insecure-defaults
SKILL.md
Insecure Defaults Detection
Finds fail-open vulnerabilities where apps run insecurely with missing configuration. Distinguishes exploitable defaults from fail-secure patterns that crash safely.
- Fail-open (CRITICAL): `SECRET = env.get('KEY') or 'default'` → app runs with a weak secret
- Fail-secure (SAFE): `SECRET = env['KEY']` → app crashes if the variable is missing
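An added example, not part of the original skill file: a small Python scanner that applies the fail-open/fail-secure distinction above to source lines, rating a fallback on a secret-looking name as CRITICAL and a fallback on anything else as LOW. The regex patterns, the sensitive-name list and the sample input are all constructed for illustration, not taken from any real project.

```python
import re
from typing import List, Optional, Tuple

# Fail-open patterns: a fallback value is supplied when the variable is absent,
# so the app keeps running with the default instead of failing.
FAIL_OPEN = [
    re.compile(r"""env(?:iron)?\.get\(\s*['"](\w+)['"]\s*,\s*['"][^'"]*['"]\s*\)"""),
    re.compile(r"""env(?:iron)?\.get\(\s*['"](\w+)['"]\s*\)\s*or\s+['"][^'"]*['"]"""),
    re.compile(r"""getenv\(\s*['"](\w+)['"]\s*,\s*['"][^'"]*['"]\s*\)"""),
    re.compile(r"""getenv\(\s*['"](\w+)['"]\s*\)\s*or\s+['"][^'"]*['"]"""),
]
# Fail-secure pattern: a direct subscript raises KeyError when the variable is missing.
FAIL_SECURE = [re.compile(r"""env(?:iron)?\[\s*['"](\w+)['"]\s*\]""")]
# Constructed heuristic: names that suggest a secret make a weak default CRITICAL.
SENSITIVE = re.compile(r"SECRET|KEY|TOKEN|PASS|CRED|SALT", re.I)

def classify_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (category, variable name, severity), or None if no env read is found."""
    for pat in FAIL_OPEN:
        m = pat.search(line)
        if m:
            name = m.group(1)
            severity = "CRITICAL" if SENSITIVE.search(name) else "LOW"
            return ("fail-open", name, severity)
    for pat in FAIL_SECURE:
        m = pat.search(line)
        if m:
            return ("fail-secure", m.group(1), "SAFE")
    return None

def scan(source: str) -> List[dict]:
    """Scan source text and report every env read with its line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        result = classify_line(line)
        if result:
            category, name, severity = result
            findings.append({"line": lineno, "var": name, "category": category, "severity": severity})
    return findings

# Constructed sample source; the values are placeholders, not real credentials.
SAMPLE = """\
import os
SECRET = env.get('KEY') or 'default'
JWT_SECRET = os.environ.get("JWT_SECRET", "changeme")
DB_PASS = os.environ['DB_PASS']
LOG_LEVEL = os.getenv('LOG_LEVEL', 'info')
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `.get()` call with no fallback and no `or` is reported by neither list; it returns `None` and needs manual review of whether the value is validated before use.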
When to Use
- Security audits of production applications (auth, crypto, API security)
- Configuration review of deployment files, IaC templates, Docker configs
- Code review of environment variable handling and secrets management
- Pre-deployment checks for hardcoded credentials or weak defaults