Run any Skill in Manus with one click

$pwd:

detecting-weak-cryptography

Name: Detecting Weak Cryptography
Author: jeremylongshore

// Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

Run Skill in Manus

$ git log --oneline --stat

stars:2,267

forks:315

updated:May 31, 2026 at 04:18

File Explorer

4 files

SKILL.md

readonly

name	detecting-weak-cryptography
description	Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","cryptography","pentest"]

Detecting Weak Cryptography

Overview

Weak cryptography (CWE-327 Use of a Broken or Risky Cryptographic Algorithm, CWE-330 Use of Insufficiently Random Values) shows up when engineers use the convenient API instead of the cryptographic one. hashlib.md5(password) is faster to type than the correct bcrypt/argon2 invocation; Math.random() returns a number quickly without needing to know about crypto.randomBytes().

The fix is universal: use the modern primitive. SHA-256 for general hashing, bcrypt/argon2/scrypt for passwords, AES-GCM for encryption, HMAC-SHA256 for signing, secrets / crypto.randomBytes / SecureRandom for randomness.

When the skill produces findings

Finding	Severity	Threshold	Affected control
MD5 used in security context	HIGH	hashlib.md5, MessageDigest.MD5, CryptoJS.MD5	CWE-327
SHA-1 used in security context	HIGH	hashlib.sha1, etc.	CWE-327
DES / 3DES cipher	CRITICAL	DESCrypto, "DES/CBC", "DESede"	CWE-327
RC4 cipher	CRITICAL	"ARC4", "RC4"	CWE-327
AES ECB mode	CRITICAL	"AES/ECB" or `MODE_ECB`	CWE-327
Hardcoded IV (initialization vector)	CRITICAL	IV literal in source	CWE-329
Custom XOR-based "encryption"	CRITICAL	XOR loop over bytes	CWE-327
Predictable random for crypto seed	CRITICAL	Math.random / java.util.Random / random.random for keys	CWE-330
TLS cert verification disabled	CRITICAL	verify=False, rejectUnauthorized:false, ServerCertificateValidationCallback returning true	CWE-295
Hardcoded HMAC secret	HIGH	Long literal in HMAC constructor	CWE-321
Insecure password hashing (no salt, no KDF)	CRITICAL	hashlib.sha256(password) without bcrypt/argon2	CWE-916

Prerequisites

Python 3.9+
Source tree on local filesystem

Instructions

Run

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py /path/to/repo

Options: --output, --format, --min-severity, --include-tests, --languages, --allow-md5-checksums (excludes MD5 used in non-security contexts like content-addressable storage).

Interpret

CRITICAL = direct cryptographic break available against the algorithm. CVEs, public attack tools, sometimes pre-computed tables (rainbow tables for MD5/SHA-1).

HIGH = algorithm collision-broken (MD5, SHA-1) but the specific use case may tolerate the weakness (file-deduplication checksums, non-security HMAC). Verify the usage context.

Remediation

See references/PLAYBOOK.md for per-primitive migration. Modern defaults: SHA-256/SHA-3 for hashing, AES-256-GCM for encryption, HMAC-SHA-256 for signing, secrets-grade random for keys, bcrypt / argon2id for password storage.

Examples

Pre-merge gate

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py \
    --min-severity high $(git diff --name-only main...HEAD | tr '\n' ' ')

CI

- name: Weak-crypto scan
  run: |
    python3 plugins/security/penetration-tester/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py \
        . --min-severity high

Output

JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.

Error Handling

False positives common on:

MD5 used for content-addressable storage (caches, content hashes) where collision resistance against ATTACKERS isn't needed — use --allow-md5-checksums.
HMAC-MD5 — broken against adversaries but acceptable as an integrity check inside a TLS session where the channel is already authenticated.

Verify each finding by reading whether the algorithm's failure mode (collision, preimage, etc.) is actually exploitable in context.

