Run any Skill in Manus with one click

confirming-pentest-authorization

Verify that a penetration test has explicit, written, signed authorization before any scanning begins. Reads a Rules-of- Engagement (ROE) attestation file, validates required fields (authorizer, in-scope targets, time window, emergency contact, signature), checks the signer against an allowlist, and emits a CRITICAL finding if anything is missing. Designed as the first skill the orchestrator routes to. Use when: starting a new engagement, after a scope change, or before any cluster 1-4 scan skill runs. Threshold: any missing or unsigned ROE field; any time-window expiry; any in-scope target outside the authorized list. Trigger with: "confirm authorization", "verify ROE", "check pentest authz", "pre-flight authorization".

Run Skill in Manus

Stars2,344

Forks332

UpdatedJune 8, 2026 at 01:18

Source

jeremylongshore

jeremylongshore/claude-code-plugins-plus-skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

File Explorer

4 files

SKILL.md

readonly

More from this repository

same repository

auditing-npm-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema. Detects direct AND transitive vulnerabilities, normalizes npm's severity scale (info/low/moderate/ high/critical) to the shared Severity enum, and parses both v1 and v2 audit output formats so the skill works against npm 6 and npm 7+ lockfiles. Use when: pre-merge gate on a Node project, post-incident sweep after a transitive package compromise (e.g. event-stream, ua-parser, node-ipc, color.js), SOC2 vendor-management evidence collection, or auditing an inherited or acquired Node codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit npm deps", "npm vulnerability scan", "check node packages for CVEs", "npm audit".

2026-06-082.3k

auditing-python-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".

2026-06-082.3k

checking-license-compliance

jeremylongshore/claude-code-plugins-plus-skills

Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production. Reads SPDX license identifiers from npm package manifests, Python METADATA / PKG-INFO files, and pyproject.toml; classifies each license by family (permissive, weak-copyleft, strong-copyleft, proprietary, unknown); detects copyleft contamination and SPDX-incompatible license combinations. Use when: pre-release legal review, M&A code-audit due diligence, preparing an OSS attribution NOTICE file, or switching a project's own license. Threshold: any GPL-family license in a project declaring MIT or Apache-2.0; any UNKNOWN-license package; any metadata-vs-source license mismatch. Trigger with: "check licenses", "license compliance audit", "SPDX scan", "GPL contamination check".

2026-06-082.3k

composing-vulnerability-report

jeremylongshore/claude-code-plugins-plus-skills

Read findings JSONL files from cluster 1-4 skills, deduplicate by fingerprint, group by severity, and compose a deliverable- grade markdown vulnerability report with per-finding sections (title, severity, target, detail, remediation, evidence) and a top-level summary table. The canonical written artifact a customer receives at engagement close; precise, reproducible, machine- checkable against source findings. Use when: closing an engagement, generating an interim report, regenerating after CVE or OWASP enrichment, or producing the input for generating-executive-summary. Threshold: findings missing required fields are dropped. HIGH and CRITICAL findings highlighted in the summary section. Trigger with: "compose vuln report", "write pentest report", "generate vulnerability deliverable", "render findings to report".

2026-06-082.3k

defining-pentest-scope

jeremylongshore/claude-code-plugins-plus-skills

Parse the ROE scope definition, enumerate every in-scope target (hostnames, IPs, CIDRs, URLs, cloud accounts, SaaS tenants), validate syntax, detect overlap with out-of-scope or known third-party SaaS ranges, and emit a normalized target list plus IP allowlist for scanning tools. Runs after confirming-pentest- authorization and before any cluster 1-4 scan. Use when: starting an engagement, expanding scope mid-engagement, validating that a target list matches the ROE, or generating an allowlist for an external scanner. Threshold: malformed syntax, in-scope overlap with out-of-scope, reserved or third-party SaaS ranges without acknowledgement. Trigger with: "define scope", "enumerate targets", "validate target list", "generate IP allowlist".

2026-06-082.3k

generating-executive-summary

jeremylongshore/claude-code-plugins-plus-skills

Compose an exec-readable summary from a unified findings JSONL plus the OWASP coverage report. Computes a single engagement risk score (0-100, severity-weighted with OWASP-breadth and governance terms), rolls up findings into headline counts, names the top-3 remediation priorities with effort + impact estimates, and produces a 1-2 page markdown document for a C-level or board audience. Elides technical detail; the vulnerability report is the deep document. Use when: closing an engagement, preparing the exec-readout meeting, packaging for board review, or producing a one-page narrative for auditor / insurer / board. Threshold: input findings missing produces CRITICAL operational finding; otherwise the deliverable is the document itself. Trigger with: "generate exec summary", "executive summary", "C-level readout", "board pentest summary".

2026-06-082.3k

name	confirming-pentest-authorization
description	Verify that a penetration test has explicit, written, signed authorization before any scanning begins. Reads a Rules-of- Engagement (ROE) attestation file, validates required fields (authorizer, in-scope targets, time window, emergency contact, signature), checks the signer against an allowlist, and emits a CRITICAL finding if anything is missing. Designed as the first skill the orchestrator routes to. Use when: starting a new engagement, after a scope change, or before any cluster 1-4 scan skill runs. Threshold: any missing or unsigned ROE field; any time-window expiry; any in-scope target outside the authorized list. Trigger with: "confirm authorization", "verify ROE", "check pentest authz", "pre-flight authorization".
allowed-tools	["Read","Bash(python3:*)","Glob"]
disallowed-tools	["Bash(rm:)","Bash(curl:)","Bash(wget:)","Bash(nmap:)","Bash(nikto:)","Bash(sqlmap:)","Write(.env)","Edit(.env)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","engagement-governance","authorization","roe","pentest"]

Confirming Pentest Authorization

Overview

Penetration testing is computer access. Without explicit authorization from the owner of the system under test, that access is a crime — Computer Fraud and Abuse Act in the US, Computer Misuse Act in the UK, equivalent laws everywhere else. The line between an authorized pentester and an unauthorized attacker is one signature on one document.

The penetration-tester pack's other skills (TLS analysis, CORS audit, dependency CVE scan, etc.) all assume that line has been crossed correctly. This skill is the first gate the orchestrator routes to. It refuses to declare an engagement authorized until a Rules of Engagement (ROE) attestation file exists, is signed, and contains the fields any real-world legal review will look for.

This is not paranoia or paperwork theater. Engagements DO go sideways: scope creeps mid-test, a tester probes an out-of-scope adjacent system, an SOC team escalates a "real" attack to legal, and the question "show us the ROE" comes up. If the ROE is in order, the answer is "here it is." If not, the conversation gets expensive fast.

When the skill produces findings

Finding	Severity	Threshold	Affected control
ROE file missing	CRITICAL	No attestation file at the expected path	(legal)
Required field missing	CRITICAL	authorizer, in_scope_targets, time_window, emergency_contact, or signature absent	(legal)
Signature missing	CRITICAL	No signature_block in ROE	(legal)
Signer not in allowlist	CRITICAL	signer email/key id not in `.allowed-authorizers`	(legal)
Time window expired	HIGH	current time outside `time_window.start` / `time_window.end`	(legal)
Time window not yet active	HIGH	current time before `time_window.start`	(legal)
In-scope target list empty	HIGH	`in_scope_targets` field present but empty	(legal)
Out-of-scope override (manual flag)	MEDIUM	tester requests a target not in the in-scope list	(legal)
Stale ROE (>30 days from sign date)	MEDIUM	last_signed_at older than 30 days; suggests refresh	(operational)
ROE present + signed + in window	INFO	All gates pass; engagement is authorized	(positive confirmation)

Prerequisites

Python 3.9+
ROE attestation file at ./roe.yaml (or pass --roe FILE).
Optional .allowed-authorizers file listing email addresses or GPG key fingerprints permitted to sign ROEs.

