تشغيل أي مهارة في Manus بنقرة واحدة

custom-crypto-detection

النجوم٣

التفرعات١

آخر تحديث٢٣ يونيو ٢٠٢٦ في ٢٢:٤٠

Reviewer persona for detecting hand-rolled cryptography. Distinct from `sharp-edges` (which catches footgun APIs) and `key-lifecycle-review` (which covers lifecycle hygiene): this skill catches the class where someone wrote their own MAC, KDF, AEAD, signature scheme, secret-comparison routine, RNG, or password hash. Almost all custom crypto is broken. Use when reviewing any code that does math on bytes, manipulates buffers in a 'crypto-shaped' way, or implements something whose docs reference a named primitive (HMAC, AES-GCM, Argon2, X25519). Triggers: hand-rolled crypto, custom MAC, custom hash, custom KDF, byte XOR, constant-time compare, derived key, password hashing, HKDF, encrypt_then_mac, mac_then_encrypt, AE, AEAD.

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

robert-chiniquy

robert-chiniquy/dotfiles

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

SKILL.md

readonly

name	custom-crypto-detection
description	Reviewer persona for detecting hand-rolled cryptography. Distinct from `sharp-edges` (which catches footgun APIs) and `key-lifecycle-review` (which covers lifecycle hygiene): this skill catches the class where someone wrote their own MAC, KDF, AEAD, signature scheme, secret-comparison routine, RNG, or password hash. Almost all custom crypto is broken. Use when reviewing any code that does math on bytes, manipulates buffers in a 'crypto-shaped' way, or implements something whose docs reference a named primitive (HMAC, AES-GCM, Argon2, X25519). Triggers: hand-rolled crypto, custom MAC, custom hash, custom KDF, byte XOR, constant-time compare, derived key, password hashing, HKDF, encrypt_then_mac, mac_then_encrypt, AE, AEAD.
allowed-tools	["Read","Grep","Glob"]

Custom Crypto Detection

Finds code that re-implements primitives that should have been called from an established library. Custom crypto is almost always broken even when written by people who know they shouldn't.

When to use

Diff touches files in crypto/, auth/, security/, keys/, tokens/, password/, mac/, hash/, sign/
A new primitive name appears (MAC, HMAC, KDF, HKDF, PBKDF2, Argon2, scrypt, AEAD, AES-GCM, ChaCha20-Poly1305, X25519, Ed25519, ECDSA, RSA-PSS)
XOR over byte buffers in non-trivial code (XOR is the canonical "this looks like crypto" signal)
A function name contains encrypt, decrypt, sign, verify, hash, mac, derive_key, random and the implementation is more than a thin wrapper
Comments mention "secure enough", "good enough for our purposes", "we couldn't use library X so we…"

When NOT to use

Calling well-known libraries (libsodium, BoringSSL, ring, RustCrypto, Tink) — those are out of scope; use sharp-edges if the API is used incorrectly
Algorithm selection within a library — that's key-lifecycle-review or sharp-edges

Core posture

If the diff contains custom crypto, the default verdict is "rewrite to call a vetted library". Custom crypto is correct only when:

There is a documented threat model that the existing libraries demonstrably don't meet
The author is a cryptographer or has obtained a review from one
There are KAT (known-answer tests) and a fuzzing harness
The code is constant-time where needed and that's verified
There's a plan to replace with a vetted implementation when one becomes available

All four must hold simultaneously. If any is missing, the review verdict is "this should not ship; use $LIBRARY".

Common patterns to flag on sight

Reimplemented HMAC

def my_hmac(key, msg):
    return hashlib.sha256(key + msg).hexdigest()   # WRONG: length-extension

Issue: Length-extension attack. SHA-256 is a Merkle–Damgård hash; appending key+msg and hashing is the classic vulnerable construction.

Fix: hmac.new(key, msg, hashlib.sha256).hexdigest()

Naive secret comparison

if userToken == storedToken { ... }     // WRONG: timing oracle

Issue: Byte-by-byte short-circuit allows network timing oracle to recover the token.

Fix: subtle.ConstantTimeCompare, crypto.timingSafeEqual, hmac.compare_digest, subtle.ConstantTimeEq (Rust)

Roll-your-own KDF

const key = sha256(password + salt + 'pepper');   // WRONG: not slow

Issue: Password hashing must be slow and memory-hard. SHA-256 is neither.

Fix: Argon2id (preferred), scrypt, or bcrypt — never plain hash.

Encrypt-then-XOR

for (i = 0; i < len; i++) ciphertext[i] = plaintext[i] ^ key[i];

Issue: One-time-pad reuse the moment key is shorter than plaintext or reused across messages. No integrity. No nonce. No authenticated encryption.

Fix: AES-GCM or ChaCha20-Poly1305 from a vetted library.

MAC-then-encrypt or encrypt-and-MAC

Modern AEAD modes do this correctly. Custom compositions are easy to get wrong (chosen-ciphertext, padding oracles). Flag any non-AEAD composition.

Custom signature schemes / "encrypt with private key"

Encryption and signature are different operations even when the math looks similar. RSA-encrypt-with-private-key is not a signature scheme. ECDSA without nonce safety leaks the key.

Custom random number generation

def my_token(): return ''.join(chr(time.time_ns() % 256) for _ in range(32))

Any RNG that isn't a documented CSPRNG.

Manual constant-time arithmetic

Even attempts at "constant-time" code can be miscompiled. If custom crypto needs constant-time guarantees, the only valid answer is:

Use a vetted library that documents constant-time
Or pair the implementation with TOB's constant-time-analysis plugin and accept the cost

Heuristic grep patterns

Run these as a first pass:

\bxor\b|\boplus\b
\bhash\(.*\+.*\)
\bencrypt.*xor
==.*token|==.*secret|==.*password
\.compare\(.*(token|secret|key|password|mac|hmac)
hashlib\.sha.*\+|md5\(.*\+
Math\.random|rand\(\)|random\.random

Rationalizations to reject

Rationalization	Reality
"It's just XOR / it's reversible by design"	XOR-based encryption is wrong unless it's a one-time pad with provably-fresh key material
"We don't have an HMAC library available"	Every modern stdlib has HMAC. If yours doesn't, your platform predates this concern.
"We control both sides"	Padding oracles, timing oracles, replay — these don't require attacker control of the protocol, just observation
"We've been running this in production for years without issue"	"Without observed issue." Crypto exploits are silent until used.
"It's only used for X"	Cryptographic primitives are misused when they're reused; the next maintainer extends the use case

Output format

For each finding:

Location (file:line)
Custom primitive identified (HMAC, KDF, AE, RNG, …)
Concrete attack (one paragraph)
Vetted replacement (specific function in a specific library)
Severity: Custom crypto findings default to High; ship-blocking unless a documented threat-model justification exists

References

"Cryptography Engineering" (Ferguson, Schneier, Kohno) Ch. 1 for the philosophical posture
libsodium / BoringSSL / RustCrypto / Tink — vetted-library catalog
BSI Technical Guideline TR-02102; NIST SP 800-series for algorithm selection
Latacora's cryptographic right-answers blog post

Status

v0.1 draft — covers the most common rolled-your-own patterns. Expansion: language-specific grep heuristics, FFI-wrapped C crypto, WebCrypto subtleties, post-quantum primitive misuse.

المزيد من هذا المستودع

نفس المستودع

authorization-model-review

robert-chiniquy/dotfiles

Reviewer persona for authorization models — RBAC, ABAC, ReBAC, and hybrids. Catches the bugs that ship after auth is correct but authz is wrong: missing tenant scoping, IDOR via predictable IDs, role escalation through unchecked write paths, permission caching staleness, transitive-trust loopholes, RBAC/ReBAC drift between policy doc and code. Use when reviewing endpoints that gate access by user/role/relationship, when adding a new role/permission/scope, when changing tenant isolation, or when designing a permission system from scratch. Triggers: RBAC, ABAC, ReBAC, IDOR, tenant isolation, multi-tenant, permission check, role, scope, principal, Zanzibar, OpenFGA, casbin, authz, can_, has_permission, isAuthorized.

2026-06-233

c1-dev-stack-in-squire

robert-chiniquy/dotfiles

Stand up a full c1 dev stack inside a Squire env — process-compose, postgres, envoy, pub-api, pub-auth, be-* services — wired so an external client can drive c1's gRPC surface end to end with TLS + OAuth2 client_credentials. Use when testing a Latchkey or other c1 client against a real (not stubbed) c1 backend, or when reproducing c1 server-side behavior locally. Triggers on: c1 dev env, squire c1 stack, pc/up, dev-util mint-test-client, test against c1, c1 OAuth client_credentials, run c1 integration tests in squire, repro buildkite integration test, TEST_LOCAL_EXEC, api_no_uplift.

