Feature/domain skill/netsparkercloud invicti api skill#490
Feature/domain skill/netsparkercloud invicti api skill#490marcellodesales wants to merge 2 commits into
Conversation
⛔ Skill review blockedAn automated security review found 1 finding(s) across 1 file(s).
Skill authorship is restricted to maintainers. Please do not attempt to self-fix — a maintainer will review and follow up. |
There was a problem hiding this comment.
3 issues found across 4 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="agent-workspace/agent_helpers.py">
<violation number="1" location="agent-workspace/agent_helpers.py:37">
P2: The early return in `_invicti_maybe_load_env()` skips loading `INVICTI_BASE_URL` from `.env` files whenever `INVICTI_USER_ID` and `INVICTI_TOKEN` are already present in the environment. Because the inner loop only calls `os.environ.setdefault`, it is already safe to run without the early return—it will never overwrite existing environment variables. Removing this guard allows users to supply credentials via shell/CI while still picking up `INVICTI_BASE_URL` from a scoped `.env` file, avoiding silent fallback to the hardcoded cloud host.</violation>
<violation number="2" location="agent-workspace/agent_helpers.py:193">
P2: `invicti_paged_list` silently swallows unexpected response shapes by returning an empty `items` list and a minimal `meta` dict. If the API changes its wrapper schema or a caller passes a non-list endpoint, downstream consumers (`invicti_website_search`, `invicti_issues_sample`, etc.) receive empty results with no clear failure signal, making API regressions hard to detect. Consider raising a descriptive error when the response does not match the expected list shapes so callers fail fast instead of proceeding with misleading empty data.</violation>
</file>
<file name="domain-skills/invicti/invicti-api-verification.md">
<violation number="1" location="domain-skills/invicti/invicti-api-verification.md:14">
P1: The instructions for collecting datasets use many `/api/1.0/.../list` endpoints, but they omit pagination guidance. Invicti list endpoints paginate with `page` and `pageSize` query parameters (default `pageSize: 20`, max `200`). Responses include pagination metadata such as `HasNextPage` and `List`. Without iterating through pages, consumers will fetch only the first page and produce incomplete summaries, which also corrupts the downstream joins and correlations described in this doc. Consider adding a note about pagination parameters and how to iterate through result pages before summarizing and correlating data.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
|
|
||
| ## Humans | ||
| - Current user: `GET /api/1.0/account/me` | ||
| - Teams: `GET /api/1.0/team/list` |
There was a problem hiding this comment.
P1: The instructions for collecting datasets use many /api/1.0/.../list endpoints, but they omit pagination guidance. Invicti list endpoints paginate with page and pageSize query parameters (default pageSize: 20, max 200). Responses include pagination metadata such as HasNextPage and List. Without iterating through pages, consumers will fetch only the first page and produce incomplete summaries, which also corrupts the downstream joins and correlations described in this doc. Consider adding a note about pagination parameters and how to iterate through result pages before summarizing and correlating data.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At domain-skills/invicti/invicti-api-verification.md, line 14:
<comment>The instructions for collecting datasets use many `/api/1.0/.../list` endpoints, but they omit pagination guidance. Invicti list endpoints paginate with `page` and `pageSize` query parameters (default `pageSize: 20`, max `200`). Responses include pagination metadata such as `HasNextPage` and `List`. Without iterating through pages, consumers will fetch only the first page and produce incomplete summaries, which also corrupts the downstream joins and correlations described in this doc. Consider adding a note about pagination parameters and how to iterate through result pages before summarizing and correlating data.</comment>
<file context>
@@ -0,0 +1,35 @@
+
+## Humans
+- Current user: `GET /api/1.0/account/me`
+- Teams: `GET /api/1.0/team/list`
+- Roles: `GET /api/1.0/roles/list`
+- Members: `GET /api/1.0/members/list`
</file context>
| meta = {"TotalItemCount": len(items), "nonPaged": True} | ||
| break | ||
|
|
||
| meta = {"shape": type(data).__name__} |
There was a problem hiding this comment.
P2: invicti_paged_list silently swallows unexpected response shapes by returning an empty items list and a minimal meta dict. If the API changes its wrapper schema or a caller passes a non-list endpoint, downstream consumers (invicti_website_search, invicti_issues_sample, etc.) receive empty results with no clear failure signal, making API regressions hard to detect. Consider raising a descriptive error when the response does not match the expected list shapes so callers fail fast instead of proceeding with misleading empty data.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At agent-workspace/agent_helpers.py, line 193:
<comment>`invicti_paged_list` silently swallows unexpected response shapes by returning an empty `items` list and a minimal `meta` dict. If the API changes its wrapper schema or a caller passes a non-list endpoint, downstream consumers (`invicti_website_search`, `invicti_issues_sample`, etc.) receive empty results with no clear failure signal, making API regressions hard to detect. Consider raising a descriptive error when the response does not match the expected list shapes so callers fail fast instead of proceeding with misleading empty data.</comment>
<file context>
@@ -5,3 +5,359 @@
+ meta = {"TotalItemCount": len(items), "nonPaged": True}
+ break
+
+ meta = {"shape": type(data).__name__}
+ break
+
</file context>
| This additionally supports a domain-scoped env file at domain-skills/invicti/.env. | ||
| """ | ||
|
|
||
| if os.environ.get("INVICTI_USER_ID") and os.environ.get("INVICTI_TOKEN"): |
There was a problem hiding this comment.
P2: The early return in _invicti_maybe_load_env() skips loading INVICTI_BASE_URL from .env files whenever INVICTI_USER_ID and INVICTI_TOKEN are already present in the environment. Because the inner loop only calls os.environ.setdefault, it is already safe to run without the early return—it will never overwrite existing environment variables. Removing this guard allows users to supply credentials via shell/CI while still picking up INVICTI_BASE_URL from a scoped .env file, avoiding silent fallback to the hardcoded cloud host.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At agent-workspace/agent_helpers.py, line 37:
<comment>The early return in `_invicti_maybe_load_env()` skips loading `INVICTI_BASE_URL` from `.env` files whenever `INVICTI_USER_ID` and `INVICTI_TOKEN` are already present in the environment. Because the inner loop only calls `os.environ.setdefault`, it is already safe to run without the early return—it will never overwrite existing environment variables. Removing this guard allows users to supply credentials via shell/CI while still picking up `INVICTI_BASE_URL` from a scoped `.env` file, avoiding silent fallback to the hardcoded cloud host.</comment>
<file context>
@@ -5,3 +5,359 @@
+ This additionally supports a domain-scoped env file at domain-skills/invicti/.env.
+ """
+
+ if os.environ.get("INVICTI_USER_ID") and os.environ.get("INVICTI_TOKEN"):
+ return
+
</file context>
🎉 New Domain SKill
Summary by cubic
Adds a new Invicti (Netsparker Cloud) domain skill with read-focused API helpers to query websites, scheduled scans, and issues. Includes docs and a verification guide for safe Swagger-driven exploration.
New Features
agent-workspace/agent_helpers.pyfor auth, paging, website resolution, scheduled scans, and issues (counts and samples).domain-skills/invicti/invicit-api/SKILL.mdwith auth setup, common workflows, and endpoint references.invicti-api-verification.mdand a reference screenshot for read-only validation.Migration
INVICTI_USER_IDandINVICTI_TOKEN(optionalINVICTI_BASE_URL)..envsupported at repo root,agent-workspace/.env, ordomain-skills/invicti/.env.invicti_get,invicti_paged_list,invicti_schedules_for_website, andinvicti_issue_countsfor read-only queries.Written for commit 4e911a4. Summary will update on new commits.