Resources

references/THEORY.md — Per-primitive attack model (why MD5 / SHA-1 are collision-broken, why ECB leaks structure, why Math.random is non-crypto-grade)
references/PLAYBOOK.md — Per-language modern-crypto recipes (Python cryptography library, Node crypto, Java JCA with modern algorithms, Go crypto/rand + crypto/cipher AEAD)

related-skills.json

same repository

detecting-command-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

2026-05-312.3k

detecting-eval-exec-usage.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

2026-05-312.3k

detecting-insecure-deserialization.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

2026-05-312.3k

detecting-sql-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

2026-05-312.3k

scanning-for-hardcoded-secrets.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

2026-05-312.3k

detecting-directory-listing.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Probe a target for directories that return auto-generated index listings instead of denying or serving a specific file — exposes the full file tree under any reachable directory, including files the application never linked to. Use when: post-deploy verification on a static-asset host, security audit before SOC2, or following up on a finding from skill #6 (exposed-files) where a backup-file path returned 200 with HTML body instead of the expected file content (suggests autoindex serving a directory listing). Threshold: any directory-shaped path returns 200 with HTML body matching the framework-specific autoindex fingerprint (nginx fancyindex, Apache mod_autoindex Index of/, Caddy browse, Lighttpd mod_dirlisting, etc.). Trigger with: "directory listing check", "autoindex detection", "open directory scan".

2026-05-312.3k

package.json

"author": "jeremylongshore"

"repository": "jeremylongshore/claude-code-plugins-plus-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	detecting-weak-cryptography
description	Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","cryptography","pentest"]

Detecting Weak Cryptography

Overview

When the skill produces findings

Finding	Severity	Threshold	Affected control
MD5 used in security context	HIGH	hashlib.md5, MessageDigest.MD5, CryptoJS.MD5	CWE-327
SHA-1 used in security context	HIGH	hashlib.sha1, etc.	CWE-327
DES / 3DES cipher	CRITICAL	DESCrypto, "DES/CBC", "DESede"	CWE-327
RC4 cipher	CRITICAL	"ARC4", "RC4"	CWE-327
AES ECB mode	CRITICAL	"AES/ECB" or `MODE_ECB`	CWE-327
Hardcoded IV (initialization vector)	CRITICAL	IV literal in source	CWE-329
Custom XOR-based "encryption"	CRITICAL	XOR loop over bytes	CWE-327
Predictable random for crypto seed	CRITICAL	Math.random / java.util.Random / random.random for keys	CWE-330
TLS cert verification disabled	CRITICAL	verify=False, rejectUnauthorized:false, ServerCertificateValidationCallback returning true	CWE-295
Hardcoded HMAC secret	HIGH	Long literal in HMAC constructor	CWE-321
Insecure password hashing (no salt, no KDF)	CRITICAL	hashlib.sha256(password) without bcrypt/argon2	CWE-916

Prerequisites

Python 3.9+
Source tree on local filesystem

Instructions

Run

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py /path/to/repo

Options: --output, --format, --min-severity, --include-tests, --languages, --allow-md5-checksums (excludes MD5 used in non-security contexts like content-addressable storage).

Interpret

CRITICAL = direct cryptographic break available against the algorithm. CVEs, public attack tools, sometimes pre-computed tables (rainbow tables for MD5/SHA-1).

HIGH = algorithm collision-broken (MD5, SHA-1) but the specific use case may tolerate the weakness (file-deduplication checksums, non-security HMAC). Verify the usage context.

Remediation

Examples

Pre-merge gate

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py \
    --min-severity high $(git diff --name-only main...HEAD | tr '\n' ' ')

CI

- name: Weak-crypto scan
  run: |
    python3 plugins/security/penetration-tester/skills/detecting-weak-cryptography/scripts/scan_weak_crypto.py \
        . --min-severity high

Output

JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.

Error Handling

False positives common on:

MD5 used for content-addressable storage (caches, content hashes) where collision resistance against ATTACKERS isn't needed — use --allow-md5-checksums.
HMAC-MD5 — broken against adversaries but acceptable as an integrity check inside a TLS session where the channel is already authenticated.

Verify each finding by reading whether the algorithm's failure mode (collision, preimage, etc.) is actually exploitable in context.

Resources

references/THEORY.md — Per-primitive attack model (why MD5 / SHA-1 are collision-broken, why ECB leaks structure, why Math.random is non-crypto-grade)
references/PLAYBOOK.md — Per-language modern-crypto recipes (Python cryptography library, Node crypto, Java JCA with modern algorithms, Go crypto/rand + crypto/cipher AEAD)

detecting-weak-cryptography

Detecting Weak Cryptography

Overview

When the skill produces findings

Prerequisites

Instructions

Run

Interpret

Remediation

Examples

Pre-merge gate

CI

Output

Error Handling

Resources

More from this repository

Detecting Weak Cryptography

Overview

When the skill produces findings

Prerequisites

Instructions

Run

Interpret

Remediation

Examples

Pre-merge gate

CI

Output

Error Handling

Resources

More from this repository