一键在 Manus 中运行任何 Skill

pentest-supply-chain

星标284

分支55

更新时间2026年2月11日 09:17

Software supply chain security — dependency confusion, CI/CD pipeline attacks, lockfile integrity, and build artifact verification.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

jd-opensource

jd-opensource/JoySafeter

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Pentest Supply Chain

Purpose

Supply chain attacks (SolarWinds, Log4Shell, xz-utils) are the fastest-growing threat category. Shannon explicitly excludes "vulnerable third-party libraries." MITRE ATT&CK T1195 has zero coverage in any existing skill.

Prerequisites

Authorization Requirements

Written authorization with supply chain testing scope
Repository access for dependency and CI/CD analysis
Registry awareness — confirm which private registries are in use
Build system access for pipeline review (if white-box)

Environment Setup

Snyk CLI for dependency vulnerability scanning
npm audit / pip-audit for ecosystem-specific checks
Trivy for container and filesystem scanning
socket.dev for dependency risk analysis

Core Workflow

Dependency Audit: Analyze package.json/requirements.txt/go.mod for known vulnerable versions, unmaintained packages, suspicious dependencies.
Dependency Confusion: Check if internal package names can be claimed on public registries (npm, PyPI). Test namespace squatting.
CI/CD Pipeline Security: Review GitHub Actions/GitLab CI for injection via PR titles/branch names, secrets in logs, unpinned action versions, runner escape.
Build Artifact Integrity: Verify signatures on containers/packages, check for unsigned artifacts, test image tag mutability.
Lockfile Integrity: Detect lockfile injection (manipulated resolved URLs), verify lockfile-to-manifest consistency.
Install Script Abuse: Identify packages with install hooks executing arbitrary code, test typosquatting candidates.
SBOM Generation: Generate Software Bill of Materials and map transitive dependency risk with CVE correlation.

Tool Categories

Category	Tools	Purpose
Dependency Scanning	Snyk, npm audit, pip-audit	Known CVE detection
Container Scanning	Trivy, Grype	Image vulnerability analysis
Dependency Risk	socket.dev, Semgrep	Behavioral risk analysis
CI/CD Review	custom scripts, actionlint	Pipeline security audit
SBOM	syft, cyclonedx-cli	Bill of materials generation

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors

同仓库更多 Skills

同仓库

skill-creator

jd-opensource/JoySafeter

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.

2026-03-26284

openclaw-security-checker

jd-opensource/JoySafeter

OpenClaw 安全检测工具，基于安全实践指南验证配置安全、权限隔离、网络策略、日志审计和运行时完整性

2026-03-13284

openclaw-threat-detect

jd-opensource/JoySafeter

OpenClaw 攻击模式检测工具，识别数据外传、反弹Shell、文件泄露、Prompt注入、供应链投毒等高危行为，支持 MITRE ATT&CK 映射

2026-03-13284

skill-security-auditor

jd-opensource/JoySafeter

OpenClaw Skills 全方位安全审计工具，检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险

2026-03-13284

planning-with-files

jd-opensource/JoySafeter

Implements Manus-style file-based planning for complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when starting complex multi-step tasks, research projects, or any task requiring >5 tool calls. Now with automatic session recovery after /clear.

2026-02-13284

pentest-ai-llm-security

jd-opensource/JoySafeter

AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.

2026-02-11284

name	pentest-supply-chain
description	Software supply chain security — dependency confusion, CI/CD pipeline attacks, lockfile integrity, and build artifact verification.

Pentest Supply Chain

Purpose

Prerequisites

Authorization Requirements

Written authorization with supply chain testing scope
Repository access for dependency and CI/CD analysis
Registry awareness — confirm which private registries are in use
Build system access for pipeline review (if white-box)

Environment Setup

Snyk CLI for dependency vulnerability scanning
npm audit / pip-audit for ecosystem-specific checks
Trivy for container and filesystem scanning
socket.dev for dependency risk analysis

Core Workflow

Dependency Audit: Analyze package.json/requirements.txt/go.mod for known vulnerable versions, unmaintained packages, suspicious dependencies.
Dependency Confusion: Check if internal package names can be claimed on public registries (npm, PyPI). Test namespace squatting.
CI/CD Pipeline Security: Review GitHub Actions/GitLab CI for injection via PR titles/branch names, secrets in logs, unpinned action versions, runner escape.
Build Artifact Integrity: Verify signatures on containers/packages, check for unsigned artifacts, test image tag mutability.
Lockfile Integrity: Detect lockfile injection (manipulated resolved URLs), verify lockfile-to-manifest consistency.
Install Script Abuse: Identify packages with install hooks executing arbitrary code, test typosquatting candidates.
SBOM Generation: Generate Software Bill of Materials and map transitive dependency risk with CVE correlation.

Tool Categories

Category	Tools	Purpose
Dependency Scanning	Snyk, npm audit, pip-audit	Known CVE detection
Container Scanning	Trivy, Grype	Image vulnerability analysis
Dependency Risk	socket.dev, Semgrep	Behavioral risk analysis
CI/CD Review	custom scripts, actionlint	Pipeline security audit
SBOM	syft, cyclonedx-cli	Bill of materials generation

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors