@elizaos/skills 2.0.0-alpha.3

Files changed (371)
  1. package/README.md +126 -0
  2. package/package.json +53 -0
  3. package/skills/1password/SKILL.md +70 -0
  4. package/skills/1password/references/cli-examples.md +29 -0
  5. package/skills/1password/references/get-started.md +17 -0
  6. package/skills/apple-notes/SKILL.md +77 -0
  7. package/skills/apple-reminders/SKILL.md +96 -0
  8. package/skills/bear-notes/SKILL.md +107 -0
  9. package/skills/bird/SKILL.md +224 -0
  10. package/skills/blogwatcher/SKILL.md +69 -0
  11. package/skills/blucli/SKILL.md +47 -0
  12. package/skills/bluebubbles/SKILL.md +131 -0
  13. package/skills/camsnap/SKILL.md +45 -0
  14. package/skills/canvas/SKILL.md +203 -0
  15. package/skills/clawhub/SKILL.md +77 -0
  16. package/skills/coding-agent/SKILL.md +284 -0
  17. package/skills/discord/SKILL.md +578 -0
  18. package/skills/eightctl/SKILL.md +50 -0
  19. package/skills/food-order/SKILL.md +48 -0
  20. package/skills/gemini/SKILL.md +43 -0
  21. package/skills/gifgrep/SKILL.md +79 -0
  22. package/skills/github/SKILL.md +77 -0
  23. package/skills/gog/SKILL.md +116 -0
  24. package/skills/goplaces/SKILL.md +52 -0
  25. package/skills/healthcheck/SKILL.md +245 -0
  26. package/skills/himalaya/SKILL.md +257 -0
  27. package/skills/himalaya/references/configuration.md +184 -0
  28. package/skills/himalaya/references/message-composition.md +199 -0
  29. package/skills/imsg/SKILL.md +74 -0
  30. package/skills/local-places/SERVER_README.md +101 -0
  31. package/skills/local-places/SKILL.md +102 -0
  32. package/skills/local-places/pyproject.toml +21 -0
  33. package/skills/local-places/src/local_places/__init__.py +2 -0
  34. package/skills/local-places/src/local_places/google_places.py +314 -0
  35. package/skills/local-places/src/local_places/main.py +65 -0
  36. package/skills/local-places/src/local_places/schemas.py +107 -0
  37. package/skills/mcporter/SKILL.md +61 -0
  38. package/skills/model-usage/SKILL.md +69 -0
  39. package/skills/model-usage/references/codexbar-cli.md +33 -0
  40. package/skills/model-usage/scripts/model_usage.py +310 -0
  41. package/skills/nano-banana-pro/SKILL.md +58 -0
  42. package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
  43. package/skills/nano-pdf/SKILL.md +38 -0
  44. package/skills/notion/SKILL.md +172 -0
  45. package/skills/obsidian/SKILL.md +81 -0
  46. package/skills/openai-image-gen/SKILL.md +89 -0
  47. package/skills/openai-image-gen/scripts/gen.py +240 -0
  48. package/skills/openai-whisper/SKILL.md +38 -0
  49. package/skills/openai-whisper-api/SKILL.md +52 -0
  50. package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
  51. package/skills/openhue/SKILL.md +51 -0
  52. package/skills/oracle/SKILL.md +125 -0
  53. package/skills/ordercli/SKILL.md +78 -0
  54. package/skills/peekaboo/SKILL.md +190 -0
  55. package/skills/sag/SKILL.md +87 -0
  56. package/skills/security-ask-questions-if-underspecified/.claude-plugin/plugin.json +10 -0
  57. package/skills/security-ask-questions-if-underspecified/README.md +24 -0
  58. package/skills/security-ask-questions-if-underspecified/skills/ask-questions-if-underspecified/SKILL.md +85 -0
  59. package/skills/security-audit-context-building/.claude-plugin/plugin.json +10 -0
  60. package/skills/security-audit-context-building/README.md +58 -0
  61. package/skills/security-audit-context-building/commands/audit-context.md +21 -0
  62. package/skills/security-audit-context-building/skills/audit-context-building/SKILL.md +297 -0
  63. package/skills/security-audit-context-building/skills/audit-context-building/resources/COMPLETENESS_CHECKLIST.md +47 -0
  64. package/skills/security-audit-context-building/skills/audit-context-building/resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md +355 -0
  65. package/skills/security-audit-context-building/skills/audit-context-building/resources/OUTPUT_REQUIREMENTS.md +71 -0
  66. package/skills/security-building-secure-contracts/.claude-plugin/plugin.json +10 -0
  67. package/skills/security-building-secure-contracts/README.md +241 -0
  68. package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md +284 -0
  69. package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +405 -0
  70. package/skills/security-building-secure-contracts/skills/audit-prep-assistant/SKILL.md +409 -0
  71. package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/SKILL.md +329 -0
  72. package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +722 -0
  73. package/skills/security-building-secure-contracts/skills/code-maturity-assessor/SKILL.md +218 -0
  74. package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/ASSESSMENT_CRITERIA.md +355 -0
  75. package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/EXAMPLE_REPORT.md +248 -0
  76. package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/REPORT_FORMAT.md +33 -0
  77. package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md +334 -0
  78. package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +740 -0
  79. package/skills/security-building-secure-contracts/skills/guidelines-advisor/SKILL.md +252 -0
  80. package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/ASSESSMENT_AREAS.md +329 -0
  81. package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/DELIVERABLES.md +118 -0
  82. package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/EXAMPLE_REPORT.md +298 -0
  83. package/skills/security-building-secure-contracts/skills/secure-workflow-guide/SKILL.md +161 -0
  84. package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/EXAMPLE_REPORT.md +279 -0
  85. package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/WORKFLOW_STEPS.md +132 -0
  86. package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/SKILL.md +389 -0
  87. package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +669 -0
  88. package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/SKILL.md +298 -0
  89. package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +791 -0
  90. package/skills/security-building-secure-contracts/skills/token-integration-analyzer/SKILL.md +362 -0
  91. package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/ASSESSMENT_CATEGORIES.md +571 -0
  92. package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/REPORT_TEMPLATES.md +141 -0
  93. package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/SKILL.md +388 -0
  94. package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +595 -0
  95. package/skills/security-burpsuite-project-parser/.claude-plugin/plugin.json +10 -0
  96. package/skills/security-burpsuite-project-parser/README.md +103 -0
  97. package/skills/security-burpsuite-project-parser/commands/burp-search.md +18 -0
  98. package/skills/security-burpsuite-project-parser/skills/SKILL.md +358 -0
  99. package/skills/security-burpsuite-project-parser/skills/scripts/burp-search.sh +99 -0
  100. package/skills/security-claude-in-chrome-troubleshooting/.claude-plugin/plugin.json +8 -0
  101. package/skills/security-claude-in-chrome-troubleshooting/README.md +31 -0
  102. package/skills/security-claude-in-chrome-troubleshooting/skills/claude-in-chrome-troubleshooting/SKILL.md +251 -0
  103. package/skills/security-constant-time-analysis/.claude-plugin/plugin.json +9 -0
  104. package/skills/security-constant-time-analysis/README.md +381 -0
  105. package/skills/security-constant-time-analysis/commands/ct-check.md +20 -0
  106. package/skills/security-constant-time-analysis/ct_analyzer/__init__.py +49 -0
  107. package/skills/security-constant-time-analysis/ct_analyzer/analyzer.py +1284 -0
  108. package/skills/security-constant-time-analysis/ct_analyzer/script_analyzers.py +3081 -0
  109. package/skills/security-constant-time-analysis/ct_analyzer/tests/__init__.py +1 -0
  110. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_analyzer.py +1397 -0
  111. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js +205 -0
  112. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c +181 -0
  113. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c +74 -0
  114. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go +78 -0
  115. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs +92 -0
  116. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.cs +174 -0
  117. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.java +161 -0
  118. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.kt +181 -0
  119. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.php +140 -0
  120. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py +252 -0
  121. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb +188 -0
  122. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift +199 -0
  123. package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.ts +154 -0
  124. package/skills/security-constant-time-analysis/pyproject.toml +52 -0
  125. package/skills/security-constant-time-analysis/skills/constant-time-analysis/README.md +90 -0
  126. package/skills/security-constant-time-analysis/skills/constant-time-analysis/SKILL.md +219 -0
  127. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/compiled.md +129 -0
  128. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/javascript.md +136 -0
  129. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/kotlin.md +252 -0
  130. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/php.md +172 -0
  131. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/python.md +179 -0
  132. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/ruby.md +198 -0
  133. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/swift.md +288 -0
  134. package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/vm-compiled.md +354 -0
  135. package/skills/security-constant-time-analysis/uv.lock +8 -0
  136. package/skills/security-culture-index/.claude-plugin/plugin.json +8 -0
  137. package/skills/security-culture-index/README.md +79 -0
  138. package/skills/security-culture-index/skills/interpreting-culture-index/SKILL.md +293 -0
  139. package/skills/security-culture-index/skills/interpreting-culture-index/references/anti-patterns.md +255 -0
  140. package/skills/security-culture-index/skills/interpreting-culture-index/references/conversation-starters.md +408 -0
  141. package/skills/security-culture-index/skills/interpreting-culture-index/references/interview-trait-signals.md +253 -0
  142. package/skills/security-culture-index/skills/interpreting-culture-index/references/motivators.md +158 -0
  143. package/skills/security-culture-index/skills/interpreting-culture-index/references/patterns-archetypes.md +147 -0
  144. package/skills/security-culture-index/skills/interpreting-culture-index/references/primary-traits.md +307 -0
  145. package/skills/security-culture-index/skills/interpreting-culture-index/references/secondary-traits.md +228 -0
  146. package/skills/security-culture-index/skills/interpreting-culture-index/references/team-composition.md +148 -0
  147. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/check_deps.py +108 -0
  148. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/__init__.py +20 -0
  149. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/constants.py +122 -0
  150. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/extract.py +187 -0
  151. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/models.py +16 -0
  152. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/opencv_extractor.py +520 -0
  153. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/extract_pdf.py +237 -0
  154. package/skills/security-culture-index/skills/interpreting-culture-index/scripts/pyproject.toml +18 -0
  155. package/skills/security-culture-index/skills/interpreting-culture-index/templates/burnout-report.md +113 -0
  156. package/skills/security-culture-index/skills/interpreting-culture-index/templates/comparison-report.md +103 -0
  157. package/skills/security-culture-index/skills/interpreting-culture-index/templates/hiring-profile.md +127 -0
  158. package/skills/security-culture-index/skills/interpreting-culture-index/templates/individual-report.md +85 -0
  159. package/skills/security-culture-index/skills/interpreting-culture-index/templates/predicted-profile.md +165 -0
  160. package/skills/security-culture-index/skills/interpreting-culture-index/templates/team-report.md +109 -0
  161. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/analyze-team.md +188 -0
  162. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/coach-manager.md +267 -0
  163. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/compare-profiles.md +188 -0
  164. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/define-hiring-profile.md +220 -0
  165. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/detect-burnout.md +206 -0
  166. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/extract-from-pdf.md +121 -0
  167. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interpret-individual.md +183 -0
  168. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interview-debrief.md +234 -0
  169. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/mediate-conflict.md +306 -0
  170. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/plan-onboarding.md +322 -0
  171. package/skills/security-culture-index/skills/interpreting-culture-index/workflows/predict-from-interview.md +250 -0
  172. package/skills/security-differential-review/.claude-plugin/plugin.json +10 -0
  173. package/skills/security-differential-review/README.md +109 -0
  174. package/skills/security-differential-review/commands/diff-review.md +21 -0
  175. package/skills/security-differential-review/skills/differential-review/SKILL.md +220 -0
  176. package/skills/security-differential-review/skills/differential-review/adversarial.md +203 -0
  177. package/skills/security-differential-review/skills/differential-review/methodology.md +234 -0
  178. package/skills/security-differential-review/skills/differential-review/patterns.md +300 -0
  179. package/skills/security-differential-review/skills/differential-review/reporting.md +369 -0
  180. package/skills/security-dwarf-expert/.claude-plugin/plugin.json +10 -0
  181. package/skills/security-dwarf-expert/README.md +38 -0
