一键导入
vulnerability-scanner
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
How to author a DESIGN.md file — the machine-readable design-token + human-rationale format that must exist before any UI is built. YAML front-matter token schema (colors, typography, spacing, rounded, components), type system, token references, and canonical section order.
How to organize frontend code — separation of concerns (UI / logic / data / type), file responsibility, state tiers, API services, schema validation, and framework conventions for React/Next and Vue. Structural rules, not visual design.
Anti-slop frontend design for web UI — landing pages, portfolios, marketing/product sites, and redesigns. Reads the brief, infers the right direction, and ships interfaces that don't look templated. Real design systems when applicable, audit-first on redesigns, strict pre-flight check. NOT for mobile apps.
Automatic agent selection and intelligent task routing. Analyzes user requests and automatically selects the best specialist agent(s) without requiring explicit user mentions.
AI operational modes (brainstorm, implement, debug, review, teach, ship, orchestrate). Use to adapt behavior based on task type.
Socratic questioning protocol + user communication. MANDATORY for complex requests, new features, or unclear requirements. Includes progress reporting and error handling.
| name | vulnerability-scanner |
| description | Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization. |
| when_to_use | When scanning for security vulnerabilities, checking OWASP 2025 compliance, or analyzing supply chain security. |
| allowed-tools | Read, Glob, Grep, Bash |
Think like an attacker, defend like an expert. 2025 threat landscape awareness.
Execute for automated validation:
| Script | Purpose | Usage |
|---|---|---|
scripts/security_scan.py | Validate security principles applied | python scripts/security_scan.py <project_path> |
| File | Purpose |
|---|---|
| checklists.md | OWASP Top 10, Auth, API, Data protection checklists |
| Principle | Application |
|---|---|
| Assume Breach | Design as if attacker already inside |
| Zero Trust | Never trust, always verify |
| Defense in Depth | Multiple layers, no single point |
| Least Privilege | Minimum required access only |
| Fail Secure | On error, deny access |
Before scanning, ask:
| Rank | Category | Think About |
|---|---|---|
| A01 | Broken Access Control | Who can access what? IDOR, SSRF |
| A02 | Security Misconfiguration | Defaults, headers, exposed services |
| A03 | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
| A04 | Cryptographic Failures | Weak crypto, exposed secrets |
| A05 | Injection | User input → system commands |
| A06 | Insecure Design | Flawed architecture |
| A07 | Authentication Failures | Session, credential management |
| A08 | Integrity Failures | Unsigned updates, tampered data |
| A09 | Logging & Alerting | Blind spots, no monitoring |
| A10 | Exceptional Conditions 🆕 | Error handling, fail-open states |
2021 → 2025 Shifts:
├── SSRF merged into A01 (Access Control)
├── A02 elevated (Cloud/Container configs)
├── A03 NEW: Supply Chain (major focus)
├── A10 NEW: Exceptional Conditions
└── Focus shift: Root causes > Symptoms
| Vector | Risk | Question to Ask |
|---|---|---|
| Dependencies | Malicious packages | Do we audit new deps? |
| Lock files | Integrity attacks | Are they committed? |
| Build pipeline | CI/CD compromise | Who can modify? |
| Registry | Typosquatting | Verified sources? |
| Category | Elements |
|---|---|
| Entry Points | APIs, forms, file uploads |
| Data Flows | Input → Process → Output |
| Trust Boundaries | Where auth/authz checked |
| Assets | Secrets, PII, business data |
Risk = Likelihood × Impact
High Impact + High Likelihood → CRITICAL
High Impact + Low Likelihood → HIGH
Low Impact + High Likelihood → MEDIUM
Low Impact + Low Likelihood → LOW
| Factor | Weight | Question |
|---|---|---|
| CVSS Score | Base severity | How severe is the vuln? |
| EPSS Score | Exploit likelihood | Is it being exploited? |
| Asset Value | Business context | What's at risk? |
| Exposure | Attack surface | Internet-facing? |
Is it actively exploited (EPSS >0.5)?
├── YES → CRITICAL: Immediate action
└── NO → Check CVSS
├── CVSS ≥9.0 → HIGH
├── CVSS 7.0-8.9 → Consider asset value
└── CVSS <7.0 → Schedule for later
| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
|---|---|---|
| Auth error | Allow access | Deny access |
| Parsing fails | Accept input | Reject input |
| Timeout | Retry forever | Limit + abort |
1. RECONNAISSANCE
└── Understand the target
├── Technology stack
├── Entry points
└── Data flows
2. DISCOVERY
└── Identify potential issues
├── Configuration review
├── Dependency analysis
└── Code pattern search
3. ANALYSIS
└── Validate and prioritize
├── False positive elimination
├── Risk scoring
└── Attack chain mapping
4. REPORTING
└── Actionable findings
├── Clear reproduction steps
├── Business impact
└── Remediation guidance
| Pattern | Risk | Look For |
|---|---|---|
| String concat in queries | Injection | "SELECT * FROM " + user_input |
| Dynamic code execution | RCE | eval(), exec(), Function() |
| Unsafe deserialization | RCE | pickle.loads(), unserialize() |
| Path manipulation | Traversal | User input in file paths |
| Disabled security | Various | verify=False, --insecure |
| Type | Indicators |
|---|---|
| API Keys | api_key, apikey, high entropy |
| Tokens | token, bearer, jwt |
| Credentials | password, secret, key |
| Cloud | AWS_, AZURE_, GCP_ prefixes |
| Layer | You Own | Provider Owns |
|---|---|---|
| Data | ✅ | ❌ |
| Application | ✅ | ❌ |
| OS/Runtime | Depends | Depends |
| Infrastructure | ❌ | ✅ |
| ❌ Don't | ✅ Do |
|---|---|
| Scan without understanding | Map attack surface first |
| Alert on every CVE | Prioritize by exploitability + asset |
| Ignore false positives | Maintain verified baseline |
| Fix symptoms only | Address root causes |
| Scan once before deploy | Continuous scanning |
| Trust third-party deps blindly | Verify integrity, audit code |
Each finding should answer:
| Severity | Criteria |
|---|---|
| Critical | RCE, auth bypass, mass data exposure |
| High | Data exposure, privilege escalation |
| Medium | Limited scope, requires conditions |
| Low | Informational, best practice |
Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"