원클릭으로
sc-crypto
Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-crypto |
| description | Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects cryptographic implementation errors including use of weak algorithms (MD5, SHA1 for security), insecure cipher modes (ECB), static or hardcoded initialization vectors, missing authentication (AES-CBC without HMAC), weak pseudo-random number generators for security purposes, insufficient key lengths, and disabled certificate validation.
Called by sc-orchestrator during Phase 2. Always runs.
# Weak algorithms
"MD5", "md5", "SHA1", "sha1", "DES", "3DES", "RC4", "RC2",
"Blowfish", "IDEA"
# Cipher modes
"ECB", "CBC", "AES/ECB", "AES/CBC", "Mode.ECB"
# Initialization vectors
"iv =", "IV =", "nonce =", "static.*iv", "hardcoded.*iv",
"bytes(16)", "b'\\x00' * 16"
# Weak PRNG
"Math.random(", "random.random(", "random.randint(",
"rand()", "srand(", "java.util.Random", "System.Random"
# Key management
"key =", "encryption_key", "secret_key",
"AES.new(", "Cipher.getInstance(", "crypto.createCipheriv("
# TLS/SSL
"verify=False", "verify_ssl=False", "rejectUnauthorized: false",
"InsecureSkipVerify", "TLSv1", "SSLv3",
"CERT_NONE", "CERT_OPTIONAL"
1. Weak Hash for Security:
# VULNERABLE: MD5 for password hashing
password_hash = hashlib.md5(password.encode()).hexdigest()
# VULNERABLE: SHA1 for signature verification
signature = hashlib.sha1(data.encode()).hexdigest()
# SAFE: SHA-256+ for signatures, bcrypt/argon2 for passwords
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
signature = hashlib.sha256(data.encode()).hexdigest()
2. ECB Mode:
// VULNERABLE: ECB mode reveals patterns in encrypted data
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
// SAFE: GCM mode (authenticated encryption)
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
3. Static IV:
// VULNERABLE: Hardcoded IV
const iv = Buffer.from('0000000000000000');
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
// SAFE: Random IV per encryption
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
4. Weak PRNG for Security:
// VULNERABLE: Math.random for security tokens
const token = Math.random().toString(36).substring(2);
// SAFE: Cryptographic random
const token = crypto.randomBytes(32).toString('hex');
5. Disabled Certificate Validation:
# VULNERABLE: Disabling SSL verification
requests.get(url, verify=False)
# SAFE
requests.get(url, verify=True) # Default