crypto-audit
Crypto Audit
This skill performs static code analysis for cryptographic vulnerabilities across JavaScript/TypeScript, Python, Go, Java, and Rust projects. It identifies 12 common crypto anti-patterns — weak algorithms, hardcoded keys, insecure randomness, insufficient key sizes, and more — mapping each finding to CWE and OWASP Top 10:2021 standards with concrete UNSAFE/SAFE code pairs for remediation.
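As an added illustration of the detect / map / remediate shape described above (example code written for this page, not the skill's own rule set or output), the Python sketch below runs a handful of hypothetical regex rules over constructed sample files, tags each hit with a CWE identifier and the OWASP Top 10:2021 category A02 (Cryptographic Failures), and attaches an UNSAFE/SAFE pair to every rule. The rule names, patterns, sample files and remediation snippets are all assumptions made for the example; only the CWE and OWASP identifiers are standard ones.

```python
"""Toy crypto anti-pattern scanner: regex rules -> CWE/OWASP mapping -> UNSAFE/SAFE pair.
Illustrative code added for this page; the rule set is hypothetical, not the skill's own."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    cwe: str
    owasp: str
    unsafe: str  # constructed one-line UNSAFE example the rule must flag
    safe: str    # constructed SAFE replacement the rule must not flag


# Hypothetical rules covering six of the anti-pattern classes the skill lists.
RULES = [
    Rule("weak-hash", re.compile(r"\b(?:md5|sha-?1)\b", re.I), "CWE-328", "A02:2021",
         'hashlib.md5(password.encode()).hexdigest()',
         'hashlib.scrypt(password.encode(), salt=os.urandom(16), n=2**14, r=8, p=1)'),
    Rule("weak-cipher", re.compile(r"\b(?:DES|3DES|RC4|ECB)\b"), "CWE-327", "A02:2021",
         'Cipher.getInstance("DES/ECB/PKCS5Padding")',
         'Cipher.getInstance("AES/GCM/NoPadding")'),
    Rule("hardcoded-key",
         re.compile(r"\b(?:key|secret|iv)\s*[:=]\s*[\"'][^\"']{8,}[\"']", re.I),
         "CWE-321", "A02:2021",
         'key = "0123456789abcdef"',
         'key = os.environ["APP_KEY"]  # or load it from a KMS / secret store'),
    Rule("insecure-random",
         re.compile(r"\bMath\.random\(|\brandom\.(?:random|randint|choice)\(|\bnew Random\("),
         "CWE-338", "A02:2021",
         'token = Math.random().toString(36)',
         'token = crypto.randomBytes(32).toString("hex")'),
    Rule("weak-key-size",
         re.compile(r"\b(?:rsa|key_size|keysize)\b[^;\n]{0,40}?\b(?:512|1024)\b", re.I),
         "CWE-326", "A02:2021",
         'rsa.generate_private_key(public_exponent=65537, key_size=1024)',
         'rsa.generate_private_key(public_exponent=65537, key_size=3072)'),
    Rule("deprecated-tls",
         re.compile(r"(?:SSLv[23]|TLSv1(?:[._]?[01])?)(?![._]?[2-9])|\bVersionTLS1[01]\b"),
         "CWE-327", "A02:2021",
         'tls.Config{MinVersion: tls.VersionTLS10}',
         'tls.Config{MinVersion: tls.VersionTLS12}'),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule_id: str
    cwe: str
    owasp: str
    snippet: str


def scan_source(path: str, source: str) -> list[Finding]:
    """Apply every rule to every line; one finding per (line, rule) hit."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(text):
                findings.append(Finding(path, lineno, rule.rule_id, rule.cwe, rule.owasp, text.strip()))
    return findings


def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for path, src in files.items() for f in scan_source(path, src)]


def remediation(rule_id: str) -> tuple[str, str]:
    """UNSAFE/SAFE pair to print next to a finding."""
    rule = next(r for r in RULES if r.rule_id == rule_id)
    return rule.unsafe, rule.safe


def self_check() -> bool:
    """Each rule must flag its own UNSAFE line and stay silent on its SAFE line;
    this is the minimum regression test a rule set like this needs."""
    return all(r.pattern.search(r.unsafe) and not r.pattern.search(r.safe) for r in RULES)


# Constructed sample files for the demo, not taken from any real project.
SAMPLES = {
    "settings.py": 'import hashlib\nSECRET = "supersecretvalue123"\ndigest = hashlib.md5(data).hexdigest()\n',
    "auth.js": 'const token = Math.random().toString(36).slice(2);\n',
    "Crypto.java": 'Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");\nrsa.initialize(1024);\n',
    "server.go": 'cfg := &tls.Config{MinVersion: tls.VersionTLS10}\n',
}

if __name__ == "__main__":
    assert self_check()
    for f in scan_all(SAMPLES):
        unsafe, safe = remediation(f.rule_id)
        print(f"{f.path}:{f.line} [{f.rule_id}] {f.cwe} / OWASP {f.owasp}")
        print(f"  {f.snippet}\n  UNSAFE: {unsafe}\n  SAFE:   {safe}")
```

Line-oriented regexes are enough to show the idea but will also fire on comments and string literals and will miss anything split across lines (the `weak-key-size` rule, for instance, needs the algorithm name and the size on the same line); a production rule set needs language-aware parsing, and the `self_check` habit of keeping an UNSAFE/SAFE pair per rule is what keeps such rules honest as they are tuned.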
When to Use
- When the user asks to "audit crypto", "review cryptographic code", or "check for weak encryption"
- When the user mentions "crypto audit", "cryptographic review", or "insecure crypto"
- When scanning code that imports cryptographic libraries (e.g., crypto, hashlib, javax.crypto, crypto/tls)
- When reviewing code for compliance with cryptographic standards (FIPS, PCI-DSS)
- When a pull request modifies encryption, hashing, TLS configuration, or key management code
- When the user asks about "hardcoded keys", "weak hashing", "insecure random", or "deprecated TLS"
When NOT to Use
More from kalshamsi/claude-security-skills
pci-dss-audit
Use when auditing code for PCI-DSS v4.0 compliance, reviewing cardholder data handling, checking credit-card storage and transmission, hunting PAN logging, or answering "is this code PCI-compliant?".
socket-sca
Supply chain analysis via Socket.dev CLI. Use when asked to scan dependencies for supply chain risks, run Socket SCA, audit npm/pip packages, detect typosquatting, or find malicious dependencies.
bandit-sast
Use when scanning Python code for security vulnerabilities, running Bandit, performing Python SAST, auditing Python security bugs, or reviewing Python source for injection, weak crypto, or insecure deserialization.
security-headers-audit
Use when reviewing HTTP security headers, checking a Content-Security-Policy, auditing CORS or HSTS configuration, evaluating X-Frame-Options or Permissions-Policy, inspecting header middleware, or hardening a web application's response headers.
devsecops-pipeline
Generate GitHub Actions security CI/CD pipelines. Use when asked to generate security pipeline, DevSecOps workflow, CI/CD security, GitHub Actions security, create security workflow, add security scanning to CI, or set up automated security checks.
security-test-generator
Use when writing security tests for a web application, building a vulnerability regression suite, creating pentest-style automated tests, generating runnable injection/XSS/auth test code, or adding security coverage to an existing test suite.