一键在 Manus 中运行任何 Skill

$pwd:

sast-cryptography-testing

Name: Sast Cryptography Testing
Author: anshumanbh

// Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.

在 Manus 中运行

$ git log --oneline --stat

stars:17

forks:6

updated:2025年12月18日 18:46

SKILL.md

readonly

name	sast-cryptography-testing
description	Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
allowed-tools	Read, Grep, Glob

SAST Cryptography Testing Skill

Purpose

Investigate cryptographic weaknesses by analyzing:

Algorithm selection (weak vs strong)
Key management practices
Hardcoded secrets in code
Encryption implementation correctness

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

Use of broken or weak cryptographic algorithms.

Weak Algorithms:

# Hash functions - WEAK
hashlib.md5(password)
hashlib.sha1(password)
DES.new(key)

# Better alternatives
hashlib.sha256(data)
bcrypt.hash(password)
AES.new(key, AES.MODE_GCM)

2. Hardcoded Credentials (CWE-798)

Secrets embedded directly in source code.

Dangerous Patterns:

API_KEY = "sk-1234567890abcdef"
password = "admin123"
SECRET_KEY = "my-secret-key"
conn = psycopg2.connect("postgresql://user:password@host/db")

Safe Patterns:

API_KEY = os.environ.get("API_KEY")
password = get_secret("db_password")
SECRET_KEY = config.secret_key

3. Inadequate Encryption Strength (CWE-326)

Insufficient key sizes or weak modes.

Weak Configurations:

# Short key length
RSA.generate(1024)  # Should be 2048+
AES.new(key[:16])   # Only 128-bit

# Weak modes
AES.new(key, AES.MODE_ECB)  # ECB mode is insecure

4. Improper Key Management (CWE-321)

Keys stored or handled insecurely.

Dangerous Patterns:

# Key in version control
private_key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""

# Key logged or exposed
logger.info(f"Using key: {encryption_key}")

Investigation Methodology

Step 1: Find Crypto Usage

Search for cryptographic operations:

Patterns: hashlib, cryptography, Crypto, pycryptodome
          encrypt, decrypt, hash, sign, verify
          AES, RSA, DES, MD5, SHA

Step 2: Identify Secrets

Look for potential hardcoded secrets:

Patterns: API_KEY, SECRET, PASSWORD, TOKEN
          private_key, secret_key, api_secret
          -----BEGIN, -----END
          sk-, pk-, ghp_, xox

Step 3: Check Key Sources

Verify where keys come from:

Patterns: os.environ, os.getenv
          config., settings.
          vault., secrets.

Step 4: Analyze Algorithm Choices

Verify algorithm strength:

Weak: md5, sha1, des, rc4, ecb
Strong: sha256, sha3, aes-gcm, argon2, bcrypt

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Common crypto libraries used
Secret management practices
Key rotation patterns

Classification Criteria

TRUE_POSITIVE:

Hardcoded secret in source code
Weak algorithm used for security-critical function
Key exposed in logs or version control

FALSE_POSITIVE:

Secret loaded from environment/config
Weak algorithm used for non-security purpose
Test/example data, not production secrets

UNVALIDATED:

Secret source is external (vault, KMS)
Algorithm choice depends on configuration

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Issue Type**: Weak Algorithm / Hardcoded Secret / Key Exposure
- **Details**: Specific weakness found
- **Code**: Relevant code snippet (REDACT actual secrets)

### Impact
What an attacker could do with this:
- [Impact description]

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-327: Use of Broken or Risky Cryptographic Algorithm
CWE-798: Use of Hardcoded Credentials
CWE-326: Inadequate Encryption Strength
CWE-321: Use of Hardcoded Cryptographic Key
CWE-328: Reversible One-Way Hash

Safety Rules

ALWAYS redact actual secret values in evidence
Replace with [REDACTED] or similar placeholder
Only analyze code in the repository provided
Do not attempt to use discovered secrets

related-skills.json

同仓库

sast-authentication-testing.md

from "anshumanbh/vulnvibes"

Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.

2025-12-1817

sast-authorization-testing.md

from "anshumanbh/vulnvibes"

Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.

2025-12-1817

sast-browser-security-testing.md

from "anshumanbh/vulnvibes"

Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.

2025-12-1817

sast-data-exposure-testing.md

from "anshumanbh/vulnvibes"

Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.

2025-12-1817

sast-deserialization-testing.md

from "anshumanbh/vulnvibes"

Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.

2025-12-1817

sast-file-security-testing.md

from "anshumanbh/vulnvibes"

Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.

