一键在 Manus 中运行任何 Skill

$pwd:

security-review

Name: Security Review
Author: weDevsOfficial

// Scan PHP + React changes in WP Project Manager for the security issues common to WordPress plugins: nonce/permission bypass, unsanitized input flowing to wp_send_json or echo, SQL injection in raw $wpdb queries, XSS via dangerouslySetInnerHTML, SVG upload bypass, missing capability checks on AJAX/REST routes, leaked secrets in JS bundle, broken CSRF protection. TRIGGER when the user says 'security review', 'audit for vulns', 'scan the diff', invokes /security-review, or asks 'is this safe'. Also trigger automatically when reviewing any change that touches routes/, core/Permissions/, db/, or files that handle uploads.

在 Manus 中运行

$ git log --oneline --stat

stars:223

forks:119

updated:2026年5月13日 11:44

SKILL.md

readonly

name

security-review

description

Scan PHP + React changes in WP Project Manager for the security issues common to WordPress plugins: nonce/permission bypass, unsanitized input flowing to wp_send_json or echo, SQL injection in raw $wpdb queries, XSS via dangerouslySetInnerHTML, SVG upload bypass, missing capability checks on AJAX/REST routes, leaked secrets in JS bundle, broken CSRF protection. TRIGGER when the user says 'security review', 'audit for vulns', 'scan the diff', invokes /security-review, or asks 'is this safe'. Also trigger automatically when reviewing any change that touches routes/, core/Permissions/, db/, or files that handle uploads.

WP Project Manager Security Review

Scope

PHP backend, React frontend, and the bridge between them. Stack-specific threat model — WordPress plugin distributed via wp.org SVN. Untrusted input = anything from $_REQUEST, WP_REST_Request, browser, or third-party APIs (GitHub/Loom/Notion previews).

Workflow

Determine diff scope.
- If a PR is named, gh pr diff <N>.
- Else git --no-pager diff HEAD.
- List changed files; for any in the high-risk paths below, read the FULL file (not just hunks).
High-risk paths (always read in full when changed):
- routes/*.php — endpoint surface
- core/Permissions/*.php — authz
- db/Create_Table.php, db/migrations/* — schema
- src/*/Controllers/*.php — request handling
- bootstrap/loaders.php — SVG sanitization, plugin boot
- views/assets/src/hooks/useApi.js — auth wiring
- views/assets/src/index.jsx — window.PM exposure
- Anything mentioning wp_send_json, dangerouslySetInnerHTML, $wpdb->query, eval, unserialize, file_get_contents, wp_remote_*
Check each issue. For every finding: file:line — [SEVERITY] threat — remediation.

Authz / permission

Every route in routes/*.php chains ->permission([...]) with a class from core/Permissions/.
For mutation routes (POST/PUT/DELETE): the permission must check the resource owner / project membership (Access_Project, Edit_Task, etc.), not just Authentic.
New permission classes return strict bool from can().
No current_user_can inlined in controllers as the only gate (it bypasses the router's chain and is easy to miss).
is_admin request param is a hint, NOT a trust boundary — never make decisions based solely on it.

Input sanitization

All $request->get_param(...) results sanitized before SQL/output:
- sanitize_text_field for plain text
- intval / absint for IDs and integers
- wp_kses_post for rich text (comments, task descriptions)
- esc_url_raw for URLs
- sanitize_email for emails
wp_unslash before sanitizing $_POST / $_REQUEST.
Arrays sanitized recursively — array_map('intval', $ids), not a bare assignment.

SQL injection

Eloquent: bindings cover it. Flag raw concatenation into whereRaw.
$wpdb->query / $wpdb->get_var / $wpdb->get_results: MUST use $wpdb->prepare with placeholders for any variable.
Migration ALTER statements may be raw — verify the schema string is a literal, not interpolated user data.

XSS

Backend: PHP-rendered templates (views/emails/, views/project-switch/) must escape every echo: esc_html, esc_attr, esc_url, wp_kses_post.
Frontend:
- dangerouslySetInnerHTML ONLY when wrapped in sanitizeHtml from @lib/sanitize (DOMPurify-based).
- Pusher notification handler (index.jsx) strips inline style="…" and sanitizes — match that pattern.
- No eval, no new Function, no document.write.

CSRF / nonce

Frontend: useApi.js injects X-WP-Nonce: PM_Vars.permission. Custom fetch callers must also include it.
Backend: nonce verified by the router. If a new code path bypasses the router (e.g., add_action('wp_ajax_*')), it MUST verify nonce explicitly.

File uploads / SVG

SVG sanitization wired via bootstrap/loaders.php :: wedevs_pm_clean_svg(). Any new upload path must funnel through wp_check_filetype_and_ext or call the sanitizer directly.
File path handling: never concatenate user input into a filesystem path; use wp_unique_filename, wp_check_filetype, path_join with WP_CONTENT_DIR.

Secrets in client

The React bundle is public. Anything in PM_Vars is public.
Flag any API keys / tokens that look like they're being injected into PM_Vars. AI/integration tokens (OpenAI, GitHub, Notion, Loom) must stay server-side and be referenced by ID, not value.