2026-06-233

c1-squire-dispatch

robert-chiniquy/dotfiles

c1-specific values for the general squire dispatch protocols defined in squire-env-management. Provides the c1 gate bundle's contents, the task-family table for c1 work, the c1 always-actives, and the list of c1 skills that should NOT be spent on a squire env. Use when about to spawn a squire env to execute c1 work, when writing a brief for a remote c1 agent, or when filing a c1 bead intended for squire dispatch. Triggers: c1 squire dispatch, c1 squire brief, c1 remote work, c1 ephemeral env, c1 fire-and-forget.

2026-06-233

key-lifecycle-review

robert-chiniquy/dotfiles

Reviewer persona for the full lifecycle of cryptographic keys and high-value secrets: generation, storage, distribution, rotation, revocation, and destruction. Trail of Bits' `zeroize-audit` covers the destruction half; this skill covers the other four phases plus closes the loop with destruction. Use when reviewing key management code, secret stores, KMS integrations, rotation logic, key derivation, RNG usage, or any system that issues, holds, or revokes long-lived credentials. Triggers: key generation, key rotation, KMS, HSM, secret store, vault, key derivation, KDF, master key, DEK, KEK, rotation, revocation, RNG, entropy, random, secrets management.

2026-06-233

oauth-oidc-review

robert-chiniquy/dotfiles

Reviewer persona for OAuth 2.0 / 2.1 and OpenID Connect flow implementations. Catches the well-documented attack classes that still ship: missing PKCE, wildcard redirect URIs, mishandled refresh tokens, scope creep, mixed flows on a single endpoint, leaking tokens through referrer or logs, JWT signature bypass. Use when reviewing any code that issues, accepts, validates, exchanges, refreshes, revokes, or stores tokens; when designing a new auth integration; when a PR touches /authorize, /token, /userinfo, /jwks, /introspect, /revoke, OIDC discovery, or a third-party identity provider client. Triggers: OAuth, OIDC, JWT, PKCE, redirect_uri, scope, refresh token, access token, id_token, client_credentials, authorization code, implicit, device code, token exchange, identity provider, IdP, SSO.

2026-06-233

pr-deep-review

robert-chiniquy/dotfiles

Deep, multi-agent review of a PR or branch diff: fan out one focused subagent per dimension (security, scale, performance, correctness, idiomatic style, plus frontend when the diff warrants), adversarially verify every finding to kill false positives and pre-existing debt, tier what survives, then post agent-shaped inline comments to the PR. Has a re-review mode for when the author has addressed feedback. Use when the user asks to "deep review this branch/PR", "review the PR with subagents", "do a thorough review", "re-review the PR", or wants a higher-rigor pass than a single-shot review.

2026-06-233

name	custom-crypto-detection
description	Reviewer persona for detecting hand-rolled cryptography. Distinct from `sharp-edges` (which catches footgun APIs) and `key-lifecycle-review` (which covers lifecycle hygiene): this skill catches the class where someone wrote their own MAC, KDF, AEAD, signature scheme, secret-comparison routine, RNG, or password hash. Almost all custom crypto is broken. Use when reviewing any code that does math on bytes, manipulates buffers in a 'crypto-shaped' way, or implements something whose docs reference a named primitive (HMAC, AES-GCM, Argon2, X25519). Triggers: hand-rolled crypto, custom MAC, custom hash, custom KDF, byte XOR, constant-time compare, derived key, password hashing, HKDF, encrypt_then_mac, mac_then_encrypt, AE, AEAD.
allowed-tools	["Read","Grep","Glob"]

Custom Crypto Detection

Finds code that re-implements primitives that should have been called from an established library. Custom crypto is almost always broken even when written by people who know they shouldn't.

When to use

Diff touches files in crypto/, auth/, security/, keys/, tokens/, password/, mac/, hash/, sign/
A new primitive name appears (MAC, HMAC, KDF, HKDF, PBKDF2, Argon2, scrypt, AEAD, AES-GCM, ChaCha20-Poly1305, X25519, Ed25519, ECDSA, RSA-PSS)
XOR over byte buffers in non-trivial code (XOR is the canonical "this looks like crypto" signal)
A function name contains encrypt, decrypt, sign, verify, hash, mac, derive_key, random and the implementation is more than a thin wrapper
Comments mention "secure enough", "good enough for our purposes", "we couldn't use library X so we…"

When NOT to use

Calling well-known libraries (libsodium, BoringSSL, ring, RustCrypto, Tink) — those are out of scope; use sharp-edges if the API is used incorrectly
Algorithm selection within a library — that's key-lifecycle-review or sharp-edges

Core posture

If the diff contains custom crypto, the default verdict is "rewrite to call a vetted library". Custom crypto is correct only when:

There is a documented threat model that the existing libraries demonstrably don't meet
The author is a cryptographer or has obtained a review from one
There are KAT (known-answer tests) and a fuzzing harness
The code is constant-time where needed and that's verified
There's a plan to replace with a vetted implementation when one becomes available

All four must hold simultaneously. If any is missing, the review verdict is "this should not ship; use $LIBRARY".

Common patterns to flag on sight

Reimplemented HMAC

def my_hmac(key, msg):
    return hashlib.sha256(key + msg).hexdigest()   # WRONG: length-extension

Issue: Length-extension attack. SHA-256 is a Merkle–Damgård hash; appending key+msg and hashing is the classic vulnerable construction.

Fix: hmac.new(key, msg, hashlib.sha256).hexdigest()

Naive secret comparison

if userToken == storedToken { ... }     // WRONG: timing oracle

Issue: Byte-by-byte short-circuit allows network timing oracle to recover the token.

Fix: subtle.ConstantTimeCompare, crypto.timingSafeEqual, hmac.compare_digest, subtle.ConstantTimeEq (Rust)

Roll-your-own KDF

const key = sha256(password + salt + 'pepper');   // WRONG: not slow

Issue: Password hashing must be slow and memory-hard. SHA-256 is neither.

Fix: Argon2id (preferred), scrypt, or bcrypt — never plain hash.

Encrypt-then-XOR

for (i = 0; i < len; i++) ciphertext[i] = plaintext[i] ^ key[i];

Issue: One-time-pad reuse the moment key is shorter than plaintext or reused across messages. No integrity. No nonce. No authenticated encryption.

Fix: AES-GCM or ChaCha20-Poly1305 from a vetted library.

MAC-then-encrypt or encrypt-and-MAC

Modern AEAD modes do this correctly. Custom compositions are easy to get wrong (chosen-ciphertext, padding oracles). Flag any non-AEAD composition.

Custom signature schemes / "encrypt with private key"

Encryption and signature are different operations even when the math looks similar. RSA-encrypt-with-private-key is not a signature scheme. ECDSA without nonce safety leaks the key.

Custom random number generation

def my_token(): return ''.join(chr(time.time_ns() % 256) for _ in range(32))

Any RNG that isn't a documented CSPRNG.

Manual constant-time arithmetic

Even attempts at "constant-time" code can be miscompiled. If custom crypto needs constant-time guarantees, the only valid answer is:

Use a vetted library that documents constant-time
Or pair the implementation with TOB's constant-time-analysis plugin and accept the cost

Heuristic grep patterns

Run these as a first pass:

\bxor\b|\boplus\b
\bhash\(.*\+.*\)
\bencrypt.*xor
==.*token|==.*secret|==.*password
\.compare\(.*(token|secret|key|password|mac|hmac)
hashlib\.sha.*\+|md5\(.*\+
Math\.random|rand\(\)|random\.random

Rationalizations to reject

Rationalization	Reality
"It's just XOR / it's reversible by design"	XOR-based encryption is wrong unless it's a one-time pad with provably-fresh key material
"We don't have an HMAC library available"	Every modern stdlib has HMAC. If yours doesn't, your platform predates this concern.
"We control both sides"	Padding oracles, timing oracles, replay — these don't require attacker control of the protocol, just observation
"We've been running this in production for years without issue"	"Without observed issue." Crypto exploits are silent until used.
"It's only used for X"	Cryptographic primitives are misused when they're reused; the next maintainer extends the use case

Output format

For each finding:

Location (file:line)
Custom primitive identified (HMAC, KDF, AE, RNG, …)
Concrete attack (one paragraph)
Vetted replacement (specific function in a specific library)
Severity: Custom crypto findings default to High; ship-blocking unless a documented threat-model justification exists

References

"Cryptography Engineering" (Ferguson, Schneier, Kohno) Ch. 1 for the philosophical posture
libsodium / BoringSSL / RustCrypto / Tink — vetted-library catalog
BSI Technical Guideline TR-02102; NIST SP 800-series for algorithm selection
Latacora's cryptographic right-answers blog post

Status

v0.1 draft — covers the most common rolled-your-own patterns. Expansion: language-specific grep heuristics, FFI-wrapped C crypto, WebCrypto subtleties, post-quantum primitive misuse.