2025-12-1817

package.json

"author": "anshumanbh"

"repository": "anshumanbh/vulnvibes"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name	sast-cryptography-testing
description	Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
allowed-tools	Read, Grep, Glob

SAST Cryptography Testing Skill

Purpose

Investigate cryptographic weaknesses by analyzing:

Algorithm selection (weak vs strong)
Key management practices
Hardcoded secrets in code
Encryption implementation correctness

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

Use of broken or weak cryptographic algorithms.

Weak Algorithms:

# Hash functions - WEAK
hashlib.md5(password)
hashlib.sha1(password)
DES.new(key)

# Better alternatives
hashlib.sha256(data)
bcrypt.hash(password)
AES.new(key, AES.MODE_GCM)

2. Hardcoded Credentials (CWE-798)

Secrets embedded directly in source code.

Dangerous Patterns:

API_KEY = "sk-1234567890abcdef"
password = "admin123"
SECRET_KEY = "my-secret-key"
conn = psycopg2.connect("postgresql://user:password@host/db")

Safe Patterns:

API_KEY = os.environ.get("API_KEY")
password = get_secret("db_password")
SECRET_KEY = config.secret_key

3. Inadequate Encryption Strength (CWE-326)

Insufficient key sizes or weak modes.

Weak Configurations:

# Short key length
RSA.generate(1024)  # Should be 2048+
AES.new(key[:16])   # Only 128-bit

# Weak modes
AES.new(key, AES.MODE_ECB)  # ECB mode is insecure

4. Improper Key Management (CWE-321)

Keys stored or handled insecurely.

Dangerous Patterns:

# Key in version control
private_key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""

# Key logged or exposed
logger.info(f"Using key: {encryption_key}")

Investigation Methodology

Step 1: Find Crypto Usage

Search for cryptographic operations:

Patterns: hashlib, cryptography, Crypto, pycryptodome
          encrypt, decrypt, hash, sign, verify
          AES, RSA, DES, MD5, SHA

Step 2: Identify Secrets

Look for potential hardcoded secrets:

Patterns: API_KEY, SECRET, PASSWORD, TOKEN
          private_key, secret_key, api_secret
          -----BEGIN, -----END
          sk-, pk-, ghp_, xox

Step 3: Check Key Sources

Verify where keys come from:

Patterns: os.environ, os.getenv
          config., settings.
          vault., secrets.

Step 4: Analyze Algorithm Choices

Verify algorithm strength:

Weak: md5, sha1, des, rc4, ecb
Strong: sha256, sha3, aes-gcm, argon2, bcrypt

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Common crypto libraries used
Secret management practices
Key rotation patterns

Classification Criteria

TRUE_POSITIVE:

Hardcoded secret in source code
Weak algorithm used for security-critical function
Key exposed in logs or version control

FALSE_POSITIVE:

Secret loaded from environment/config
Weak algorithm used for non-security purpose
Test/example data, not production secrets

UNVALIDATED:

Secret source is external (vault, KMS)
Algorithm choice depends on configuration

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Issue Type**: Weak Algorithm / Hardcoded Secret / Key Exposure
- **Details**: Specific weakness found
- **Code**: Relevant code snippet (REDACT actual secrets)

### Impact
What an attacker could do with this:
- [Impact description]

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-327: Use of Broken or Risky Cryptographic Algorithm
CWE-798: Use of Hardcoded Credentials
CWE-326: Inadequate Encryption Strength
CWE-321: Use of Hardcoded Cryptographic Key
CWE-328: Reversible One-Way Hash

Safety Rules

ALWAYS redact actual secret values in evidence
Replace with [REDACTED] or similar placeholder
Only analyze code in the repository provided
Do not attempt to use discovered secrets

sast-cryptography-testing

SAST Cryptography Testing Skill

Purpose

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

2. Hardcoded Credentials (CWE-798)

3. Inadequate Encryption Strength (CWE-326)

4. Improper Key Management (CWE-321)

Investigation Methodology

Step 1: Find Crypto Usage

Step 2: Identify Secrets

Step 3: Check Key Sources

Step 4: Analyze Algorithm Choices

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules

同仓库更多 Skills

同仓库更多 Skills

SAST Cryptography Testing Skill

Purpose

Vulnerability Types Covered

1. Weak Cryptographic Algorithms (CWE-327)

2. Hardcoded Credentials (CWE-798)

3. Inadequate Encryption Strength (CWE-326)

4. Improper Key Management (CWE-321)

Investigation Methodology

Step 1: Find Crypto Usage

Step 2: Identify Secrets

Step 3: Check Key Sources

Step 4: Analyze Algorithm Choices

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules