ワンクリックでManusで任意のスキルを実行

$pwd:

security-scanner

Name: Security Scanner
Author: leonvanzyl

// Performs comprehensive OWASP Top 10:2025 security vulnerability analysis on any codebase. Use this skill whenever the user asks to: review code for security, perform a security audit, scan for vulnerabilities, find security issues, improve application security, check for OWASP compliance, do a penetration test review, assess security posture, look for security flaws, scan for security risks, harden an application, or check code for exploits. Also trigger when the user mentions OWASP, CVEs, CWEs, security hardening, vulnerability assessment, or asks for a security report — even if they don't explicitly say "security scan." This skill works on any codebase in any language (JavaScript, TypeScript, Python, Java, Go, Ruby, C#, PHP, etc.).

Manusで実行

$ git log --oneline --stat

stars:397

forks:175

updated:2026年4月17日 08:54

ファイルエクスプローラー

12 ファイル

SKILL.md

readonly

related-skills.json

同じリポジトリ

create-spec.md

from "leonvanzyl/agentic-coding-starter-kit"

Create a structured feature specification with self-contained task files organized into parallel execution waves. Use this skill when the user says "create a spec", "plan this feature", "write up an implementation plan", "break this into tasks", or after any planning conversation where the user wants to capture decisions as actionable spec files. Also use when the user says "/create-spec" or wants to decompose a feature into work items that agents can implement independently. This skill produces local spec files under specs/{feature}/ — no GitHub integration.

2026-05-27397

create-agentic-app.md

from "leonvanzyl/agentic-coding-starter-kit"

Scaffold and fully configure a new Agentic Coding Starter Kit project — a Next.js 16 + TypeScript + Better Auth + Drizzle + PostgreSQL + AI SDK boilerplate. Use this skill whenever the user asks to set up, scaffold, create, initialize, or bootstrap an "agentic coding starter kit", "agentic app", "agentic boilerplate", a "Next.js app with auth and db", or mentions `create-agentic-app` / `npx create-agentic-app`. Walks the user through folder strategy, package-manager choice, Postgres setup (Docker / Neon / Vercel / BYO), OpenRouter AI configuration, migrations, a build check, and dev-server verification — ending with a working http://localhost:3000.

2026-05-21397

checkpoint.md

from "leonvanzyl/agentic-coding-starter-kit"

Create a comprehensive checkpoint commit with detailed analysis of all changes. Use this skill when the user says "checkpoint", "commit everything", "save my progress", "create a commit", or wants to stage and commit all current changes with a well-crafted message. Also use when the user says "/checkpoint" or asks to snapshot current work. This skill stages all changes and creates a descriptive commit — it does not push.

2026-04-30397

ship-it.md

from "leonvanzyl/agentic-coding-starter-kit"

Push the current branch to GitHub and create a pull request. Use this skill when the user says "ship it", "ship this", "push to github", "create a pr", "open a pull request", "send for review", "get this reviewed", or wants to push their work and open a PR. Also use when the user says "/ship-it". This skill handles prerequisites, branching, pushing, and PR creation — it does not commit or run quality checks (use checkpoint for that first).

2026-04-30397

implement-feature.md

from "leonvanzyl/agentic-coding-starter-kit"

Orchestrate parallel implementation of a feature specification by dispatching coder agents wave-by-wave with code review gates between waves. Use this skill when the user says "implement this feature", "start implementing", "run the spec", "execute the plan", "continue implementing", or wants to begin coding a previously planned feature from a specs/{feature}/ folder. Also use when the user says "/implement-feature" or drags a spec folder into the conversation and asks to implement it. This skill does NOT write code itself — it orchestrates coder subagents that work in parallel.

2026-04-12397

review-pr.md

from "leonvanzyl/agentic-coding-starter-kit"

Review pull requests with complexity-adaptive depth — spawning deep-dive agents for medium and complex PRs. Use this skill when the user says "review this PR", "review PR #123", "check this pull request", "give me a code review", or wants feedback on a PR before merging. Also use when the user says "/review-pr" or pastes a GitHub PR URL. Requires the GitHub CLI (gh).

2026-04-12397

package.json

"author": "leonvanzyl"

"repository": "leonvanzyl/agentic-coding-starter-kit"

GitHub リポジトリを開く Creator のリポジトリを見る

$ install --global

$ download --local

Manusで実行

$ useful --forSOC

情報セキュリティアナリストコンピュータ・数学職15-1212L4

name

security-scanner

description

Performs comprehensive OWASP Top 10:2025 security vulnerability analysis on any codebase. Use this skill whenever the user asks to: review code for security, perform a security audit, scan for vulnerabilities, find security issues, improve application security, check for OWASP compliance, do a penetration test review, assess security posture, look for security flaws, scan for security risks, harden an application, or check code for exploits. Also trigger when the user mentions OWASP, CVEs, CWEs, security hardening, vulnerability assessment, or asks for a security report — even if they don't explicitly say "security scan." This skill works on any codebase in any language (JavaScript, TypeScript, Python, Java, Go, Ruby, C#, PHP, etc.).

Security Scanner — OWASP Top 10:2025

Performs a systematic security audit of any codebase against all 10 OWASP 2025 categories. Produces a structured markdown report with severity ratings, code locations, and actionable remediation guidance.

Execution Flow

Follow these four steps in order. Do not skip any step.

Step 1: Detect Project Context

Determine whether you are working within an existing project or a blank workspace.

Check for source code by looking for common project indicators:

package.json, requirements.txt, go.mod, pom.xml, Cargo.toml, Gemfile, *.csproj, composer.json
Or any src/, app/, lib/ directory containing code files

If source code is found: Use the current working directory as the analysis target. Proceed to Step 2.

If NO source code is found: Ask the user for a GitHub repository URL. Then clone it:

gh repo clone <url> ./audit-target

Use ./audit-target as the analysis target directory. Proceed to Step 2.

Step 2: Reconnaissance

Before scanning for vulnerabilities, understand what you're analyzing. This context shapes which patterns matter most.

Identify the tech stack — Read the main dependency manifest (package.json, requirements.txt, etc.) to determine language(s), framework(s), and key libraries
Map the project structure — Use Glob to find all source files and understand the directory layout
Locate entry points — Find API routes, controllers, handlers, page components (e.g., **/api/**/*.ts, **/routes/**, **/controllers/**, **/views/**)
Find config files — Glob for **/*.config.*, **/.env*, **/settings.*, **/application.*
Identify auth modules — Search for authentication/authorization logic, session management, middleware
Find database access — Locate ORM models, raw query files, database connection setup

Record your findings — they guide which detection patterns to prioritize in Step 3.

Step 3: Systematic Analysis

For each OWASP category A01 through A10:

Read the reference file for that category from references/ to load the relevant CWEs, detection patterns, and grep expressions
Search the codebase using the patterns from the reference file — use Grep for pattern matching and Glob for file discovery
Read flagged files to confirm findings and get exact line numbers
Record each finding with: file path, line number(s), severity level, CWE, description, evidence (code snippet), and recommended fix

Analyze each category in order:

A01: Broken Access Control

See references/A01-broken-access-control.md for CWEs, detection patterns, and fix examples.

Focus on: missing auth middleware on routes, IDOR (user-controlled IDs without ownership checks), permissive CORS, directory traversal, missing CSRF protection, privilege escalation, force browsing to admin/debug endpoints.

A02: Security Misconfiguration

See references/A02-security-misconfiguration.md.

Focus on: debug mode in production, default credentials, verbose error messages exposing internals, unnecessary features enabled, missing security headers, hardcoded secrets, exposed environment variables.

A03: Software Supply Chain Failures

See references/A03-software-supply-chain-failures.md.

Focus on: known vulnerable dependency versions, unpinned dependencies, CDN scripts without SRI, missing lock files, dependencies from untrusted sources.

A04: Cryptographic Failures

See references/A04-cryptographic-failures.md.

Focus on: weak password hashing (MD5, SHA1), missing salt, hardcoded keys/secrets, weak randomness (Math.random for tokens), cookies missing Secure flag, sensitive data in logs, base64 used as "encryption."

A05: Injection

See references/A05-injection.md.

Focus on: SQL injection (string concatenation in queries), command injection (exec/spawn with user input), XSS (dangerouslySetInnerHTML, innerHTML), eval() with user input, SSRF (fetching user-supplied URLs), template injection.

A06: Insecure Design

See references/A06-insecure-design.md.

Focus on: missing rate limiting on auth endpoints, no input validation, no password complexity requirements, missing account lockout, unrestricted file uploads, guessable/non-expiring tokens.

