一键在 Manus 中运行任何 Skill

$pwd:

ghost-scan-code

Name: Ghost Scan Code
Author: ghostsecurity

// Ghost Security - SAST code scanner. Finds security vulnerabilities in source code by planning and executing targeted scans for issues like SQL injection, XSS, BOLA, BFLA, SSRF, and other OWASP categories. Supports applications (backend, frontend, mobile) and libraries (prototype pollution, unsafe deserialization, ReDoS, path traversal, zip slip). Use when the user asks for a code security audit, SAST scan, vulnerability scan of source code, or wants to find security flaws in a codebase or library.

在 Manus 中运行

$ git log --oneline --stat

stars:382

forks:26

updated:2026年3月11日 12:01

文件资源管理器

12 个文件

SKILL.md

readonly

name	ghost-scan-code
description	Ghost Security - SAST code scanner. Finds security vulnerabilities in source code by planning and executing targeted scans for issues like SQL injection, XSS, BOLA, BFLA, SSRF, and other OWASP categories. Supports applications (backend, frontend, mobile) and libraries (prototype pollution, unsafe deserialization, ReDoS, path traversal, zip slip). Use when the user asks for a code security audit, SAST scan, vulnerability scan of source code, or wants to find security flaws in a codebase or library.
allowed-tools	Read, Write, Edit, Glob, Grep, Bash
argument-hint	[depth=quick]
license	apache-2.0
metadata	{"version":"1.1.1"}

Find Issues

You find security issues in a repository. This skill plans which vulnerability vectors to scan, then executes those scans against each project.

Inputs

depth: quick (default), balanced, or full — override via $ARGUMENTS

$ARGUMENTS

Note: Arguments passed can be used to customize the scan workflow if provided. For example, if the user specifies a specific set of vectors, count of vectors, specific candidate files, areas to focus on, count of candidate files, etc., ensure the relevant details are passed to the relevant steps in the skill.

Supporting files

Loop script: scripts/loop.sh
Scan criteria: criteria/index.yaml

Step 1: Setup

Compute the repo-specific output directory:

repo_name=$(basename "$(pwd)") && remote_url=$(git remote get-url origin 2>/dev/null || pwd) && short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) && repo_id="${repo_name}-${short_hash}" && short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) && ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" && scan_dir="${ghost_repo_dir}/scans/${short_sha}/code" && cache_dir="${ghost_repo_dir}/cache" && mkdir -p "$scan_dir" && echo "scan_dir=$scan_dir cache_dir=$cache_dir"

Read $cache_dir/repo.md — if missing, run the repo-context skill first and then continue.
Read criteria/index.yaml to get the valid agent→vector mappings per project type
Set depth to quick if not provided
If depth is full, warn the user that a full scan uses significantly more tokens and ask them to confirm before proceeding. If they decline, fall back to balanced.

Step 2: Plan Scans

If $scan_dir/plan.md already exists, skip to the next step.

Otherwise, run the planner using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir planner.md "- depth: <depth>
- arguments: <relevant argument overrides if any, otherwise omit>" 1 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Verify: $scan_dir/plan.md exists and contains at least one ## Project: section before proceeding.

Step 3: Nominate Files

If $scan_dir/nominations.md does not exist, generate it by reading $scan_dir/plan.md and for each project section (## Project: <base_path> (<type>)), parse the Recommended Scans table. For each row, extract the Agent and Vector columns. Write $scan_dir/nominations.md - one line per (project, agent, vector) combination. Skip projects with empty scan tables.

# Nominations

- [ ] <base_path> (<type>) | <agent> | <vector>
- [ ] <base_path> (<type>) | <agent> | <vector>
...

If $scan_dir/nominations.md already exists, change every top level task - [x] to - [ ]. Keep all indented lines/subtasks beneath each item unchanged.

Run nomination script

Using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir nominator.md "- depth: <depth>
- arguments: <relevant argument overrides if any, otherwise omit>" 5 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Verify: $scan_dir/nominations.md contains at least one - [x] line before proceeding.

Step 4: Analyze Nominated Files

Read $scan_dir/nominations.md. For each candidate file under a checked - [x] line, append to $scan_dir/analyses.md (skip candidates already listed in analyses.md).

- [ ] <base_path> (<type>) | <agent> | <vector> | <candidate_file>

Create the findings directory:

mkdir -p $scan_dir/findings

Run analysis script

Using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir analyzer.md "" 5 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Verify: $scan_dir/analyses.md contains at least one - [x] line before proceeding.

Step 5: Verify Findings

List all .md files in $scan_dir/findings/. If none exist, write a no-findings.md summary and stop.

Using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir verifier.md "" 5 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Completion

After all steps complete, report the scan results:

List all finding files in $scan_dir/findings/
Count verified vs rejected findings
Present a summary to the user

related-skills.json

同仓库

ghost-repo-context.md

from "ghostsecurity/skills"

Scans directory structure, detects projects, maps dependencies, and documents code organization into a repo.md file. Use when the user needs a codebase overview, project structure map, or repository context before security analysis.

2026-02-25382

ghost-proxy.md

from "ghostsecurity/skills"

Starts and controls the reaper MITM proxy to capture, inspect, search, and replay HTTP/HTTPS traffic between clients and servers. Capabilities include starting/stopping the proxy scoped to specific domains, viewing captured request/response logs, searching traffic by method/path/status/host, and inspecting full raw HTTP entries for security analysis. Use when the user asks to "start the proxy", "capture traffic", "intercept requests", "inspect HTTP traffic", "search captured requests", or "view request/response".

2026-02-17382

ghost-report.md

from "ghostsecurity/skills"

Ghost Security — combined security report. Aggregates findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report focused on the highest risk, highest confidence issues. Use when the user requests a security overview, vulnerability summary, full security audit, or combined scan results.

2026-02-17382

ghost-scan-deps.md

from "ghostsecurity/skills"

Ghost Security - Software Composition Analysis (SCA) scanner. Scans dependency lockfiles for known vulnerabilities, identifies CVEs, and generates findings with severity levels and remediation guidance. Use when the user asks about dependency vulnerabilities, vulnerable packages, CVE checks, security audits of dependencies, or wants to scan lockfiles like package-lock.json, yarn.lock, go.sum, or Gemfile.lock.

2026-02-17382

ghost-scan-secrets.md

from "ghostsecurity/skills"

Ghost Security - Secrets and credentials scanner. Scans codebase for leaked API keys, tokens, passwords, and sensitive data. Detects hardcoded secrets and generates findings with severity and remediation guidance. Use when the user asks to check for leaked secrets, scan for credentials, find hardcoded API keys or passwords, detect exposed .env values, or audit code for sensitive data exposure.

2026-02-17382

ghost-validate.md

from "ghostsecurity/skills"

This skill should be used when the user asks to "validate a finding", "check if a vulnerability is real", "triage a security finding", "confirm a vulnerability", "determine if a finding is a true positive or false positive", or provides a security finding for review. It validates security vulnerability findings by tracing data flows, verifying exploit conditions, analyzing security controls, and optionally testing attack vectors against a live application.

2026-02-17382

package.json

"author": "ghostsecurity"

"repository": "ghostsecurity/skills"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name	ghost-scan-code
description	Ghost Security - SAST code scanner. Finds security vulnerabilities in source code by planning and executing targeted scans for issues like SQL injection, XSS, BOLA, BFLA, SSRF, and other OWASP categories. Supports applications (backend, frontend, mobile) and libraries (prototype pollution, unsafe deserialization, ReDoS, path traversal, zip slip). Use when the user asks for a code security audit, SAST scan, vulnerability scan of source code, or wants to find security flaws in a codebase or library.
allowed-tools	Read, Write, Edit, Glob, Grep, Bash
argument-hint	[depth=quick]
license	apache-2.0
metadata	{"version":"1.1.1"}

Find Issues

You find security issues in a repository. This skill plans which vulnerability vectors to scan, then executes those scans against each project.

Inputs

depth: quick (default), balanced, or full — override via $ARGUMENTS

$ARGUMENTS

Note: Arguments passed can be used to customize the scan workflow if provided. For example, if the user specifies a specific set of vectors, count of vectors, specific candidate files, areas to focus on, count of candidate files, etc., ensure the relevant details are passed to the relevant steps in the skill.

Supporting files

Loop script: scripts/loop.sh
Scan criteria: criteria/index.yaml

Step 1: Setup

Compute the repo-specific output directory:

repo_name=$(basename "$(pwd)") && remote_url=$(git remote get-url origin 2>/dev/null || pwd) && short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) && repo_id="${repo_name}-${short_hash}" && short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) && ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" && scan_dir="${ghost_repo_dir}/scans/${short_sha}/code" && cache_dir="${ghost_repo_dir}/cache" && mkdir -p "$scan_dir" && echo "scan_dir=$scan_dir cache_dir=$cache_dir"

Read $cache_dir/repo.md — if missing, run the repo-context skill first and then continue.
Read criteria/index.yaml to get the valid agent→vector mappings per project type
Set depth to quick if not provided
If depth is full, warn the user that a full scan uses significantly more tokens and ask them to confirm before proceeding. If they decline, fall back to balanced.

Step 2: Plan Scans

If $scan_dir/plan.md already exists, skip to the next step.

Otherwise, run the planner using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir planner.md "- depth: <depth>
- arguments: <relevant argument overrides if any, otherwise omit>" 1 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Verify: $scan_dir/plan.md exists and contains at least one ## Project: section before proceeding.

Step 3: Nominate Files

# Nominations

- [ ] <base_path> (<type>) | <agent> | <vector>
- [ ] <base_path> (<type>) | <agent> | <vector>
...

If $scan_dir/nominations.md already exists, change every top level task - [x] to - [ ]. Keep all indented lines/subtasks beneath each item unchanged.

Run nomination script

Using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir nominator.md "- depth: <depth>
- arguments: <relevant argument overrides if any, otherwise omit>" 5 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Verify: $scan_dir/nominations.md contains at least one - [x] line before proceeding.

Step 4: Analyze Nominated Files

Read $scan_dir/nominations.md. For each candidate file under a checked - [x] line, append to $scan_dir/analyses.md (skip candidates already listed in analyses.md).

- [ ] <base_path> (<type>) | <agent> | <vector> | <candidate_file>

Create the findings directory:

mkdir -p $scan_dir/findings

Run analysis script

Using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir analyzer.md "" 5 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Verify: $scan_dir/analyses.md contains at least one - [x] line before proceeding.

Step 5: Verify Findings

List all .md files in $scan_dir/findings/. If none exist, write a no-findings.md summary and stop.

Using scripts/loop.sh:

bash <path-to-loop.sh> $scan_dir verifier.md "" 5 $cache_dir

Use a 10-minute timeout. If the command times out, re-run it — the script resumes from where it left off. If it fails 3 times consecutively with the same error, stop and report the failure.

Completion

After all steps complete, report the scan results:

List all finding files in $scan_dir/findings/
Count verified vs rejected findings
Present a summary to the user

ghost-scan-code

Find Issues

Inputs

Supporting files

Step 1: Setup

Step 2: Plan Scans

Step 3: Nominate Files

Run nomination script

Step 4: Analyze Nominated Files

Run analysis script

Step 5: Verify Findings

Completion

同仓库更多 Skills

同仓库更多 Skills

Find Issues

Inputs

Supporting files

Step 1: Setup

Step 2: Plan Scans

Step 3: Nominate Files

Run nomination script

Step 4: Analyze Nominated Files

Run analysis script

Step 5: Verify Findings

Completion