一键在 Manus 中运行任何 Skill

generating-executive-summary

Compose an exec-readable summary from a unified findings JSONL plus the OWASP coverage report. Computes a single engagement risk score (0-100, severity-weighted with OWASP-breadth and governance terms), rolls up findings into headline counts, names the top-3 remediation priorities with effort + impact estimates, and produces a 1-2 page markdown document for a C-level or board audience. Elides technical detail; the vulnerability report is the deep document. Use when: closing an engagement, preparing the exec-readout meeting, packaging for board review, or producing a one-page narrative for auditor / insurer / board. Threshold: input findings missing produces CRITICAL operational finding; otherwise the deliverable is the document itself. Trigger with: "generate exec summary", "executive summary", "C-level readout", "board pentest summary".

在 Manus 中运行

星标2,344

分支332

更新时间2026年6月8日 01:18

来源

jeremylongshore

jeremylongshore/claude-code-plugins-plus-skills

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

文件资源管理器

4 个文件

SKILL.md

readonly

同仓库更多 Skills

同仓库

auditing-npm-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema. Detects direct AND transitive vulnerabilities, normalizes npm's severity scale (info/low/moderate/ high/critical) to the shared Severity enum, and parses both v1 and v2 audit output formats so the skill works against npm 6 and npm 7+ lockfiles. Use when: pre-merge gate on a Node project, post-incident sweep after a transitive package compromise (e.g. event-stream, ua-parser, node-ipc, color.js), SOC2 vendor-management evidence collection, or auditing an inherited or acquired Node codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit npm deps", "npm vulnerability scan", "check node packages for CVEs", "npm audit".

2026-06-082.3k

auditing-python-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".

2026-06-082.3k

checking-license-compliance

jeremylongshore/claude-code-plugins-plus-skills

Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production. Reads SPDX license identifiers from npm package manifests, Python METADATA / PKG-INFO files, and pyproject.toml; classifies each license by family (permissive, weak-copyleft, strong-copyleft, proprietary, unknown); detects copyleft contamination and SPDX-incompatible license combinations. Use when: pre-release legal review, M&A code-audit due diligence, preparing an OSS attribution NOTICE file, or switching a project's own license. Threshold: any GPL-family license in a project declaring MIT or Apache-2.0; any UNKNOWN-license package; any metadata-vs-source license mismatch. Trigger with: "check licenses", "license compliance audit", "SPDX scan", "GPL contamination check".

2026-06-082.3k

composing-vulnerability-report

jeremylongshore/claude-code-plugins-plus-skills

Read findings JSONL files from cluster 1-4 skills, deduplicate by fingerprint, group by severity, and compose a deliverable- grade markdown vulnerability report with per-finding sections (title, severity, target, detail, remediation, evidence) and a top-level summary table. The canonical written artifact a customer receives at engagement close; precise, reproducible, machine- checkable against source findings. Use when: closing an engagement, generating an interim report, regenerating after CVE or OWASP enrichment, or producing the input for generating-executive-summary. Threshold: findings missing required fields are dropped. HIGH and CRITICAL findings highlighted in the summary section. Trigger with: "compose vuln report", "write pentest report", "generate vulnerability deliverable", "render findings to report".

2026-06-082.3k

confirming-pentest-authorization

jeremylongshore/claude-code-plugins-plus-skills

Verify that a penetration test has explicit, written, signed authorization before any scanning begins. Reads a Rules-of- Engagement (ROE) attestation file, validates required fields (authorizer, in-scope targets, time window, emergency contact, signature), checks the signer against an allowlist, and emits a CRITICAL finding if anything is missing. Designed as the first skill the orchestrator routes to. Use when: starting a new engagement, after a scope change, or before any cluster 1-4 scan skill runs. Threshold: any missing or unsigned ROE field; any time-window expiry; any in-scope target outside the authorized list. Trigger with: "confirm authorization", "verify ROE", "check pentest authz", "pre-flight authorization".

2026-06-082.3k

defining-pentest-scope

jeremylongshore/claude-code-plugins-plus-skills

Parse the ROE scope definition, enumerate every in-scope target (hostnames, IPs, CIDRs, URLs, cloud accounts, SaaS tenants), validate syntax, detect overlap with out-of-scope or known third-party SaaS ranges, and emit a normalized target list plus IP allowlist for scanning tools. Runs after confirming-pentest- authorization and before any cluster 1-4 scan. Use when: starting an engagement, expanding scope mid-engagement, validating that a target list matches the ROE, or generating an allowlist for an external scanner. Threshold: malformed syntax, in-scope overlap with out-of-scope, reserved or third-party SaaS ranges without acknowledgement. Trigger with: "define scope", "enumerate targets", "validate target list", "generate IP allowlist".

2026-06-082.3k

name	generating-executive-summary
description	Compose an exec-readable summary from a unified findings JSONL plus the OWASP coverage report. Computes a single engagement risk score (0-100, severity-weighted with OWASP-breadth and governance terms), rolls up findings into headline counts, names the top-3 remediation priorities with effort + impact estimates, and produces a 1-2 page markdown document for a C-level or board audience. Elides technical detail; the vulnerability report is the deep document. Use when: closing an engagement, preparing the exec-readout meeting, packaging for board review, or producing a one-page narrative for auditor / insurer / board. Threshold: input findings missing produces CRITICAL operational finding; otherwise the deliverable is the document itself. Trigger with: "generate exec summary", "executive summary", "C-level readout", "board pentest summary".
allowed-tools	["Read","Write","Bash(python3:*)","Glob"]
disallowed-tools	["Bash(rm:)","Bash(curl:)","Bash(wget:*)","Write(.env)","Edit(.env)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","reporting","executive-summary","risk-score","pentest"]

Generating Executive Summary

Overview

The vulnerability report is comprehensive — every finding, full detail, every reference. The C-level reader doesn't open it. They ask their security lead "what should I tell the board?" The security lead needs a one-page answer.

That one-page answer is the executive summary. It states the engagement's bottom line:

A single risk score (0-100)
Headline counts by severity
Top-3 remediation priorities, each with rough effort + impact
OWASP Top 10 coverage (where the work landed)
Engagement scope and authorization summary (what was tested, under what authority, in what window)
Next steps the customer's organization should take

The summary doesn't omit anything important; it just compresses. The vulnerability report remains the deep artifact for anyone who needs the technical detail.

This skill consumes the enriched findings JSONL (after OWASP mapping) + the OWASP coverage report + the ROE, computes the risk score, picks the top remediation priorities deterministically, and renders the document.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Input findings file missing	CRITICAL	Source JSONL doesn't exist	(operational)
OWASP coverage report missing	HIGH	Coverage referenced but not present	(operational)
ROE missing	MEDIUM	Can still generate summary but lacks scope/authz context	(operational)
Exec summary written cleanly	INFO	Confirmation	(informational)
Risk score >75 (high engagement risk)	HIGH	Computed risk score elevated	(advisory)
Risk score >90 (critical engagement risk)	CRITICAL	Engagement exposed material risk; needs urgent action	(advisory)

Risk score (0-100) composition

The single risk score is the headline number on the exec summary. The composition is deterministic and documented:

risk = clamp(0, 100,
    20 * count(CRITICAL)
  + 10 * count(HIGH)
  +  3 * count(MEDIUM)
  +  1 * count(LOW)
  +  0 * count(INFO)
  +  5 * (count(distinct OWASP categories touched) - 5 if >5 else 0)
  - 10 * 1 if engagement was authorized cleanly and in-scope (governance bonus)
)

The first five terms weight by severity. The OWASP-coverage term adds 5 points per category beyond 5 (a broader-finding engagement implies broader risk surface). The governance bonus is a -10 adjustment when ROE was clean — explicit recognition that finding problems in a well-governed engagement is HEALTHIER than finding the same problems in a chaotic engagement.