A07: Authentication Failures

See references/A07-authentication-failures.md.

Focus on: weak/predictable session tokens, sessions that never expire, credentials in logs/URLs, user enumeration via different error messages, reset tokens in API responses, cookies without HttpOnly/Secure/SameSite, hard-coded credentials.

A08: Software or Data Integrity Failures

See references/A08-software-data-integrity-failures.md.

Focus on: eval()/Function() with user input, deserialization of untrusted data, CDN scripts without integrity hashes, mass assignment/prototype pollution, auto-updates without signature verification.

A09: Security Logging and Alerting Failures

See references/A09-security-logging-alerting-failures.md.

Focus on: passwords/tokens/PII in logs, missing audit logging for auth events, no logging on access control failures, error details exposed to users, console.log-only logging without persistence.

A10: Mishandling of Exceptional Conditions

See references/A10-mishandling-exceptional-conditions.md.

Focus on: empty catch blocks, stack traces returned to users, fail-open patterns, missing error handling on async operations, resource leaks on exceptions, missing transaction rollbacks.

Step 4: Generate Report

Get today's date and create the output directory:
```
mkdir -p ./audit/YYYY-MM-DD/
```
Read the report template from references/report-template.md
Fill in the template with all findings from Step 3 and write the completed report to:
```
./audit/YYYY-MM-DD/security-report.md
```
Present a brief summary to the user: total findings by severity, overall risk score, and the top 3 most critical items to address immediately.

Severity Classification

Assign each finding one of these severity levels:

Critical (10 pts): Actively exploitable with immediate data breach risk. Examples: SQL injection, remote code execution, authentication bypass, exposed credentials, command injection.
High (7 pts): Exploitable with moderate effort, significant impact. Examples: XSS, CSRF, weak cryptography, IDOR, SSRF, known vulnerable dependencies.
Medium (4 pts): Requires specific conditions or must be chained with other vulnerabilities. Examples: missing security headers, verbose errors, user enumeration, missing rate limiting.
Low (2 pts): Defense-in-depth issues, best-practice deviations. Examples: weak password policy, console-only logging, missing SRI on CDN scripts.
Info (0 pts): Observations and recommendations with no direct exploit path. Examples: outdated but non-vulnerable dependencies, missing SBOM, code quality notes.

Risk Score

Sum all finding points to calculate the overall risk score:

0–10: Low Risk
11–30: Moderate Risk
31–60: High Risk
61+: Critical Risk

Important Guidelines

Read-only analysis: Never modify any source files in the target project. The audit directory is the only location where files should be written.
Cover all 10 categories: If a category has no findings, still include it in the report with "No issues identified" and note what was checked.
Be specific: Every finding must reference a specific file path and line number(s). Include the actual vulnerable code snippet as evidence.
Provide fixes: Every finding must include an actionable remediation recommendation with a code example showing the fix.
No false positives: Read and understand the code context before flagging. A console.log in a build script is not the same as a console.log leaking passwords in a login handler.
Prioritize: Order the remediation priority section by actual exploitability and impact, not just severity label.

security-scanner

このリポジトリの他の Skills

このリポジトリの他の Skills

Security Scanner — OWASP Top 10:2025

Execution Flow

Step 1: Detect Project Context

Step 2: Reconnaissance

Step 3: Systematic Analysis

A01: Broken Access Control

A02: Security Misconfiguration

A03: Software Supply Chain Failures

A04: Cryptographic Failures

A05: Injection

A06: Insecure Design

A07: Authentication Failures

A08: Software or Data Integrity Failures

A09: Security Logging and Alerting Failures

A10: Mishandling of Exceptional Conditions

Step 4: Generate Report

Severity Classification

Risk Score

Important Guidelines

Security Scanner — OWASP Top 10:2025

Execution Flow

Step 1: Detect Project Context

Step 2: Reconnaissance

Step 3: Systematic Analysis

A01: Broken Access Control

A02: Security Misconfiguration

A03: Software Supply Chain Failures

A04: Cryptographic Failures

A05: Injection

A06: Insecure Design

A07: Authentication Failures

A08: Software or Data Integrity Failures

A09: Security Logging and Alerting Failures

A10: Mishandling of Exceptional Conditions

Step 4: Generate Report

Severity Classification

Risk Score

Important Guidelines