بنقرة واحدة
sc-crypto
Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
استنادا إلى تصنيف SOC المهني
| name | sc-crypto |
| description | Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects cryptographic implementation errors including use of weak algorithms (MD5, SHA1 for security), insecure cipher modes (ECB), static or hardcoded initialization vectors, missing authentication (AES-CBC without HMAC), weak pseudo-random number generators for security purposes, insufficient key lengths, and disabled certificate validation.
Called by sc-orchestrator during Phase 2. Always runs.
# Weak algorithms
"MD5", "md5", "SHA1", "sha1", "DES", "3DES", "RC4", "RC2",
"Blowfish", "IDEA"
# Cipher modes
"ECB", "CBC", "AES/ECB", "AES/CBC", "Mode.ECB"
# Initialization vectors
"iv =", "IV =", "nonce =", "static.*iv", "hardcoded.*iv",
"bytes(16)", "b'\\x00' * 16"
# Weak PRNG
"Math.random(", "random.random(", "random.randint(",
"rand()", "srand(", "java.util.Random", "System.Random"
# Key management
"key =", "encryption_key", "secret_key",
"AES.new(", "Cipher.getInstance(", "crypto.createCipheriv("
# TLS/SSL
"verify=False", "verify_ssl=False", "rejectUnauthorized: false",
"InsecureSkipVerify", "TLSv1", "SSLv3",
"CERT_NONE", "CERT_OPTIONAL"
1. Weak Hash for Security:
# VULNERABLE: MD5 for password hashing
password_hash = hashlib.md5(password.encode()).hexdigest()
# VULNERABLE: SHA1 for signature verification
signature = hashlib.sha1(data.encode()).hexdigest()
# SAFE: SHA-256+ for signatures, bcrypt/argon2 for passwords
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
signature = hashlib.sha256(data.encode()).hexdigest()
2. ECB Mode:
// VULNERABLE: ECB mode reveals patterns in encrypted data
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
// SAFE: GCM mode (authenticated encryption)
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
3. Static IV:
// VULNERABLE: Hardcoded IV
const iv = Buffer.from('0000000000000000');
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
// SAFE: Random IV per encryption
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
4. Weak PRNG for Security:
// VULNERABLE: Math.random for security tokens
const token = Math.random().toString(36).substring(2);
// SAFE: Cryptographic random
const token = crypto.randomBytes(32).toString('hex');
5. Disabled Certificate Validation:
# VULNERABLE: Disabling SSL verification
requests.get(url, verify=False)
# SAFE
requests.get(url, verify=True) # Default