Skip to content

Feature/domain skill/netsparkercloud invicti api skill#490

Open
marcellodesales wants to merge 2 commits into
browser-use:mainfrom
marcellodesales:feature/domain-skill/netsparkercloud-invicti-api-skill
Open

Feature/domain skill/netsparkercloud invicti api skill#490
marcellodesales wants to merge 2 commits into
browser-use:mainfrom
marcellodesales:feature/domain-skill/netsparkercloud-invicti-api-skill

Conversation

@marcellodesales

@marcellodesales marcellodesales commented Jul 6, 2026

Copy link
Copy Markdown

🎉 New Domain SKill

  • How to collect Swagger APIs from the Invicti Netsparkercloud server

Summary by cubic

Adds a new Invicti (Netsparker Cloud) domain skill with read-focused API helpers to query websites, scheduled scans, and issues. Includes docs and a verification guide for safe Swagger-driven exploration.

  • New Features

    • Invicti helpers in agent-workspace/agent_helpers.py for auth, paging, website resolution, scheduled scans, and issues (counts and samples).
    • domain-skills/invicti/invicit-api/SKILL.md with auth setup, common workflows, and endpoint references.
    • invicti-api-verification.md and a reference screenshot for read-only validation.
  • Migration

    • Set INVICTI_USER_ID and INVICTI_TOKEN (optional INVICTI_BASE_URL). .env supported at repo root, agent-workspace/.env, or domain-skills/invicti/.env.
    • Use helpers like invicti_get, invicti_paged_list, invicti_schedules_for_website, and invicti_issue_counts for read-only queries.

Written for commit 4e911a4. Summary will update on new commits.

Review in cubic

@browser-harness-review

Copy link
Copy Markdown

⛔ Skill review blocked

An automated security review found 1 finding(s) across 1 file(s).

  • domain-skills/invicti/invicti-api-verification.pngexcessive_scope

Skill authorship is restricted to maintainers. Please do not attempt to self-fix — a maintainer will review and follow up.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="agent-workspace/agent_helpers.py">

<violation number="1" location="agent-workspace/agent_helpers.py:37">
P2: The early return in `_invicti_maybe_load_env()` skips loading `INVICTI_BASE_URL` from `.env` files whenever `INVICTI_USER_ID` and `INVICTI_TOKEN` are already present in the environment. Because the inner loop only calls `os.environ.setdefault`, it is already safe to run without the early return—it will never overwrite existing environment variables. Removing this guard allows users to supply credentials via shell/CI while still picking up `INVICTI_BASE_URL` from a scoped `.env` file, avoiding silent fallback to the hardcoded cloud host.</violation>

<violation number="2" location="agent-workspace/agent_helpers.py:193">
P2: `invicti_paged_list` silently swallows unexpected response shapes by returning an empty `items` list and a minimal `meta` dict. If the API changes its wrapper schema or a caller passes a non-list endpoint, downstream consumers (`invicti_website_search`, `invicti_issues_sample`, etc.) receive empty results with no clear failure signal, making API regressions hard to detect. Consider raising a descriptive error when the response does not match the expected list shapes so callers fail fast instead of proceeding with misleading empty data.</violation>
</file>

<file name="domain-skills/invicti/invicti-api-verification.md">

<violation number="1" location="domain-skills/invicti/invicti-api-verification.md:14">
P1: The instructions for collecting datasets use many `/api/1.0/.../list` endpoints, but they omit pagination guidance. Invicti list endpoints paginate with `page` and `pageSize` query parameters (default `pageSize: 20`, max `200`). Responses include pagination metadata such as `HasNextPage` and `List`. Without iterating through pages, consumers will fetch only the first page and produce incomplete summaries, which also corrupts the downstream joins and correlations described in this doc. Consider adding a note about pagination parameters and how to iterate through result pages before summarizing and correlating data.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic


## Humans
- Current user: `GET /api/1.0/account/me`
- Teams: `GET /api/1.0/team/list`

@cubic-dev-ai cubic-dev-ai Bot Jul 6, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: The instructions for collecting datasets use many /api/1.0/.../list endpoints, but they omit pagination guidance. Invicti list endpoints paginate with page and pageSize query parameters (default pageSize: 20, max 200). Responses include pagination metadata such as HasNextPage and List. Without iterating through pages, consumers will fetch only the first page and produce incomplete summaries, which also corrupts the downstream joins and correlations described in this doc. Consider adding a note about pagination parameters and how to iterate through result pages before summarizing and correlating data.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At domain-skills/invicti/invicti-api-verification.md, line 14:

<comment>The instructions for collecting datasets use many `/api/1.0/.../list` endpoints, but they omit pagination guidance. Invicti list endpoints paginate with `page` and `pageSize` query parameters (default `pageSize: 20`, max `200`). Responses include pagination metadata such as `HasNextPage` and `List`. Without iterating through pages, consumers will fetch only the first page and produce incomplete summaries, which also corrupts the downstream joins and correlations described in this doc. Consider adding a note about pagination parameters and how to iterate through result pages before summarizing and correlating data.</comment>

<file context>
@@ -0,0 +1,35 @@
+
+## Humans
+- Current user: `GET /api/1.0/account/me`
+- Teams: `GET /api/1.0/team/list`
+- Roles: `GET /api/1.0/roles/list`
+- Members: `GET /api/1.0/members/list`
</file context>
Fix with cubic

meta = {"TotalItemCount": len(items), "nonPaged": True}
break

meta = {"shape": type(data).__name__}

@cubic-dev-ai cubic-dev-ai Bot Jul 6, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: invicti_paged_list silently swallows unexpected response shapes by returning an empty items list and a minimal meta dict. If the API changes its wrapper schema or a caller passes a non-list endpoint, downstream consumers (invicti_website_search, invicti_issues_sample, etc.) receive empty results with no clear failure signal, making API regressions hard to detect. Consider raising a descriptive error when the response does not match the expected list shapes so callers fail fast instead of proceeding with misleading empty data.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At agent-workspace/agent_helpers.py, line 193:

<comment>`invicti_paged_list` silently swallows unexpected response shapes by returning an empty `items` list and a minimal `meta` dict. If the API changes its wrapper schema or a caller passes a non-list endpoint, downstream consumers (`invicti_website_search`, `invicti_issues_sample`, etc.) receive empty results with no clear failure signal, making API regressions hard to detect. Consider raising a descriptive error when the response does not match the expected list shapes so callers fail fast instead of proceeding with misleading empty data.</comment>

<file context>
@@ -5,3 +5,359 @@
+            meta = {"TotalItemCount": len(items), "nonPaged": True}
+            break
+
+        meta = {"shape": type(data).__name__}
+        break
+
</file context>
Fix with cubic

This additionally supports a domain-scoped env file at domain-skills/invicti/.env.
"""

if os.environ.get("INVICTI_USER_ID") and os.environ.get("INVICTI_TOKEN"):

@cubic-dev-ai cubic-dev-ai Bot Jul 6, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The early return in _invicti_maybe_load_env() skips loading INVICTI_BASE_URL from .env files whenever INVICTI_USER_ID and INVICTI_TOKEN are already present in the environment. Because the inner loop only calls os.environ.setdefault, it is already safe to run without the early return—it will never overwrite existing environment variables. Removing this guard allows users to supply credentials via shell/CI while still picking up INVICTI_BASE_URL from a scoped .env file, avoiding silent fallback to the hardcoded cloud host.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At agent-workspace/agent_helpers.py, line 37:

<comment>The early return in `_invicti_maybe_load_env()` skips loading `INVICTI_BASE_URL` from `.env` files whenever `INVICTI_USER_ID` and `INVICTI_TOKEN` are already present in the environment. Because the inner loop only calls `os.environ.setdefault`, it is already safe to run without the early return—it will never overwrite existing environment variables. Removing this guard allows users to supply credentials via shell/CI while still picking up `INVICTI_BASE_URL` from a scoped `.env` file, avoiding silent fallback to the hardcoded cloud host.</comment>

<file context>
@@ -5,3 +5,359 @@
+    This additionally supports a domain-scoped env file at domain-skills/invicti/.env.
+    """
+
+    if os.environ.get("INVICTI_USER_ID") and os.environ.get("INVICTI_TOKEN"):
+        return
+
</file context>
Fix with cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant