Run any Skill in Manus with one click

$pwd:

sast-cryptography-testing

Name: Sast Cryptography Testing
Author: anshumanbh

// Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.

Run Skill in Manus

$ git log --oneline --stat

stars:17

forks:6

updated:December 18, 2025 at 18:46

SKILL.md

readonly

name	sast-cryptography-testing
description	Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
allowed-tools	Read, Grep, Glob

SAST Cryptography Testing Skill

Purpose

Investigate cryptographic weaknesses by analyzing:

Algorithm selection (weak vs strong)
Key management practices
Hardcoded secrets in code
Encryption implementation correctness

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

Use of broken or weak cryptographic algorithms.

Weak Algorithms:

# Hash functions - WEAK
hashlib.md5(password)
hashlib.sha1(password)
DES.new(key)

# Better alternatives
hashlib.sha256(data)
bcrypt.hash(password)
AES.new(key, AES.MODE_GCM)

2. Hardcoded Credentials (CWE-798)

Secrets embedded directly in source code.

Dangerous Patterns:

API_KEY = "sk-1234567890abcdef"
password = "admin123"
SECRET_KEY = "my-secret-key"
conn = psycopg2.connect("postgresql://user:password@host/db")

Safe Patterns:

API_KEY = os.environ.get("API_KEY")
password = get_secret("db_password")
SECRET_KEY = config.secret_key

3. Inadequate Encryption Strength (CWE-326)

Insufficient key sizes or weak modes.

Weak Configurations:

# Short key length
RSA.generate(1024)  # Should be 2048+
AES.new(key[:16])   # Only 128-bit

# Weak modes
AES.new(key, AES.MODE_ECB)  # ECB mode is insecure

4. Improper Key Management (CWE-321)

Keys stored or handled insecurely.

Dangerous Patterns:

# Key in version control
private_key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""

# Key logged or exposed
logger.info(f"Using key: {encryption_key}")

Investigation Methodology

Step 1: Find Crypto Usage

Search for cryptographic operations:

Patterns: hashlib, cryptography, Crypto, pycryptodome
          encrypt, decrypt, hash, sign, verify
          AES, RSA, DES, MD5, SHA

Step 2: Identify Secrets

Look for potential hardcoded secrets:

Patterns: API_KEY, SECRET, PASSWORD, TOKEN
          private_key, secret_key, api_secret
          -----BEGIN, -----END
          sk-, pk-, ghp_, xox

Step 3: Check Key Sources

Verify where keys come from:

Patterns: os.environ, os.getenv
          config., settings.
          vault., secrets.

Step 4: Analyze Algorithm Choices

Verify algorithm strength:

Weak: md5, sha1, des, rc4, ecb
Strong: sha256, sha3, aes-gcm, argon2, bcrypt

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Common crypto libraries used
Secret management practices
Key rotation patterns

Classification Criteria

TRUE_POSITIVE:

Hardcoded secret in source code
Weak algorithm used for security-critical function
Key exposed in logs or version control

FALSE_POSITIVE:

Secret loaded from environment/config
Weak algorithm used for non-security purpose
Test/example data, not production secrets

UNVALIDATED:

Secret source is external (vault, KMS)
Algorithm choice depends on configuration

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Issue Type**: Weak Algorithm / Hardcoded Secret / Key Exposure
- **Details**: Specific weakness found
- **Code**: Relevant code snippet (REDACT actual secrets)

### Impact
What an attacker could do with this:
- [Impact description]

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-327: Use of Broken or Risky Cryptographic Algorithm
CWE-798: Use of Hardcoded Credentials
CWE-326: Inadequate Encryption Strength
CWE-321: Use of Hardcoded Cryptographic Key
CWE-328: Reversible One-Way Hash

Safety Rules

ALWAYS redact actual secret values in evidence
Replace with [REDACTED] or similar placeholder
Only analyze code in the repository provided
Do not attempt to use discovered secrets

related-skills.json

same repository

sast-authentication-testing.md

from "anshumanbh/vulnvibes"

Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.

2025-12-1817

sast-authorization-testing.md

from "anshumanbh/vulnvibes"

Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.

2025-12-1817

sast-browser-security-testing.md

from "anshumanbh/vulnvibes"

Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.

2025-12-1817

sast-data-exposure-testing.md

from "anshumanbh/vulnvibes"

Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.

2025-12-1817

sast-deserialization-testing.md

from "anshumanbh/vulnvibes"

Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.

2025-12-1817

sast-file-security-testing.md

from "anshumanbh/vulnvibes"

Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.