  182. package/skills/security-dwarf-expert/skills/dwarf-expert/SKILL.md +93 -0
  183. package/skills/security-dwarf-expert/skills/dwarf-expert/reference/coding.md +31 -0
  184. package/skills/security-dwarf-expert/skills/dwarf-expert/reference/dwarfdump.md +50 -0
  185. package/skills/security-dwarf-expert/skills/dwarf-expert/reference/readelf.md +8 -0
  186. package/skills/security-entry-point-analyzer/.claude-plugin/plugin.json +10 -0
  187. package/skills/security-entry-point-analyzer/README.md +74 -0
  188. package/skills/security-entry-point-analyzer/commands/entry-points.md +18 -0
  189. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/SKILL.md +251 -0
  190. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md +182 -0
  191. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md +107 -0
  192. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md +87 -0
  193. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solana.md +155 -0
  194. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md +135 -0
  195. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/ton.md +185 -0
  196. package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/vyper.md +141 -0
  197. package/skills/security-firebase-apk-scanner/.claude-plugin/plugin.json +10 -0
  198. package/skills/security-firebase-apk-scanner/README.md +85 -0
  199. package/skills/security-firebase-apk-scanner/commands/scan-apk.md +18 -0
  200. package/skills/security-firebase-apk-scanner/scanner.sh +1408 -0
  201. package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/SKILL.md +197 -0
  202. package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/references/vulnerabilities.md +803 -0
  203. package/skills/security-fix-review/.claude-plugin/plugin.json +13 -0
  204. package/skills/security-fix-review/README.md +118 -0
  205. package/skills/security-fix-review/commands/fix-review.md +24 -0
  206. package/skills/security-fix-review/skills/fix-review/SKILL.md +264 -0
  207. package/skills/security-fix-review/skills/fix-review/references/bug-detection.md +408 -0
  208. package/skills/security-fix-review/skills/fix-review/references/finding-matching.md +298 -0
  209. package/skills/security-fix-review/skills/fix-review/references/report-parsing.md +398 -0
  210. package/skills/security-insecure-defaults/.claude-plugin/plugin.json +10 -0
  211. package/skills/security-insecure-defaults/README.md +45 -0
  212. package/skills/security-insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
  213. package/skills/security-insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
  214. package/skills/security-modern-python/.claude-plugin/plugin.json +10 -0
  215. package/skills/security-modern-python/README.md +58 -0
  216. package/skills/security-modern-python/hooks/hooks.json +16 -0
  217. package/skills/security-modern-python/hooks/intercept-legacy-python.bats +388 -0
  218. package/skills/security-modern-python/hooks/intercept-legacy-python.sh +109 -0
  219. package/skills/security-modern-python/hooks/test_helper.bash +75 -0
  220. package/skills/security-modern-python/skills/modern-python/SKILL.md +333 -0
  221. package/skills/security-modern-python/skills/modern-python/references/dependabot.md +43 -0
  222. package/skills/security-modern-python/skills/modern-python/references/migration-checklist.md +141 -0
  223. package/skills/security-modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
  224. package/skills/security-modern-python/skills/modern-python/references/prek.md +211 -0
  225. package/skills/security-modern-python/skills/modern-python/references/pyproject.md +254 -0
  226. package/skills/security-modern-python/skills/modern-python/references/ruff-config.md +240 -0
  227. package/skills/security-modern-python/skills/modern-python/references/security-setup.md +255 -0
  228. package/skills/security-modern-python/skills/modern-python/references/testing.md +284 -0
  229. package/skills/security-modern-python/skills/modern-python/references/uv-commands.md +200 -0
  230. package/skills/security-modern-python/skills/modern-python/templates/dependabot.yml +36 -0
  231. package/skills/security-modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
  232. package/skills/security-property-based-testing/.claude-plugin/plugin.json +9 -0
  233. package/skills/security-property-based-testing/README.md +47 -0
  234. package/skills/security-property-based-testing/skills/property-based-testing/README.md +88 -0
  235. package/skills/security-property-based-testing/skills/property-based-testing/SKILL.md +109 -0
  236. package/skills/security-property-based-testing/skills/property-based-testing/references/design.md +191 -0
  237. package/skills/security-property-based-testing/skills/property-based-testing/references/generating.md +200 -0
  238. package/skills/security-property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
  239. package/skills/security-property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
  240. package/skills/security-property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
  241. package/skills/security-property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
  242. package/skills/semgrep-rule-creator/.claude-plugin/plugin.json +8 -0
  243. package/skills/semgrep-rule-creator/README.md +43 -0
  244. package/skills/semgrep-rule-creator/commands/semgrep-rule.md +26 -0
  245. package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/SKILL.md +168 -0
  246. package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md +203 -0
  247. package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md +240 -0
  248. package/skills/semgrep-rule-variant-creator/.claude-plugin/plugin.json +9 -0
  249. package/skills/semgrep-rule-variant-creator/README.md +86 -0
  250. package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
  251. package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
  252. package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
  253. package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
  254. package/skills/session-logs/SKILL.md +115 -0
  255. package/skills/sharp-edges/.claude-plugin/plugin.json +10 -0
  256. package/skills/sharp-edges/README.md +48 -0
  257. package/skills/sharp-edges/skills/sharp-edges/SKILL.md +292 -0
  258. package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +252 -0
  259. package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +274 -0
  260. package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +333 -0
  261. package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +190 -0
  262. package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +205 -0
  263. package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +285 -0
  264. package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +270 -0
  265. package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +263 -0
  266. package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +269 -0
  267. package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +265 -0
  268. package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +245 -0
  269. package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +274 -0
  270. package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +273 -0
  271. package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +272 -0
  272. package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +287 -0
  273. package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +588 -0
  274. package/skills/sherpa-onnx-tts/SKILL.md +103 -0
  275. package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
  276. package/skills/skill-creator/SKILL.md +370 -0
  277. package/skills/skill-creator/license.txt +202 -0
  278. package/skills/skill-creator/scripts/init_skill.py +378 -0
  279. package/skills/skill-creator/scripts/package_skill.py +111 -0
  280. package/skills/skill-creator/scripts/quick_validate.py +101 -0
  281. package/skills/slack/SKILL.md +144 -0
  282. package/skills/songsee/SKILL.md +49 -0
  283. package/skills/sonoscli/SKILL.md +46 -0
  284. package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +10 -0
  285. package/skills/spec-to-code-compliance/README.md +67 -0
  286. package/skills/spec-to-code-compliance/commands/spec-compliance.md +22 -0
  287. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +349 -0
  288. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
  289. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
  290. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
  291. package/skills/spotify-player/SKILL.md +64 -0
  292. package/skills/static-analysis/.claude-plugin/plugin.json +8 -0
  293. package/skills/static-analysis/README.md +59 -0
  294. package/skills/static-analysis/skills/codeql/SKILL.md +315 -0
  295. package/skills/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
  296. package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
  297. package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
  298. package/skills/static-analysis/skills/semgrep/SKILL.md +337 -0
  299. package/skills/summarize/SKILL.md +87 -0
  300. package/skills/testing-handbook-skills/.claude-plugin/plugin.json +8 -0
  301. package/skills/testing-handbook-skills/README.md +241 -0
  302. package/skills/testing-handbook-skills/scripts/pyproject.toml +8 -0
  303. package/skills/testing-handbook-skills/scripts/validate-skills.py +657 -0
  304. package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +341 -0