Third-party preview APIs

src/GitHub/, src/Loom/, src/Notion/, src/Trello/ make outbound calls.
Always wp_remote_get/wp_remote_post with sslverify => true, sane timeout.
Validate the response shape before rendering — never pipe a third-party URL into <a href> or <img src> without esc_url/sanitize_url.

Window.PM exposure

window.PM is intentionally public — Pro needs it. But avoid exposing:
- Direct DB connection refs
- Internal helpers that mutate state without the same authz as the API path
- Anything that lets callers bypass useApi.js's nonce/is_admin injection

Mass assignment / overposting

Eloquent $fillable lists must not include privileged fields (is_admin, capability flags, internal status fields).
update($request->all()) is a smell — always update($validated_fields_only).

Output of error details

Don't return stack traces / Eloquent error messages to clients. Wrap in WP_Error with a generic message; log details server-side.

Open redirects

Any wp_safe_redirect target derived from $_REQUEST must be validated against wp_validate_redirect.

Severity guide

CRITICAL — authz bypass, unauthed RCE/SQLi/XSS, secret leak in bundle.
HIGH — XSS requiring auth, CSRF on mutation, missing nonce, mass assignment.
MEDIUM — missing sanitization without confirmed sink, weak validation, missing rate limit.
LOW — defense-in-depth, hardening suggestions, missing helmet-equivalent headers.

Output format

## Security review of <branch | PR #N>

### Critical
- file:line — [CRITICAL] ... — fix: ...

### High
- file:line — [HIGH] ... — fix: ...

### Medium / Low
- ...

### Clean areas
- ...

Gotchas specific to this codebase

PM_Vars.permission (not .nonce) is the nonce. Don't "fix" it.
is_admin is a request param, NOT a permission boundary.
The custom router is in core/Router/ — WP REST API security advice doesn't always map cleanly. The router enforces nonce; new code that bypasses it loses that protection.
compatibility-checker.php is legacy admin-notice code; don't add new public surface there.

related-skills.json

同仓库

wepm-release.md

from "weDevsOfficial/wp-project-manager"

Release a new version of wedevs-project-manager (Project Manager free) to wp.org via GitHub Actions (`.github/workflows/deploy-org.yml`). Tag push triggers the deploy workflow — no Appsero. Trigger when user says "release wepm", "release project manager", "ship pm X.Y.Z", "publish wedevs project manager", "/wepm-release".

2026-05-13223

db-migration.md

from "weDevsOfficial/wp-project-manager"

Add a new append-only database migration for WP Project Manager. Updates db/migrations/, db/Create_Table.php, the Eloquent model fillable/casts, and the Fractal transformer. TRIGGER when the user says 'add a column', 'new table', 'schema change', 'migration', 'alter wp_pm_*', invokes /db-migration, or describes a feature that requires a DB change.

2026-05-13223

free-pro-contract-check.md

from "weDevsOfficial/wp-project-manager"

Verify a change to the Free plugin does not break the window.PM contract that Pro depends on. Diffs window.PM exports, slot/filter/route registrations, externalized libs, and the shape of Free thunks/actions Pro consumes. TRIGGER when the diff touches views/assets/src/index.jsx, views/assets/src/hooks/useSlot.js, store/index.js, router/routeRegistry.js, or any file under @components/common that is re-exported via window.PM. Also TRIGGER when the user mentions Pro, asks 'will this break Pro', or invokes /free-pro-contract-check.

2026-05-13223

release-checklist.md

from "weDevsOfficial/wp-project-manager"

Pre-flight checklist before tagging a WP Project Manager release. Verifies version bumps, build, lint, POT regeneration, dist contents, changelog, readme stable tag, and Pro/Free compatibility. TRIGGER when the user says 'release', 'cut a release', 'ship it', 'prepare release', invokes /release-checklist, or mentions bumping the plugin version. Do NOT trigger for development builds.

2026-05-13223

package.json

"author": "weDevsOfficial"

"repository": "weDevsOfficial/wp-project-manager"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name

security-review

description

WP Project Manager Security Review

Scope

Workflow

Determine diff scope.
- If a PR is named, gh pr diff <N>.
- Else git --no-pager diff HEAD.
- List changed files; for any in the high-risk paths below, read the FULL file (not just hunks).
High-risk paths (always read in full when changed):
- routes/*.php — endpoint surface
- core/Permissions/*.php — authz
- db/Create_Table.php, db/migrations/* — schema
- src/*/Controllers/*.php — request handling
- bootstrap/loaders.php — SVG sanitization, plugin boot
- views/assets/src/hooks/useApi.js — auth wiring
- views/assets/src/index.jsx — window.PM exposure
- Anything mentioning wp_send_json, dangerouslySetInnerHTML, $wpdb->query, eval, unserialize, file_get_contents, wp_remote_*
Check each issue. For every finding: file:line — [SEVERITY] threat — remediation.

Authz / permission

Every route in routes/*.php chains ->permission([...]) with a class from core/Permissions/.
For mutation routes (POST/PUT/DELETE): the permission must check the resource owner / project membership (Access_Project, Edit_Task, etc.), not just Authentic.
New permission classes return strict bool from can().
No current_user_can inlined in controllers as the only gate (it bypasses the router's chain and is easy to miss).
is_admin request param is a hint, NOT a trust boundary — never make decisions based solely on it.

Input sanitization

All $request->get_param(...) results sanitized before SQL/output:
- sanitize_text_field for plain text
- intval / absint for IDs and integers
- wp_kses_post for rich text (comments, task descriptions)
- esc_url_raw for URLs
- sanitize_email for emails
wp_unslash before sanitizing $_POST / $_REQUEST.
Arrays sanitized recursively — array_map('intval', $ids), not a bare assignment.

SQL injection

Eloquent: bindings cover it. Flag raw concatenation into whereRaw.
$wpdb->query / $wpdb->get_var / $wpdb->get_results: MUST use $wpdb->prepare with placeholders for any variable.
Migration ALTER statements may be raw — verify the schema string is a literal, not interpolated user data.

XSS

Backend: PHP-rendered templates (views/emails/, views/project-switch/) must escape every echo: esc_html, esc_attr, esc_url, wp_kses_post.
Frontend:
- dangerouslySetInnerHTML ONLY when wrapped in sanitizeHtml from @lib/sanitize (DOMPurify-based).
- Pusher notification handler (index.jsx) strips inline style="…" and sanitizes — match that pattern.
- No eval, no new Function, no document.write.

CSRF / nonce

Frontend: useApi.js injects X-WP-Nonce: PM_Vars.permission. Custom fetch callers must also include it.
Backend: nonce verified by the router. If a new code path bypasses the router (e.g., add_action('wp_ajax_*')), it MUST verify nonce explicitly.

File uploads / SVG

SVG sanitization wired via bootstrap/loaders.php :: wedevs_pm_clean_svg(). Any new upload path must funnel through wp_check_filetype_and_ext or call the sanitizer directly.
File path handling: never concatenate user input into a filesystem path; use wp_unique_filename, wp_check_filetype, path_join with WP_CONTENT_DIR.

Secrets in client

The React bundle is public. Anything in PM_Vars is public.
Flag any API keys / tokens that look like they're being injected into PM_Vars. AI/integration tokens (OpenAI, GitHub, Notion, Loom) must stay server-side and be referenced by ID, not value.

Third-party preview APIs

src/GitHub/, src/Loom/, src/Notion/, src/Trello/ make outbound calls.
Always wp_remote_get/wp_remote_post with sslverify => true, sane timeout.
Validate the response shape before rendering — never pipe a third-party URL into <a href> or <img src> without esc_url/sanitize_url.

Window.PM exposure

window.PM is intentionally public — Pro needs it. But avoid exposing:
- Direct DB connection refs
- Internal helpers that mutate state without the same authz as the API path
- Anything that lets callers bypass useApi.js's nonce/is_admin injection

Mass assignment / overposting

Eloquent $fillable lists must not include privileged fields (is_admin, capability flags, internal status fields).
update($request->all()) is a smell — always update($validated_fields_only).

Output of error details

Don't return stack traces / Eloquent error messages to clients. Wrap in WP_Error with a generic message; log details server-side.

Open redirects

Any wp_safe_redirect target derived from $_REQUEST must be validated against wp_validate_redirect.

Severity guide

CRITICAL — authz bypass, unauthed RCE/SQLi/XSS, secret leak in bundle.
HIGH — XSS requiring auth, CSRF on mutation, missing nonce, mass assignment.
MEDIUM — missing sanitization without confirmed sink, weak validation, missing rate limit.
LOW — defense-in-depth, hardening suggestions, missing helmet-equivalent headers.

Output format

## Security review of <branch | PR #N>

### Critical
- file:line — [CRITICAL] ... — fix: ...

### High
- file:line — [HIGH] ... — fix: ...

### Medium / Low
- ...

### Clean areas
- ...

Gotchas specific to this codebase

PM_Vars.permission (not .nonce) is the nonce. Don't "fix" it.
is_admin is a request param, NOT a permission boundary.
The custom router is in core/Router/ — WP REST API security advice doesn't always map cleanly. The router enforces nonce; new code that bypasses it loses that protection.
compatibility-checker.php is legacy admin-notice code; don't add new public surface there.

security-review

WP Project Manager Security Review

Scope

Workflow

Authz / permission

Input sanitization

SQL injection

XSS

CSRF / nonce

File uploads / SVG

Secrets in client

Third-party preview APIs

Window.PM exposure

Mass assignment / overposting

Output of error details

Open redirects

Severity guide

Output format

Gotchas specific to this codebase

同仓库更多 Skills

同仓库更多 Skills

WP Project Manager Security Review

Scope

Workflow

Authz / permission

Input sanitization

SQL injection

XSS

CSRF / nonce

File uploads / SVG

Secrets in client

Third-party preview APIs

Window.PM exposure

Mass assignment / overposting

Output of error details

Open redirects

Severity guide

Output format

Gotchas specific to this codebase