instead of `setParameter`.

**Command injection**: shell-out with a user-controlled string:
- Python: `subprocess.run(..., shell=True)`, `subprocess.call(..., shell=True)`, `os.system(...)`, `os.popen(...)`
- Node: `child_process.exec(...)` with template literals; `exec()` always goes through a shell
- Java: `Runtime.getRuntime().exec(String)`; the single-string form is split on whitespace, so injected input becomes extra arguments, and any `sh -c` / `cmd /c` wrapper turns it into full shell injection
- Rust: `Command::new("sh").arg("-c").arg(format!(...))` or `bash -c` with a `format!()` string
- Ruby / Perl / PHP: `eval`, `system`, backticks
- PHP: `shell_exec`, `passthru`, backticks

**Path traversal**: file operations on a user-controlled path with no normalization. Look for the absence of:
- `..` rejection
- a `realpath` / canonicalize check
- a containment check after `os.path.join` / `Path::join` (joining an absolute segment replaces the base directory outright)

**Template / SSTI injection**: user input rendered as template syntax:
- `jinja2.Template(user_input)`, `eval` inside template engines
- Rails `render inline:` with user content

**XXE / XML injection**: XML parser with external entities enabled:
- Java: `DocumentBuilderFactory` without `setFeature("...disallow-doctype-decl", true)`
- Python: `lxml.etree` parsing without an `XMLParser(resolve_entities=False)`
- .NET: `XmlReader` / `XmlDocument` with `DtdProcessing.Parse`

**LDAP / NoSQL injection**: string interpolation into LDAP or Mongo filters.

**Authentication & authorization**:
- new routes or handlers with no auth guard (`requireAuth` / `@login_required` / equivalent)
- JWT handling that accepts `algorithms=["none"]`, uses hardcoded secrets, skips the `exp` check, or never verifies the signature

**Weak crypto**:
- ECB mode: `Cipher.getInstance("AES/ECB/...")`, `aes_ecb`, `BlockCipher::ECB`
- Non-cryptographic randomness for security values: `Math.random()`, `rand()` unseeded or seeded with `time(NULL)`, Python `random` (use `secrets`). Rust `rand::thread_rng` / `rand::random` are CSPRNGs, so flag them for long-lived keys only where the project's policy calls for `rand::rngs::OsRng`.

**Hardcoded secrets**: regex sweep over the added lines of the diff:
- AWS: `AKIA[0-9A-Z]{16}`, `aws_secret_access_key`
- GitHub: `gh[pousr]_[A-Za-z0-9]{36,}`, `github_pat_[A-Za-z0-9_]{82}`
- Google: `AIza[0-9A-Za-z\-_]{35}`
- Stripe: `sk_live_[0-9a-zA-Z]{24,}`
- Slack: `xox[baprs]-[0-9A-Za-z-]{10,}`
- Webhooks: `https://hooks.slack.com/services/...`, `https://discord.com/api/webhooks/...`
- JWT: `eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`
- Private keys: `-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----`
- Generic names assigned a literal: `*key*`, `*token*`, `*secret*`, `*password*`, `*credential*`

A literal in test fixtures or a `*.example` file is fine. A literal in a production code path is not.
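A worked sweep over a unified diff, added as an example and not the skill's own code. It applies the secret catalog above to added lines only, tracks the file path so the test-fixture / `*.example` exemption can be applied, and attaches a per-rule confidence so the report's ≥ 0.8 cut-off can be enforced. A few sink rules from the catalogs that follow (`shell=True`, disabled TLS verification, native deserializers) are included to show the same walk serving them; the confidences and the exemption path list are my own estimates, and the diff at the bottom is constructed (the AWS key in it is the documented `AKIAIOSFODNN7EXAMPLE` placeholder).

```python
"""Regex sweep over the ADDED lines of a unified diff. Added example, not the skill's code."""
import re

# rule -> (pattern, confidence). Confidences are rough estimates of how often a hit is real.
RULES = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.95),
    "aws_secret_assignment": (re.compile(r"aws_secret_access_key\s*[:=]\s*\S+", re.I), 0.8),
    "github_token": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), 0.95),
    "github_pat": (re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"), 0.95),
    "google_api_key": (re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"), 0.9),
    "stripe_live_key": (re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"), 0.95),
    "slack_token": (re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"), 0.9),
    "slack_webhook": (re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"), 0.9),
    "discord_webhook": (re.compile(r"https://discord\.com/api/webhooks/[A-Za-z0-9/_-]+"), 0.9),
    "jwt": (re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), 0.85),
    "private_key": (re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), 0.95),
    # generic *key*/*token*/*secret*/*password*/*credential* name assigned a quoted literal
    "generic_secret_assignment": (re.compile(
        r"""\b\w*(?:key|token|secret|password|credential)\w*\s*[:=]\s*["'][^"']{8,}["']""", re.I), 0.6),
    # sink rules from the catalogs that follow, to show the same walk serving them
    "shell_true": (re.compile(r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True"), 0.85),
    "tls_verify_off": (re.compile(
        r"verify\s*=\s*False|InsecureSkipVerify:\s*true|rejectUnauthorized:\s*false"), 0.9),
    "native_deserializer": (re.compile(r"\b(?:c?pickle|dill|marshal)\.loads?\("), 0.8),
}
# Paths where a literal is acceptable: test fixtures and *.example / *.sample files.
EXEMPT = re.compile(r"(^|/)(tests?|spec|fixtures?|__tests__|testdata)/|\.(example|sample)$")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")


def sweep_diff(diff_text):
    """Walk a unified diff; report matches on '+' lines with their new-file line numbers."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = target[2:] if target.startswith("b/") else target
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue  # file headers and "\ No newline at end of file"
        hunk = HUNK.match(raw)
        if hunk:
            line_no = int(hunk.group(1)) - 1
            continue
        if raw.startswith("-"):
            continue  # removed line: not part of the new tree
        line_no += 1  # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for rule, (pattern, confidence) in RULES.items():
            if pattern.search(content):
                findings.append({"path": path, "line": line_no, "rule": rule,
                                 "confidence": confidence,
                                 "exempt": bool(path and EXEMPT.search(path))})
    return findings


def reportable(findings, min_confidence=0.8):
    """Apply the report's rules: drop exempt paths and anything under the confidence bar."""
    return [f for f in findings if not f["exempt"] and f["confidence"] >= min_confidence]


SAMPLE_DIFF = """\
diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK_WEBHOOK = "https://hooks.slack.com/services/T000/B000/XXXX"
+resp = requests.get(API_URL, verify=False)
 DEBUG = False
diff --git a/tests/fixtures/creds.py b/tests/fixtures/creds.py
--- /dev/null
+++ b/tests/fixtures/creds.py
@@ -0,0 +1 @@
+STRIPE_KEY = "sk_live_000000000000000000000000"
"""  # constructed sample diff; the values are placeholders

if __name__ == "__main__":
    for f in reportable(sweep_diff(SAMPLE_DIFF)):
        print(f"{f['path']}:{f['line']} {f['rule']} (confidence {f['confidence']})")
```

In practice feed it `git diff main...HEAD` on stdin; the low-confidence generic rule is kept in the output only when it is the sole hit on a non-exempt line, which is the "clusters into a pattern" case from the report rules.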
**Unsafe deserialization**: native deserializers fed untrusted input:
- Python: `pickle.loads` / `pickle.load`, `cPickle.loads`, `yaml.load` (vs `yaml.safe_load`), `marshal.loads`, `dill.loads`
- Java: `ObjectInputStream.readObject()` on untrusted streams, `XMLDecoder.readObject()`
- Ruby: `Marshal.load` on untrusted input, `YAML.load` (vs `YAML.safe_load`)
- .NET: `BinaryFormatter.Deserialize`, `LosFormatter`, `NetDataContractSerializer`
- Node: `node-serialize`, `serialize-to-js`, `funcster`
- Rust: `bincode::deserialize` on attacker-controlled bytes without a signed envelope
- PHP: `unserialize($_GET[...])`, `unserialize($_POST[...])`

**XSS**: untrusted content reaching HTML without escaping:
- React: `dangerouslySetInnerHTML`, untrusted URLs in `href` / `src` / `action` attributes
- Vue: `v-html`
- Angular: `bypassSecurityTrust*`
- Jinja / Django: `|safe`, `mark_safe(user_input)`, `{% autoescape off %}`
- Rails: `raw(...)`, `html_safe` on user input

**CORS, CSRF and cookies**:
- `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`. Browsers refuse credentialed responses with a wildcard origin, so the combination is either dead configuration or a sign that the request origin is being reflected somewhere else; check for reflection.
- `SameSite=None` cookies without a CSRF token
- `Secure`, `HttpOnly`, `SameSite` missing on session/auth cookies
- No `X-Frame-Options` / `frame-ancestors` CSP directive (clickjacking)

**TLS verification disabled**:
- Python: `requests.get(url, verify=False)`, `ssl._create_unverified_context()`, `ctx.verify_mode = ssl.CERT_NONE`
- Node: `rejectUnauthorized: false`, `NODE_TLS_REJECT_UNAUTHORIZED=0`
- Go: `tls.Config{InsecureSkipVerify: true}`
- Java: a `TrustManager` that trusts everything (empty `checkServerTrusted`), a `HostnameVerifier` that returns true
- Rust (reqwest): `danger_accept_invalid_certs(true)`, `danger_accept_invalid_hostnames(true)`
- Scripts: `-k` / `--insecure` on curl

**SSRF**: user input that flows directly into the hostname or scheme of an outbound HTTP request. Skip if only the URL path is user-controllable. Watch for:
- `requests.get(user_url)` / `fetch(user_url)` / `http.get(user_url)`
- no allowlist, and no denylist of internal ranges (`169.254.169.254`, `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)

**Memory safety**:
- C/C++: `strcpy`, `strcat`, `gets`, `sprintf`, `memcpy` with a computed length
- Go: `unsafe.Pointer` casts, racy map access without synchronization
- Rust: `unsafe` blocks introduced or expanded (note the soundness obligation), `mem::transmute` between ABI-incompatible types

**TOCTOU / races**:
- check-then-act on the filesystem (`os.path.exists` followed by `open`)
- missing `O_EXCL` when creating security-critical files (lock files, secret files)

Subprocess hygiene. For every shell-out site introduced or modified in the diff, check:
- Is it argv form (no shell), or does it go through `sh -c` / `bash -c`? The shell form requires proof that every interpolated value is escaped.
- Is the environment sanitized (`PATH` set to a known-good value, no `LD_PRELOAD` carried over, no `IFS` smuggling)?
- Is the child put in its own session / process group (`setsid` / `Setpgid`) so signals and the TTY don't bleed between parent and child?

File permissions. For every `File::create` / `open(..., 'w')` / `tempfile::*` / write to a config or credential location, check:
- secret files are created `0600` (owner-only);
- secret directories are `0700`;
- `umask` is set before the write wherever the inherited default could leak (especially in setuid contexts, daemons, init scripts);
- temp files come from `mkstemp` / `tempfile::NamedTempFile` (atomic create, `0600`), not `tempnam` / `mktemp` (race, permissive perms).

Network surface.
- Bind address: `0.0.0.0` exposes the listener to the LAN; `127.0.0.1` is local-only. New listeners should default to local-only unless exposure is intentional.
- Security headers on HTTP responses: `Content-Security-Policy`, `Strict-Transport-Security`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`.

Container / infra hardening. For each `Dockerfile` / `docker-compose.yml` / `*.k8s.yaml` / `*.tf`:
- Dockerfile: is a `USER` directive set (not running as root)? base image age (warn if older than a year)? secrets passed via `ENV` (an anti-pattern; use BuildKit secrets or runtime mounts)?
- Compose / Kubernetes: `privileged: true`? `cap_add: [SYS_ADMIN, ...]`? `hostNetwork: true`? `hostPath` mounts? liveness/readiness probes that expose internal ports?
- Terraform: `0.0.0.0/0` ingress on non-public ports? S3 buckets without `BlockPublicAcls`? IAM policies with `"Action": "*"` and `"Resource": "*"`?

Report. Produce a markdown report with:
Per-dimension breakdown (each dimension scored 0-N where N is its weight; weights sum to 100):

| Dimension | Weight | Score | Notes |
|---|---|---|---|
| Input validation (injection sinks) | 20 | | |
| Authentication & authorization | 15 | | |
| Cryptography & secrets handling | 15 | | |
| Subprocess & file-perm hygiene | 10 | | |
| Network surface | 10 | | |
| Web/framework hardening (if applicable) | 10 | | |
| Dependency posture (CVE scan) | 15 | | |
| Container / infra hardening (if applicable) | 5 | | |
Adjust weights when a dimension doesn't apply (no web app, no containers) and re-normalize so the remaining weights still sum to 100.
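The re-normalization spelled out as code, added here as an example rather than the skill's own scoring logic. The input it assumes is a rating per dimension in 0.0..1.0 (1.0 meaning nothing counted against that dimension); dimensions marked not applicable are dropped and the rest are rescaled so the table still sums to 100.

```python
"""Score aggregation for the per-dimension table above. Added example, not the skill's code."""

DIMENSIONS = [  # (dimension, weight) as in the report table; weights sum to 100
    ("Input validation (injection sinks)", 20),
    ("Authentication & authorization", 15),
    ("Cryptography & secrets handling", 15),
    ("Subprocess & file-perm hygiene", 10),
    ("Network surface", 10),
    ("Web/framework hardening", 10),
    ("Dependency posture (CVE scan)", 15),
    ("Container / infra hardening", 5),
]


def renormalize(weights, not_applicable):
    """Drop the N/A dimensions and rescale the rest so they again sum to 100."""
    kept = [(d, w) for d, w in weights if d not in not_applicable]
    total = sum(w for _, w in kept)
    return [(d, w * 100 / total) for d, w in kept]


def scored_table(ratings, not_applicable=()):
    """Rows for the table: (dimension, effective weight, points earned)."""
    return [(d, round(w, 1), round(w * ratings[d], 1))
            for d, w in renormalize(DIMENSIONS, set(not_applicable))]


def overall_score(ratings, not_applicable=()):
    """0-100 score over the applicable dimensions only."""
    return round(sum(w * ratings[d] for d, w in renormalize(DIMENSIONS, set(not_applicable))), 1)


if __name__ == "__main__":
    # Assumed ratings for a CLI tool with no web surface and no containers.
    ratings = {d: 1.0 for d, _ in DIMENSIONS}
    ratings["Input validation (injection sinks)"] = 0.5
    skip = ["Web/framework hardening", "Container / infra hardening"]
    for row in scored_table(ratings, skip):
        print(row)
    print("overall:", overall_score(ratings, skip))
```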
For each finding (only confidence ≥ 0.8), give its category (e.g. `sql_injection`, `command_injection`, `weak_crypto`, `hardcoded_secret`) along with the location and evidence. Skip LOW-severity findings unless they cluster into a pattern. Do not include speculative or theoretical issues; as stated above, missing them is better than flooding the report with false positives.
Coverage. A quick table of the file paths or subsystems looked at, each with a one-line "no concrete issue found because X" note. This shows the bounds of the audit: what was covered and what wasn't.
Recommendations. Defense-in-depth opportunities, numbered, with `file:line` where applicable.
Limitations. Be explicit: "Did not run live fuzzing, did not review historical commits before main-divergence, did not audit dependency source code, did not perform manual exploitation." If a stage was skipped (scanner not installed, no main branch, etc.), say so; don't silently omit it.