ROE attestation file schema

engagement_id: ACME-2026-Q2-PENTEST-001
authorizer:
  name: Jane Doe
  email: jane.doe@acme.example
  role: CISO
  organization: ACME Corp
in_scope_targets:
  - host: app.acme.example
    notes: production web app, full-stack pentest authorized
  - host: api.acme.example
  - cidr: 10.50.0.0/16
    notes: internal corporate range
out_of_scope_targets:
  - host: payments.acme.example
    reason: PCI scope, separate authz required
  - cidr: 10.99.0.0/16
    reason: production database tier, separate authz required
time_window:
  start: 2026-06-01T00:00:00Z
  end: 2026-06-30T23:59:59Z
emergency_contact:
  name: SOC On-Call
  phone: "+1-555-555-5555"
  email: soc@acme.example
rules:
  - No exploitation of confirmed findings without written prompt approval
  - No password cracking against production accounts
  - All testing pauses on declared business-hours blackouts
signature_block:
  signer: jane.doe@acme.example
  signed_at: 2026-05-30T14:22:00Z
  signature: |
    -----BEGIN PGP SIGNATURE-----
    ...
    -----END PGP SIGNATURE-----

Instructions

Step 1 — Locate the ROE

The skill looks for ./roe.yaml by default. Override with --roe FILE. The ROE file should live with the engagement artifacts, NOT in the repo under test — typical layout is engagements/<client>-<date>/roe.yaml.

Step 2 — Run the verification

python3 ./scripts/check_authorization.py --roe engagements/acme-2026-q2/roe.yaml

Options:

Usage: check_authorization.py [OPTIONS]

Options:
  --roe FILE              Path to ROE attestation YAML (default: ./roe.yaml)
  --allowed FILE          Path to allowed-authorizers list (default: .allowed-authorizers)
  --check-target HOST     Verify HOST is in the in-scope list (repeatable)
  --output FILE           Write findings to FILE
  --format FMT            json | jsonl | markdown (default: markdown)
  --min-severity SEV      Default info

Step 3 — Interpret findings

CRITICAL = engagement is NOT authorized. Halt all testing immediately. Resolve the missing requirement before any further skill runs.

HIGH = the engagement was authorized at some point but the current state is out-of-window. Either extend the time window with a new signature or wait.

MEDIUM = operational concerns that warrant attention but don't block testing. A stale ROE should be refreshed; a manual out-of-scope target request needs explicit additional authz.

INFO = positive confirmation that the engagement is authorized.

Step 4 — Save the result

The skill's output IS the authorization record. Save the markdown report alongside the ROE itself; it becomes part of the engagement evidence chain (see recording-pentest-engagement for the storage pattern).

Examples

Example 1 — Pre-flight check before any scan

python3 ./scripts/check_authorization.py --roe engagements/acme-2026-q2/roe.yaml --format markdown
# If exit code != 0, halt testing.

Example 2 — Confirm a specific target is in-scope before probing

python3 ./scripts/check_authorization.py \
    --roe engagements/acme-2026-q2/roe.yaml \
    --check-target app.acme.example \
    --check-target api.acme.example

The skill returns an explicit INFO Finding per target if all checks pass, and a HIGH/CRITICAL Finding per target if any are out-of-scope.

Example 3 — Generate authorization evidence for the audit trail

python3 ./scripts/check_authorization.py --roe engagements/acme-2026-q2/roe.yaml \
    --format json \
    --output engagements/acme-2026-q2/evidence/authz-check-$(date +%Y%m%d).json

Output

JSON / JSONL / Markdown per lib/report.py. Exit codes: 0 clean, 1 high/critical (engagement NOT authorized), 2 error.

Each Finding includes:

id — authz::<field> or authz::target::<target>
severity — CRITICAL / HIGH / MEDIUM / INFO
category — engagement-authorization
summary — what's missing or wrong
evidence — engagement_id, authorizer email, time window, target

Error Handling

ROE file not found → emits a CRITICAL finding and exits 1.
Unparseable YAML → emits a CRITICAL finding with the parser error and exits 2.
Allowed-authorizers file missing → emits an INFO finding (allowlist is recommended but not required) and proceeds with field-level verification only.
Signature block present but unparseable → emits a CRITICAL finding flagging the issue; does NOT attempt to verify cryptographically (separate gpg --verify step recommended for signature validation; this skill validates the structural presence and signer-identity claim).

Resources

references/THEORY.md — Why pentest authorization is a legal primitive (CFAA, CMA, equivalent statutes), ROE structure history (OSSTMM / PTES origins), signature options (PGP / S/MIME / DocuSign), scope-creep failure modes
references/PLAYBOOK.md — ROE templates per engagement type (external pentest, internal pentest, red team, purple team), authorization escalation flow, time-window extension procedures, emergency-stop protocol