detecting-weak-cryptography
Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".
What this skill does
# Detecting Weak Cryptography
## Overview
Weak cryptography (CWE-327 Use of a Broken or Risky Cryptographic
Algorithm, CWE-330 Use of Insufficiently Random Values) shows up
when engineers use the convenient API instead of the cryptographic
one. `hashlib.md5(password)` is faster to type than the correct
bcrypt/argon2 invocation; `Math.random()` returns a number quickly
without needing to know about `crypto.randomBytes()`.
The fix is universal: use the modern primitive. SHA-256 for general
hashing, bcrypt/argon2/scrypt for passwords, AES-GCM for encryption,
HMAC-SHA256 for signing, `secrets` / `crypto.randomBytes` /
`SecureRandom` for randomness.
## When the skill produces findings
| Finding | Severity | Threshold | Affected control |
|---|---|---|---|
| MD5 used in security context | **HIGH** | hashlib.md5, MessageDigest.MD5, CryptoJS.MD5 | CWE-327 |
| SHA-1 used in security context | **HIGH** | hashlib.sha1, etc. | CWE-327 |
| DES / 3DES cipher | **CRITICAL** | DESCrypto, "DES/CBC", "DESede" | CWE-327 |
| RC4 cipher | **CRITICAL** | "ARC4", "RC4" | CWE-327 |
| AES ECB mode | **CRITICAL** | "AES/ECB" or `MODE_ECB` | CWE-327 |
| Hardcoded IV (initialization vector) | **CRITICAL** | IV literal in source | CWE-329 |
| Custom XOR-based "encryption" | **CRITICAL** | XOR loop over bytes | CWE-327 |
| Predictable random for crypto seed | **CRITICAL** | Math.random / java.util.Random / random.random for keys | CWE-330 |
| TLS cert verification disabled | **CRITICAL** | verify=False, rejectUnauthorized:false, ServerCertificateValidationCallback returning true | CWE-295 |
| Hardcoded HMAC secret | **HIGH** | Long literal in HMAC constructor | CWE-321 |
| Insecure password hashing (no salt, no KDF) | **CRITICAL** | hashlib.sha256(password) without bcrypt/argon2 | CWE-916 |
## Prerequisites
- Python 3.9+
- Source tree on local filesystem
## Instructions
### Run
```bash
python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py /path/to/repo
```
Options: `--output`, `--format`, `--min-severity`, `--include-tests`,
`--languages`, `--allow-md5-checksums` (excludes MD5 used in
non-security contexts like content-addressable storage).
### Interpret
CRITICAL = direct cryptographic break available against the
algorithm. CVEs, public attack tools, sometimes pre-computed
tables (rainbow tables for MD5/SHA-1).
HIGH = algorithm collision-broken (MD5, SHA-1) but the specific
use case may tolerate the weakness (file-deduplication checksums,
non-security HMAC). Verify the usage context.
### Remediation
See `references/PLAYBOOK.md` for per-primitive migration. Modern
defaults: SHA-256/SHA-3 for hashing, AES-256-GCM for encryption,
HMAC-SHA-256 for signing, secrets-grade random for keys, bcrypt /
argon2id for password storage.
## Examples
### Pre-merge gate
```bash
python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py \
--min-severity high $(git diff --name-only main...HEAD | tr '\n' ' ')
```
### CI
```yaml
- name: Weak-crypto scan
run: |
python3 plugins/security/penetration-tester/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py \
. --min-severity high
```
## Output
JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.
## Error Handling
False positives common on:
- MD5 used for content-addressable storage (caches, content hashes)
where collision resistance against ATTACKERS isn't needed — use
`--allow-md5-checksums`.
- HMAC-MD5 — broken against adversaries but acceptable as an
integrity check inside a TLS session where the channel is
already authenticated.
Verify each finding by reading whether the algorithm's failure
mode (collision, preimage, etc.) is actually exploitable in
context.
## Resources
- `references/THEORY.md` — Per-primitive attack model (why MD5 /
SHA-1 are collision-broken, why ECB leaks structure, why
Math.random is non-crypto-grade)
- `references/PLAYBOOK.md` — Per-language modern-crypto recipes
(Python cryptography library, Node crypto, Java JCA with
modern algorithms, Go crypto/rand + crypto/cipher AEAD)
Related in Backend & APIs
jfrog
IncludedInteract with the JFrog Platform via the JFrog CLI and REST/GraphQL APIs. Use this skill when the user wants to manage Artifactory repositories, upload or download artifacts, manage builds, configure permissions, manage users and groups, work with access tokens, configure JFrog CLI servers, search artifacts, manage properties, set up replication, manage JFrog Projects, run security audits or scans, look up CVE details, query exposures scan results from JFrog Advanced Security, manage release bundles and lifecycle operations, aggregate or export platform data, or perform any JFrog Platform administration task. Also use when the user mentions jf, jfrog, artifactory, xray, distribution, evidence, apptrust, onemodel, graphql, workers, mission control, curation, advanced security, exposures, or any JFrog product name.
cupynumeric-migration-readiness
IncludedPre-migration readiness assessor for porting NumPy to cuPyNumeric. Use BEFORE substantial porting work begins when the user asks whether code will scale on GPU, whether they should migrate to cuPyNumeric, which NumPy patterns transfer cleanly, what must be refactored before porting, or mentions pre-port assessment, scaling analysis, or refactor planning. Inspect the user's source code, look up NumPy usage, cross-reference the cuPyNumeric API support manifest, and distinguish distributed-scaling-friendly patterns from blockers such as unsupported APIs, scalar synchronization, host round-trips, Python/object-heavy control flow, shape/data-dependent branching, and in-place mutation hazards. Produce a verdict of READY, LIGHT REFACTOR, SIGNIFICANT REFACTOR, or NOT RECOMMENDED, with concrete refactor pointers.
alibabacloud-data-agent-skill
IncludedInvoke Alibaba Cloud Apsara Data Agent for Analytics via CLI to perform natural language-driven data analysis on enterprise databases. Data Agent for Analytics is an intelligent data analysis agent developed by Alibaba Cloud Database team for enterprise users. It automatically completes requirement analysis, data understanding, analysis insights, and report generation based on natural language descriptions. This tool supports: discovering data resources (instances/databases/tables) managed in DMS, initiating query or deep analysis sessions, real-time progress tracking, and retrieving analysis conclusions and generated reports. Use this Skill when users need to query databases, analyze data trends, generate data reports, ask questions in natural language, or mention "Data Agent", "data analysis", "database query", "SQL analysis", "data insights".
token-optimizer
IncludedReduce OpenClaw token usage and API costs through smart model routing, heartbeat optimization, budget tracking, and native 2026.2.15 features (session pruning, bootstrap size limits, cache TTL alignment). Use when token costs are high, API rate limits are being hit, or hosting multiple agents at scale. The 4 executable scripts (context_optimizer, model_router, heartbeat_optimizer, token_tracker) are local-only — no network requests, no subprocess calls, no system modifications. Reference files (PROVIDERS.md, config-patches.json) document optional multi-provider strategies that require external API keys and network access if you choose to use them. See SECURITY.md for full breakdown.
resend-cli
IncludedUse this skill when the task is specifically about operating Resend from an AI agent, terminal session, or CI job via the official resend CLI: installing/authenticating the CLI, sending/listing/updating/cancelling emails, batch sends, domains and DNS, webhooks and local listeners, inbound receiving, contacts, topics, segments, broadcasts, templates, API keys, profiles, or debugging Resend CLI/API failures. Trigger on mentions of Resend CLI, `resend`, `resend doctor`, `resend emails send`, `resend domains`, `resend webhooks listen`, `resend emails receiving`, or agent-friendly terminal automation.
alibabacloud-odps-maxframe-coding
IncludedUse this skill for MaxFrame SDK development and documentation navigation on Alibaba Cloud MaxCompute (ODPS). Helps answer MaxFrame API, concept, official example, and supported pandas API questions; create data processing programs; read/write MaxCompute tables; debug jobs (remote or local); and build custom DPE runtime images. Trigger when users mention MaxFrame, MaxCompute with MaxFrame, ODPS table processing, DPE runtime, MaxFrame docs/examples, DataFrame/Tensor operations, or GPU runtime setup. Works for both English and Chinese queries about Alibaba Cloud data processing with MaxFrame.