Score interpretation:

Score	Reading
0-25	Low risk: clean engagement OR very narrow scope
26-50	Moderate risk: typical engagement with manageable findings
51-75	Elevated risk: significant findings, remediation planning required
76-90	High risk: material findings; executive attention warranted
91-100	Critical risk: urgent remediation required; consider treating as incident

Top-3 remediation priorities

The skill picks top-3 priorities deterministically by:

Severity (CRITICAL > HIGH > MEDIUM > LOW)
Reachability — findings affecting many targets weight higher
Tie-breaker: alphabetical by title for stable output

Each priority gets:

A one-line headline
Estimated effort (Hours / Days / Weeks)
Estimated impact (Limited / Significant / Material)
Pointer to the corresponding finding section in the vulnerability report

Effort + impact are heuristic estimates based on the source skill's category — operator can override via --priority-overrides for cases where the heuristic is wrong.

Prerequisites

Python 3.9+
Findings JSONL at engagement/findings/all-with-owasp.jsonl (output of mapping-findings-to-owasp-top10) OR an explicit --source FILE
OWASP coverage report at engagement/reports/owasp-coverage.md (referenced; optional)
ROE at engagement/roe.yaml (referenced for scope summary)

Instructions

Step 1 — Verify the inputs are present

ls engagements/acme-2026-q2/findings/all-with-owasp.jsonl
ls engagements/acme-2026-q2/reports/owasp-coverage.md
ls engagements/acme-2026-q2/roe.yaml

All three should exist for a complete summary. The skill works without the coverage report or ROE but the summary is less complete.

Step 2 — Generate the summary

python3 ./scripts/exec_summary.py engagements/acme-2026-q2/

Options:

Usage: exec_summary.py PATH [OPTIONS]

Options:
  --source FILE              Findings JSONL (default: PATH/findings/all-with-owasp.jsonl)
  --coverage FILE            OWASP coverage report (default: PATH/reports/owasp-coverage.md)
  --roe FILE                 ROE (default: PATH/roe.yaml)
  --summary-output FILE      Output path (default: PATH/reports/executive-summary.md)
  --output FILE              Operational findings output
  --format FMT               json | jsonl | markdown (default: markdown)
  --min-severity SEV         default info
  --priority-overrides FILE  YAML overriding the top-3 priorities

Step 3 — Review the risk score

If the score is in 76-100 range, the operator should sanity-check before delivering: did the underlying findings actually warrant the elevated reading, or did a few INFO-tagged findings get mis-categorized as HIGH?

Step 4 — Hand off

The exec summary is intended as a standalone artifact. Deliver to the customer's exec readout meeting, along with the full vulnerability report.

Examples

Example 1 — End-of-engagement summary

python3 ./scripts/exec_summary.py engagements/acme-2026-q2/

Example 2 — Board-ready summary (force-includes governance section)

python3 ./scripts/exec_summary.py engagements/acme-2026-q2/ \
    --summary-output engagements/acme-2026-q2/reports/board-summary.md

Example 3 — Override priorities

# priorities-override.yaml
- title: "Hardcoded AWS access key in source"
  effort: Hours
  impact: Material
  rationale: This is the single highest-priority remediation regardless of count.

python3 ./scripts/exec_summary.py engagements/acme-2026-q2/ \
    --priority-overrides priorities-override.yaml

Output

JSON / JSONL / Markdown per lib/report.py for operational findings. PRIMARY output: the executive-summary markdown document.

Operational Finding includes:

id — exec::<issue>
severity — varies
category — executive-summary
summary — what was generated
evidence — risk score, finding count, top priorities, output path

Error Handling

No findings source → CRITICAL operational finding, exits 1.
Source JSONL unparseable → HIGH, exits 1.
No findings at all → emits LOW operational finding noting the empty engagement; the document is generated but says so.
Coverage report missing → MEDIUM, document is generated without the coverage-narrative section.
ROE missing → MEDIUM, document is generated without the scope/authorization section.

Resources

references/THEORY.md — Executive-summary writing as a technical-communication discipline, single-number risk scoring tradeoffs, why deterministic priority selection beats human-curated for reproducibility, how the score interpretation bands were chosen, comparison with CVSS / DREAD / STRIDE risk models
references/PLAYBOOK.md — Per-audience customizations (board, C-suite, security leadership, customer auditor), summary length guidelines, common rewrite patterns, integration with the composing + mapping skills, post-delivery follow-up cadence