2025-12-1817

package.json

"author": "anshumanbh"

"repository": "anshumanbh/vulnvibes"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	sast-cryptography-testing
description	Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
allowed-tools	Read, Grep, Glob

SAST Cryptography Testing Skill

Purpose

Investigate cryptographic weaknesses by analyzing:

Algorithm selection (weak vs strong)
Key management practices
Hardcoded secrets in code
Encryption implementation correctness

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

Use of broken or weak cryptographic algorithms.

Weak Algorithms:

# Hash functions - WEAK
hashlib.md5(password)
hashlib.sha1(password)
DES.new(key)

# Better alternatives
hashlib.sha256(data)
bcrypt.hash(password)
AES.new(key, AES.MODE_GCM)

2. Hardcoded Credentials (CWE-798)

Secrets embedded directly in source code.

Dangerous Patterns:

API_KEY = "sk-1234567890abcdef"
password = "admin123"
SECRET_KEY = "my-secret-key"
conn = psycopg2.connect("postgresql://user:password@host/db")

Safe Patterns:

API_KEY = os.environ.get("API_KEY")
password = get_secret("db_password")
SECRET_KEY = config.secret_key

3. Inadequate Encryption Strength (CWE-326)

Insufficient key sizes or weak modes.

Weak Configurations:

# Short key length
RSA.generate(1024)  # Should be 2048+
AES.new(key[:16])   # Only 128-bit

# Weak modes
AES.new(key, AES.MODE_ECB)  # ECB mode is insecure

4. Improper Key Management (CWE-321)

Keys stored or handled insecurely.

Dangerous Patterns:

# Key in version control
private_key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""

# Key logged or exposed
logger.info(f"Using key: {encryption_key}")

Investigation Methodology

Step 1: Find Crypto Usage

Search for cryptographic operations:

Patterns: hashlib, cryptography, Crypto, pycryptodome
          encrypt, decrypt, hash, sign, verify
          AES, RSA, DES, MD5, SHA

Step 2: Identify Secrets

Look for potential hardcoded secrets:

Patterns: API_KEY, SECRET, PASSWORD, TOKEN
          private_key, secret_key, api_secret
          -----BEGIN, -----END
          sk-, pk-, ghp_, xox

Step 3: Check Key Sources

Verify where keys come from:

Patterns: os.environ, os.getenv
          config., settings.
          vault., secrets.

Step 4: Analyze Algorithm Choices

Verify algorithm strength:

Weak: md5, sha1, des, rc4, ecb
Strong: sha256, sha3, aes-gcm, argon2, bcrypt

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Common crypto libraries used
Secret management practices
Key rotation patterns

Classification Criteria

TRUE_POSITIVE:

Hardcoded secret in source code
Weak algorithm used for security-critical function
Key exposed in logs or version control

FALSE_POSITIVE:

Secret loaded from environment/config
Weak algorithm used for non-security purpose
Test/example data, not production secrets

UNVALIDATED:

Secret source is external (vault, KMS)
Algorithm choice depends on configuration

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Issue Type**: Weak Algorithm / Hardcoded Secret / Key Exposure
- **Details**: Specific weakness found
- **Code**: Relevant code snippet (REDACT actual secrets)

### Impact
What an attacker could do with this:
- [Impact description]

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-327: Use of Broken or Risky Cryptographic Algorithm
CWE-798: Use of Hardcoded Credentials
CWE-326: Inadequate Encryption Strength
CWE-321: Use of Hardcoded Cryptographic Key
CWE-328: Reversible One-Way Hash

Safety Rules

ALWAYS redact actual secret values in evidence
Replace with [REDACTED] or similar placeholder
Only analyze code in the repository provided
Do not attempt to use discovered secrets

sast-cryptography-testing

SAST Cryptography Testing Skill

Purpose

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

2. Hardcoded Credentials (CWE-798)

3. Inadequate Encryption Strength (CWE-326)

4. Improper Key Management (CWE-321)

Investigation Methodology

Step 1: Find Crypto Usage

Step 2: Identify Secrets

Step 3: Check Key Sources

Step 4: Analyze Algorithm Choices

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules

More from this repository

More from this repository

SAST Cryptography Testing Skill

Purpose

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

2. Hardcoded Credentials (CWE-798)

3. Inadequate Encryption Strength (CWE-326)

4. Improper Key Management (CWE-321)

Investigation Methodology

Step 1: Find Crypto Usage

Step 2: Identify Secrets

Step 3: Check Key Sources

Step 4: Analyze Algorithm Choices

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules