ワンクリックでManusで任意のスキルを実行

$pwd:

sast-injection-testing

Name: Sast Injection Testing
Author: anshumanbh

// Investigate injection vulnerabilities in source code including SQL injection, XSS, and command injection. Use when threat model identifies CWE-89 (SQL Injection), CWE-79 (XSS), CWE-78 (OS Command Injection), or injection concerns.

Manusで実行

$ git log --oneline --stat

stars:17

forks:6

updated:2025年12月18日 18:46

SKILL.md

readonly

name	sast-injection-testing
description	Investigate injection vulnerabilities in source code including SQL injection, XSS, and command injection. Use when threat model identifies CWE-89 (SQL Injection), CWE-79 (XSS), CWE-78 (OS Command Injection), or injection concerns.
allowed-tools	Read, Grep, Glob

SAST Injection Testing Skill

Purpose

Investigate injection vulnerabilities by tracing:

User input sources (requests, forms, files)
Data flow from input to dangerous sinks
Sanitization/validation along the path
Dangerous function calls with user data

Vulnerability Types Covered

1. SQL Injection (CWE-89)

User input directly inserted into SQL queries.

Dangerous Patterns:

# String formatting in queries
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

# String concatenation
sql = "SELECT * FROM users WHERE id = " + request.args.get('id')

Safe Patterns:

# Parameterized queries
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
User.query.filter_by(id=user_id).first()

2. Cross-Site Scripting - XSS (CWE-79)

User input rendered in HTML without escaping.

Dangerous Patterns:

# Direct rendering without escaping
return f"<div>{user_input}</div>"
render_template_string(f"Hello {name}")

# Using |safe filter incorrectly
{{ user_input|safe }}

Safe Patterns:

# Template auto-escaping
render_template('page.html', name=name)
{{ user_input }}  # Auto-escaped by default
escape(user_input)

3. Command Injection (CWE-78)

User input passed to shell commands.

Dangerous Patterns:

# Direct shell execution
os.system(f"ping {host}")
subprocess.call(f"convert {filename}", shell=True)
os.popen(f"cat {file}")

Safe Patterns:

# Using arrays (no shell)
subprocess.run(["ping", host], shell=False)
# Input validation
if not re.match(r'^[\w.-]+$', host):
    raise ValueError("Invalid host")

4. Path Traversal (CWE-22)

User input used to construct file paths.

Dangerous Patterns:

open(f"/uploads/{filename}")
os.path.join(base_dir, user_path)  # Without validation

Investigation Methodology

Step 1: Find Input Sources

Search for user input entry points:

Patterns: request.args, request.form, request.json
          request.get, request.data, request.files
          @app.route, def handle_

Step 2: Trace to Dangerous Sinks

Find dangerous functions receiving input:

SQL: execute(, raw(, cursor., .query(
XSS: render_template_string, Markup(, |safe
CMD: os.system, subprocess., os.popen, eval(
Path: open(, os.path.join, read_file

Step 3: Check Sanitization

Look for validation/sanitization:

Patterns: escape(, sanitize(, validate(
          bleach., html.escape, quote(
          parameterized, prepared

Step 4: Verify Data Flow

Trace the complete path:

Where does user input enter?
Is it validated/sanitized?
Does it reach a dangerous sink?

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Similar patterns in other services
Shared validation libraries
Common injection points

Classification Criteria

TRUE_POSITIVE:

User input reaches dangerous sink without sanitization
Parameterization is not used for SQL
Command constructed with user input

FALSE_POSITIVE:

Proper parameterization/escaping exists
Input is validated before use
Dangerous function not reachable with user data

UNVALIDATED:

Sanitization happens in external library
Complex data flow spanning multiple files

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Injection Type**: SQL/XSS/Command/Path
- **Data Flow**: source → sink
- **Code**: Relevant code snippet

### Proof of Concept
Example malicious input that would exploit this:

[Payload example]


### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-89: SQL Injection
CWE-79: Cross-site Scripting (XSS)
CWE-78: OS Command Injection
CWE-22: Path Traversal
CWE-94: Code Injection

Safety Rules

Only analyze code in the repository provided
Do not attempt to exploit or test against live systems
Redact any sensitive data from evidence

related-skills.json

同じリポジトリ

sast-authentication-testing.md

from "anshumanbh/vulnvibes"

Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.

2025-12-1817

sast-authorization-testing.md

from "anshumanbh/vulnvibes"

Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.

2025-12-1817

sast-browser-security-testing.md

from "anshumanbh/vulnvibes"

Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.

2025-12-1817

sast-cryptography-testing.md

from "anshumanbh/vulnvibes"

Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.

2025-12-1817

sast-data-exposure-testing.md

from "anshumanbh/vulnvibes"

Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.

2025-12-1817

sast-deserialization-testing.md

from "anshumanbh/vulnvibes"

Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.

2025-12-1817

package.json

"author": "anshumanbh"

"repository": "anshumanbh/vulnvibes"

GitHub リポジトリを開く Creator のリポジトリを見る

$ install --global

$ download --local

Manusで実行

$ useful --forSOC

情報セキュリティアナリストコンピュータ・数学職15-1212L4

name	sast-injection-testing
description	Investigate injection vulnerabilities in source code including SQL injection, XSS, and command injection. Use when threat model identifies CWE-89 (SQL Injection), CWE-79 (XSS), CWE-78 (OS Command Injection), or injection concerns.
allowed-tools	Read, Grep, Glob

SAST Injection Testing Skill

Purpose

Investigate injection vulnerabilities by tracing:

User input sources (requests, forms, files)
Data flow from input to dangerous sinks
Sanitization/validation along the path
Dangerous function calls with user data

Vulnerability Types Covered

1. SQL Injection (CWE-89)

User input directly inserted into SQL queries.

Dangerous Patterns:

# String formatting in queries
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

# String concatenation
sql = "SELECT * FROM users WHERE id = " + request.args.get('id')

Safe Patterns:

# Parameterized queries
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
User.query.filter_by(id=user_id).first()

2. Cross-Site Scripting - XSS (CWE-79)

User input rendered in HTML without escaping.

Dangerous Patterns:

# Direct rendering without escaping
return f"<div>{user_input}</div>"
render_template_string(f"Hello {name}")

# Using |safe filter incorrectly
{{ user_input|safe }}

Safe Patterns:

# Template auto-escaping
render_template('page.html', name=name)
{{ user_input }}  # Auto-escaped by default
escape(user_input)

3. Command Injection (CWE-78)

User input passed to shell commands.

Dangerous Patterns:

# Direct shell execution
os.system(f"ping {host}")
subprocess.call(f"convert {filename}", shell=True)
os.popen(f"cat {file}")

Safe Patterns:

# Using arrays (no shell)
subprocess.run(["ping", host], shell=False)
# Input validation
if not re.match(r'^[\w.-]+$', host):
    raise ValueError("Invalid host")

4. Path Traversal (CWE-22)

User input used to construct file paths.

Dangerous Patterns:

open(f"/uploads/{filename}")
os.path.join(base_dir, user_path)  # Without validation

Investigation Methodology

Step 1: Find Input Sources

Search for user input entry points:

Patterns: request.args, request.form, request.json
          request.get, request.data, request.files
          @app.route, def handle_

Step 2: Trace to Dangerous Sinks

Find dangerous functions receiving input:

SQL: execute(, raw(, cursor., .query(
XSS: render_template_string, Markup(, |safe
CMD: os.system, subprocess., os.popen, eval(
Path: open(, os.path.join, read_file

Step 3: Check Sanitization

Look for validation/sanitization:

Patterns: escape(, sanitize(, validate(
          bleach., html.escape, quote(
          parameterized, prepared

Step 4: Verify Data Flow

Trace the complete path:

Where does user input enter?
Is it validated/sanitized?
Does it reach a dangerous sink?

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Similar patterns in other services
Shared validation libraries
Common injection points

Classification Criteria

TRUE_POSITIVE:

User input reaches dangerous sink without sanitization
Parameterization is not used for SQL
Command constructed with user input

FALSE_POSITIVE:

Proper parameterization/escaping exists
Input is validated before use
Dangerous function not reachable with user data

UNVALIDATED:

Sanitization happens in external library
Complex data flow spanning multiple files

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Injection Type**: SQL/XSS/Command/Path
- **Data Flow**: source → sink
- **Code**: Relevant code snippet

### Proof of Concept
Example malicious input that would exploit this:

[Payload example]


### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-89: SQL Injection
CWE-79: Cross-site Scripting (XSS)
CWE-78: OS Command Injection
CWE-22: Path Traversal
CWE-94: Code Injection

Safety Rules

Only analyze code in the repository provided
Do not attempt to exploit or test against live systems
Redact any sensitive data from evidence

sast-injection-testing

SAST Injection Testing Skill

Purpose

Vulnerability Types Covered

1. SQL Injection (CWE-89)

2. Cross-Site Scripting - XSS (CWE-79)

3. Command Injection (CWE-78)

4. Path Traversal (CWE-22)

Investigation Methodology

Step 1: Find Input Sources

Step 2: Trace to Dangerous Sinks

Step 3: Check Sanitization

Step 4: Verify Data Flow

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules

このリポジトリの他の Skills

このリポジトリの他の Skills

SAST Injection Testing Skill

Purpose

Vulnerability Types Covered

1. SQL Injection (CWE-89)

2. Cross-Site Scripting - XSS (CWE-79)

3. Command Injection (CWE-78)

4. Path Traversal (CWE-22)

Investigation Methodology

Step 1: Find Input Sources

Step 2: Trace to Dangerous Sinks

Step 3: Check Sanitization

Step 4: Verify Data Flow

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules