원클릭으로 Manus에서 모든 스킬 실행

$pwd:

detecting-sql-injection-patterns

Name: Detecting Sql Injection Patterns
Author: jeremylongshore

// Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

Manus에서 실행

$ git log --oneline --stat

stars:2,267

forks:315

updated:2026년 5월 31일 04:18

파일 탐색기

4 개 파일

SKILL.md

readonly

name	detecting-sql-injection-patterns
description	Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","sql-injection","pentest"]

Detecting SQL Injection Patterns

Overview

SQL injection (CWE-89, OWASP A03:2021) remains one of the highest- impact and most-easily-introduced vulnerability classes. The fix is near-universal: use parameterized queries. The cause when introduced: an engineer concatenates user input into a SQL string because the ORM's parameterization mechanism wasn't obvious, or because they "just need to add a quick condition."

The scanner reads source files and grades each apparent SQL-string construction against the threshold table.

When the skill produces findings

Finding	Severity	Threshold	Affected control
f-string with SQL keywords + user input	CRITICAL	`f"SELECT * FROM users WHERE id = {user_id}"`	CWE-89
String concat into SQL keyword string	CRITICAL	`"SELECT ... " + var + " ..."`	CWE-89
%-format SQL string	HIGH	`"SELECT * FROM %s" % table_name`	CWE-89
`.format()` into SQL string	HIGH	`"SELECT {} FROM users".format(col)`	CWE-89
`cursor.execute(f"...")`	CRITICAL	f-string passed directly to cursor.execute	CWE-89
`sequelize.query` with template literal	HIGH	`sequelize.query(\`SELECT * FROM ${table}`)`	CWE-89
Knex / sequelize raw() with interpolation	HIGH	`knex.raw('SELECT * FROM ' + table)`	CWE-89
Django `.extra()` with raw SQL	MEDIUM	`Model.objects.extra(where=['col = ' + val])`	CWE-89
`cursor.executemany` with string-built query	CRITICAL	Same risk as execute	CWE-89
JDBC `Statement.execute` with concat	HIGH	Java pattern: not PreparedStatement	CWE-89
Rails `where()` with string interpolation	HIGH	`User.where("name = '#{name}'")`	CWE-89
Go `db.Query` with `fmt.Sprintf`	HIGH	`db.Query(fmt.Sprintf("...", arg))`	CWE-89

Prerequisites

Python 3.9+
Target source tree on local filesystem

Instructions

Step 1 — Run the scanner

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py /path/to/repo

Options:

Usage: scan_sqli.py PATH [OPTIONS]

Options:
  --output FILE      Write findings to FILE
  --format FMT       json | jsonl | markdown (default: markdown)
  --min-severity SEV (default: info)
  --include-tests    Include test directories (default: excluded)
  --languages LIST   Comma-separated: python,javascript,typescript,java,
                     ruby,go,php,csharp (default: all)

Step 2 — Interpret findings

CRITICAL = direct user-input → query string construction. Fix the specific query AND audit nearby code for the same pattern.

HIGH = pattern suggests interpolation but might be a fixed identifier (table/column name). Verify by reading the code.

MEDIUM = framework-specific pattern that's safe ONLY with strict input validation (Django .extra(), Rails string where()).

Step 3 — Remediation

For each finding, the fix is the same shape per language: use the language/library's parameterized-query API. See references/PLAYBOOK.md for per-language snippets.

Step 4 — Cross-skill chaining

Consider running scanning-for-hardcoded-secrets (#10) on the same target — same audit, different class of finding.

Examples

Example 1 — Pre-merge code review

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py \
    --min-severity high $(git diff --name-only main...HEAD | tr '\n' ' ')

Scans only files changed in the current branch — fast feedback for PR review.

Example 2 — Legacy codebase audit

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py \
    /path/to/legacy-app --format markdown > sqli-audit.md

Expect dozens to hundreds of findings on a pre-ORM Java/PHP codebase. Prioritize by reachability: the queries reached from public endpoints first.

Output

JSON / JSONL / Markdown. Exit codes: 0 clean, 1 high/critical, 2 error.

Error Handling

False positives on fixed-identifier interpolation (e.g., f"SELECT * FROM {tablename}" where tablename is hardcoded) → verify manually. The scanner can't reason about variable provenance without a full AST + control-flow pass.
String-built dynamic-table queries are sometimes legitimate (multi-tenant routing). Flag and review; the fix is usually allow-list validation + identifier quoting.

Resources

references/THEORY.md — Per-language interpolation patterns, ORM-specific safe vs unsafe APIs, why prepared statements work
references/PLAYBOOK.md — Per-language parameterization snippets (Python sqlite3 + psycopg + SQLAlchemy, Node mysql2 + pg + knex
- sequelize, Ruby ActiveRecord, Go database/sql, Java JDBC PreparedStatement, PHP PDO)

related-skills.json

같은 저장소

detecting-command-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

2026-05-312.3k

detecting-eval-exec-usage.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

2026-05-312.3k

detecting-insecure-deserialization.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

2026-05-312.3k

detecting-weak-cryptography.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

2026-05-312.3k

scanning-for-hardcoded-secrets.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

2026-05-312.3k

detecting-directory-listing.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Probe a target for directories that return auto-generated index listings instead of denying or serving a specific file — exposes the full file tree under any reachable directory, including files the application never linked to. Use when: post-deploy verification on a static-asset host, security audit before SOC2, or following up on a finding from skill #6 (exposed-files) where a backup-file path returned 200 with HTML body instead of the expected file content (suggests autoindex serving a directory listing). Threshold: any directory-shaped path returns 200 with HTML body matching the framework-specific autoindex fingerprint (nginx fancyindex, Apache mod_autoindex Index of/, Caddy browse, Lighttpd mod_dirlisting, etc.). Trigger with: "directory listing check", "autoindex detection", "open directory scan".

2026-05-312.3k

package.json

"author": "jeremylongshore"

"repository": "jeremylongshore/claude-code-plugins-plus-skills"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

정보 보안 분석가컴퓨터 및 수학직15-1212L4

name	detecting-sql-injection-patterns
description	Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","sql-injection","pentest"]

Detecting SQL Injection Patterns

Overview

The scanner reads source files and grades each apparent SQL-string construction against the threshold table.

When the skill produces findings

Finding	Severity	Threshold	Affected control
f-string with SQL keywords + user input	CRITICAL	`f"SELECT * FROM users WHERE id = {user_id}"`	CWE-89
String concat into SQL keyword string	CRITICAL	`"SELECT ... " + var + " ..."`	CWE-89
%-format SQL string	HIGH	`"SELECT * FROM %s" % table_name`	CWE-89
`.format()` into SQL string	HIGH	`"SELECT {} FROM users".format(col)`	CWE-89
`cursor.execute(f"...")`	CRITICAL	f-string passed directly to cursor.execute	CWE-89
`sequelize.query` with template literal	HIGH	`sequelize.query(\`SELECT * FROM ${table}`)`	CWE-89
Knex / sequelize raw() with interpolation	HIGH	`knex.raw('SELECT * FROM ' + table)`	CWE-89
Django `.extra()` with raw SQL	MEDIUM	`Model.objects.extra(where=['col = ' + val])`	CWE-89
`cursor.executemany` with string-built query	CRITICAL	Same risk as execute	CWE-89
JDBC `Statement.execute` with concat	HIGH	Java pattern: not PreparedStatement	CWE-89
Rails `where()` with string interpolation	HIGH	`User.where("name = '#{name}'")`	CWE-89
Go `db.Query` with `fmt.Sprintf`	HIGH	`db.Query(fmt.Sprintf("...", arg))`	CWE-89

Prerequisites

Python 3.9+
Target source tree on local filesystem

Instructions

Step 1 — Run the scanner

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py /path/to/repo

Options:

Usage: scan_sqli.py PATH [OPTIONS]

Options:
  --output FILE      Write findings to FILE
  --format FMT       json | jsonl | markdown (default: markdown)
  --min-severity SEV (default: info)
  --include-tests    Include test directories (default: excluded)
  --languages LIST   Comma-separated: python,javascript,typescript,java,
                     ruby,go,php,csharp (default: all)

Step 2 — Interpret findings

CRITICAL = direct user-input → query string construction. Fix the specific query AND audit nearby code for the same pattern.

HIGH = pattern suggests interpolation but might be a fixed identifier (table/column name). Verify by reading the code.

MEDIUM = framework-specific pattern that's safe ONLY with strict input validation (Django .extra(), Rails string where()).

Step 3 — Remediation

For each finding, the fix is the same shape per language: use the language/library's parameterized-query API. See references/PLAYBOOK.md for per-language snippets.

Step 4 — Cross-skill chaining

Consider running scanning-for-hardcoded-secrets (#10) on the same target — same audit, different class of finding.

Examples

Example 1 — Pre-merge code review

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py \
    --min-severity high $(git diff --name-only main...HEAD | tr '\n' ' ')

Scans only files changed in the current branch — fast feedback for PR review.

Example 2 — Legacy codebase audit

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py \
    /path/to/legacy-app --format markdown > sqli-audit.md

Expect dozens to hundreds of findings on a pre-ORM Java/PHP codebase. Prioritize by reachability: the queries reached from public endpoints first.

Output

JSON / JSONL / Markdown. Exit codes: 0 clean, 1 high/critical, 2 error.

Error Handling

False positives on fixed-identifier interpolation (e.g., f"SELECT * FROM {tablename}" where tablename is hardcoded) → verify manually. The scanner can't reason about variable provenance without a full AST + control-flow pass.
String-built dynamic-table queries are sometimes legitimate (multi-tenant routing). Flag and review; the fix is usually allow-list validation + identifier quoting.

Resources

references/THEORY.md — Per-language interpolation patterns, ORM-specific safe vs unsafe APIs, why prepared statements work
references/PLAYBOOK.md — Per-language parameterization snippets (Python sqlite3 + psycopg + SQLAlchemy, Node mysql2 + pg + knex
- sequelize, Ruby ActiveRecord, Go database/sql, Java JDBC PreparedStatement, PHP PDO)

detecting-sql-injection-patterns

Detecting SQL Injection Patterns

Overview

When the skill produces findings

Prerequisites

Instructions

Step 1 — Run the scanner

Step 2 — Interpret findings

Step 3 — Remediation

Step 4 — Cross-skill chaining

Examples

Example 1 — Pre-merge code review

Example 2 — Legacy codebase audit

Output

Error Handling

Resources

이 저장소의 다른 Skills

이 저장소의 다른 Skills

Detecting SQL Injection Patterns

Overview

When the skill produces findings

Prerequisites

Instructions

Step 1 — Run the scanner

Step 2 — Interpret findings

Step 3 — Remediation

Step 4 — Cross-skill chaining

Examples

Example 1 — Pre-merge code review

Example 2 — Legacy codebase audit

Output

Error Handling

Resources