Does it support Infrastructure as Code (IaC)?

Yes, the skill is designed to review deployment files, Docker configurations, and IaC templates alongside source code for comprehensive security coverage.

Can it detect hardcoded passwords and API keys?

Yes, it uses advanced search patterns to find hardcoded credential pairs and fallback secrets that could be exploited if environment variables are missing.

How does this skill distinguish between dev and prod vulnerabilities?

The skill analyzes file paths and context, intentionally ignoring test fixtures, documentation examples, and development-only tools to focus on code that impacts production.

What is the difference between fail-open and fail-secure?

Fail-open allows an app to run with insecure defaults when config is missing, while fail-secure causes the app to crash or refuse to start until a secure configuration is provided.

What happens when a potential vulnerability is found?

The skill follows a workflow to verify the code path, confirm if the issue reaches production, and provides a detailed report including location, pattern, and exploitation impact.

Insecure Defaults Detector

Name: Insecure Defaults Detector
Author: monmacllcapp

bymonmacllcapp

0•

Security & Testing

Audits codebase for fail-open security vulnerabilities and weak default configurations that risk production exposure.

The Insecure Defaults skill empowers Claude to identify critical security flaws where applications fallback to unsafe settings when configuration is missing. It scans for hardcoded secrets, weak authentication flags, permissive CORS policies, and outdated cryptographic algorithms, specifically distinguishing between exploitable 'fail-open' patterns and safe 'fail-secure' behaviors. This skill is essential for performing deep security audits, reviewing Infrastructure as Code (IaC), and ensuring production environments remain hardened against unauthorized access by tracing code paths to confirm real-world impact.

Key Features

01Detects 'fail-open' fallbacks for environment variables and secrets

02Differentiates between production-critical vulnerabilities and safe test/dev environments

03Identifies permissive access controls like open CORS or insecure file permissions

04Scans for hardcoded credentials and weak default authentication settings

05Flags outdated or weak cryptographic algorithms in security-sensitive contexts

060 GitHub stars

Use Cases

01Analyzing legacy codebases for outdated cryptographic practices and weak defaults

02Reviewing CI/CD and Docker configuration files for hardcoded secrets

03Conducting pre-deployment security audits for web applications and APIs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add monmacllcapp/skill-forks insecure-defaults

For use in Claude.ai and ChatGPT

Key Features

01Detects 'fail-open' fallbacks for environment variables and secrets

02Differentiates between production-critical vulnerabilities and safe test/dev environments

03Identifies permissive access controls like open CORS or insecure file permissions

04Scans for hardcoded credentials and weak default authentication settings

05Flags outdated or weak cryptographic algorithms in security-sensitive contexts

060 GitHub stars

Use Cases

01Analyzing legacy codebases for outdated cryptographic practices and weak defaults

02Reviewing CI/CD and Docker configuration files for hardcoded secrets

03Conducting pre-deployment security audits for web applications and APIs