Run any Skill in Manus with one click

$pwd:

security-audit

Name: Security Audit
Author: blueberrycongee

// Security audit skill. Use when asked to "audit security", "check for vulnerabilities", "security review", "pentest", or when evaluating code that handles auth, user input, secrets, or external data. Runs a phased scan covering OWASP Top 10 and STRIDE threat modeling.

Run Skill in Manus

$ git log --oneline --stat

stars:303

forks:21

updated:March 31, 2026 at 07:36

SKILL.md

readonly

name	security-audit
description	Security audit skill. Use when asked to "audit security", "check for vulnerabilities", "security review", "pentest", or when evaluating code that handles auth, user input, secrets, or external data. Runs a phased scan covering OWASP Top 10 and STRIDE threat modeling.

Security Audit

Phased security scan. Each phase is independent — skip phases that do not apply to the codebase.

Phase 1: Scope

Identify the attack surface: what accepts external input? (HTTP endpoints, CLI args, file uploads, WebSocket messages, IPC, environment variables)
Identify trust boundaries: where does data cross from untrusted to trusted?
List authentication and authorization mechanisms in use
Note the deployment model (server, serverless, desktop, CLI)

Phase 2: Input Validation

For each entry point identified in Phase 1:

Is user input validated and sanitized before use?
Are SQL queries parameterized (not string-interpolated)?
Is HTML output escaped to prevent XSS?
Are file paths validated to prevent path traversal?
Are file uploads constrained by type and size?
Is deserialization of untrusted data avoided or sandboxed?

Phase 3: Auth and Session

Are all protected routes/endpoints checked for authentication?
Is authorization checked per-resource, not just per-route?
Are session tokens generated with sufficient entropy?
Are tokens stored securely (httpOnly, secure, sameSite)?
Is there rate limiting on login/auth endpoints?
Are password reset flows safe from enumeration?

Phase 4: Secrets

grep -r for common secret patterns in source (API keys, tokens, passwords, connection strings) — exclude node_modules, .git, lock files
Check git log --all -p -S "password\|secret\|api_key\|token" for secrets that were committed and later removed (they are still in history)
Verify .gitignore covers .env, credential files, and key material
Check that secrets are not logged, included in error responses, or exposed in client-side bundles

Phase 5: Dependencies

Check for known vulnerabilities: npm audit / pip audit / equivalent
Look for unmaintained dependencies (no updates in 2+ years)
Check that lockfiles are committed and dependencies are pinned

Phase 6: CI/CD

If CI/CD config exists (.github/workflows/, .gitlab-ci.yml, etc.):

Are third-party actions/images pinned to SHA, not floating tags?
Does pull_request_target grant write access to untrusted PRs?
Are secrets available only to the workflows that need them?
Can a malicious PR modify CI config to exfiltrate secrets?

Phase 7: STRIDE Threat Model

For each component identified in Phase 1, evaluate:

Spoofing — Can an attacker impersonate a legitimate user or service?
Tampering — Can data be modified in transit or at rest without detection?
Repudiation — Are security-relevant actions logged with enough detail for audit?
Information Disclosure — Can sensitive data leak through errors, logs, or side channels?
Denial of Service — Are there unbounded operations an attacker can trigger?
Elevation of Privilege — Can a low-privilege user reach admin functionality?

Phase 8: Report

For each finding:

Severity: Critical / High / Medium / Low / Informational
Location: file path and line range
Description: what the vulnerability is
Impact: what an attacker could do
Recommendation: specific fix, not generic advice

Rules

Only report findings you can point to in the code — no hypotheticals
If a finding requires a specific runtime condition to exploit, state the condition
Do not report style issues, linting violations, or non-security code quality as security findings
Distinguish between confirmed vulnerabilities and potential risks

related-skills.json

same repository

code-review.md

from "blueberrycongee/termcanvas"

Structured code review skill. Use when asked to "review this code", "review this PR", "check this diff", or when acting as a Hydra reviewer. Runs a multi-pass review with specialist focus areas and confidence-gated findings.

2026-04-12303

qa.md

from "blueberrycongee/termcanvas"

QA testing skill with real browser automation. Use when asked to "test this site", "QA this page", "check for visual bugs", "verify the deploy", or when Hydra needs browser validation for UI changes. Requires the browse binary.

2026-04-12303

using-termcanvas.md

from "blueberrycongee/termcanvas"

Use when starting work in a TermCanvas-managed repo to route between direct work, Hydra, or a narrow TermCanvas skill.

2026-04-12303

hydra.md

from "blueberrycongee/termcanvas"

Use when a task should run through Hydra's Lead-driven workflow for multi-agent orchestration, or when an existing workflow must be inspected or cleaned up.

2026-04-11303

challenge.md

from "blueberrycongee/termcanvas"

Adversarial review skill. Use when the user wants to stress-test an idea, argument, proposal, or opinion from multiple independent angles. Spawns parallel Hydra workers with orthogonal analytical methodologies.

2026-04-08303

investigate.md

from "blueberrycongee/termcanvas"

Systematic debugging skill. Use when encountering a bug, test failure, unexpected behavior, or when asked to "investigate", "debug", "diagnose", or "figure out why". Enforces root-cause-first discipline with structured hypothesis tracking.

2026-03-31303

package.json

"author": "blueberrycongee"

"repository": "blueberrycongee/termcanvas"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	security-audit
description	Security audit skill. Use when asked to "audit security", "check for vulnerabilities", "security review", "pentest", or when evaluating code that handles auth, user input, secrets, or external data. Runs a phased scan covering OWASP Top 10 and STRIDE threat modeling.

Security Audit

Phased security scan. Each phase is independent — skip phases that do not apply to the codebase.

Phase 1: Scope

Identify the attack surface: what accepts external input? (HTTP endpoints, CLI args, file uploads, WebSocket messages, IPC, environment variables)
Identify trust boundaries: where does data cross from untrusted to trusted?
List authentication and authorization mechanisms in use
Note the deployment model (server, serverless, desktop, CLI)

Phase 2: Input Validation

For each entry point identified in Phase 1:

Is user input validated and sanitized before use?
Are SQL queries parameterized (not string-interpolated)?
Is HTML output escaped to prevent XSS?
Are file paths validated to prevent path traversal?
Are file uploads constrained by type and size?
Is deserialization of untrusted data avoided or sandboxed?

Phase 3: Auth and Session

Are all protected routes/endpoints checked for authentication?
Is authorization checked per-resource, not just per-route?
Are session tokens generated with sufficient entropy?
Are tokens stored securely (httpOnly, secure, sameSite)?
Is there rate limiting on login/auth endpoints?
Are password reset flows safe from enumeration?

Phase 4: Secrets

grep -r for common secret patterns in source (API keys, tokens, passwords, connection strings) — exclude node_modules, .git, lock files
Check git log --all -p -S "password\|secret\|api_key\|token" for secrets that were committed and later removed (they are still in history)
Verify .gitignore covers .env, credential files, and key material
Check that secrets are not logged, included in error responses, or exposed in client-side bundles

Phase 5: Dependencies

Check for known vulnerabilities: npm audit / pip audit / equivalent
Look for unmaintained dependencies (no updates in 2+ years)
Check that lockfiles are committed and dependencies are pinned

Phase 6: CI/CD

If CI/CD config exists (.github/workflows/, .gitlab-ci.yml, etc.):

Are third-party actions/images pinned to SHA, not floating tags?
Does pull_request_target grant write access to untrusted PRs?
Are secrets available only to the workflows that need them?
Can a malicious PR modify CI config to exfiltrate secrets?

Phase 7: STRIDE Threat Model

For each component identified in Phase 1, evaluate:

Spoofing — Can an attacker impersonate a legitimate user or service?
Tampering — Can data be modified in transit or at rest without detection?
Repudiation — Are security-relevant actions logged with enough detail for audit?
Information Disclosure — Can sensitive data leak through errors, logs, or side channels?
Denial of Service — Are there unbounded operations an attacker can trigger?
Elevation of Privilege — Can a low-privilege user reach admin functionality?

Phase 8: Report

For each finding:

Severity: Critical / High / Medium / Low / Informational
Location: file path and line range
Description: what the vulnerability is
Impact: what an attacker could do
Recommendation: specific fix, not generic advice

Rules

Only report findings you can point to in the code — no hypotheticals
If a finding requires a specific runtime condition to exploit, state the condition
Do not report style issues, linting violations, or non-security code quality as security findings
Distinguish between confirmed vulnerabilities and potential risks

security-audit

Security Audit

Phase 1: Scope

Phase 2: Input Validation

Phase 3: Auth and Session

Phase 4: Secrets

Phase 5: Dependencies

Phase 6: CI/CD

Phase 7: STRIDE Threat Model

Phase 8: Report

Rules

More from this repository

More from this repository

Security Audit

Phase 1: Scope

Phase 2: Input Validation

Phase 3: Auth and Session

Phase 4: Secrets

Phase 5: Dependencies

Phase 6: CI/CD

Phase 7: STRIDE Threat Model

Phase 8: Report

Rules