  305. package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +640 -0
  306. package/skills/testing-handbook-skills/skills/atheris/SKILL.md +515 -0
  307. package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +454 -0
  308. package/skills/testing-handbook-skills/skills/codeql/SKILL.md +549 -0
  309. package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +507 -0
  310. package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +607 -0
  311. package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +297 -0
  312. package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +426 -0
  313. package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +614 -0
  314. package/skills/testing-handbook-skills/skills/libafl/SKILL.md +625 -0
  315. package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +795 -0
  316. package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +426 -0
  317. package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +443 -0
  318. package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +601 -0
  319. package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +372 -0
  320. package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +280 -0
  321. package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +452 -0
  322. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +504 -0
  323. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +454 -0
  324. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +527 -0
  325. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +366 -0
  326. package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +482 -0
  327. package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +533 -0
  328. package/skills/things-mac/SKILL.md +86 -0
  329. package/skills/tmux/SKILL.md +135 -0
  330. package/skills/tmux/scripts/find-sessions.sh +112 -0
  331. package/skills/tmux/scripts/wait-for-text.sh +83 -0
  332. package/skills/trello/SKILL.md +95 -0
  333. package/skills/variant-analysis/.claude-plugin/plugin.json +8 -0
  334. package/skills/variant-analysis/README.md +41 -0
  335. package/skills/variant-analysis/commands/variants.md +23 -0
  336. package/skills/variant-analysis/skills/variant-analysis/METHODOLOGY.md +327 -0
  337. package/skills/variant-analysis/skills/variant-analysis/SKILL.md +142 -0
  338. package/skills/variant-analysis/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
  339. package/skills/variant-analysis/skills/variant-analysis/resources/codeql/go.ql +69 -0
  340. package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql +71 -0
  341. package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
  342. package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql +80 -0
  343. package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
  344. package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
  345. package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
  346. package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
  347. package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
  348. package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md +75 -0
  349. package/skills/video-frames/SKILL.md +46 -0
  350. package/skills/video-frames/scripts/frame.sh +81 -0
  351. package/skills/voice-call/SKILL.md +45 -0
  352. package/skills/wacli/SKILL.md +72 -0
  353. package/skills/weather/SKILL.md +54 -0
  354. package/skills/yara-authoring/.claude-plugin/plugin.json +9 -0
  355. package/skills/yara-authoring/README.md +131 -0
  356. package/skills/yara-authoring/skills/yara-rule-authoring/SKILL.md +645 -0
  357. package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar +99 -0
  358. package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar +170 -0
  359. package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar +103 -0
  360. package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar +134 -0
  361. package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar +185 -0
  362. package/skills/yara-authoring/skills/yara-rule-authoring/references/crx-module.md +214 -0
  363. package/skills/yara-authoring/skills/yara-rule-authoring/references/dex-module.md +383 -0
  364. package/skills/yara-authoring/skills/yara-rule-authoring/references/performance.md +333 -0
  365. package/skills/yara-authoring/skills/yara-rule-authoring/references/strings.md +433 -0
  366. package/skills/yara-authoring/skills/yara-rule-authoring/references/style-guide.md +257 -0
  367. package/skills/yara-authoring/skills/yara-rule-authoring/references/testing.md +399 -0
  368. package/skills/yara-authoring/skills/yara-rule-authoring/scripts/atom_analyzer.py +526 -0
  369. package/skills/yara-authoring/skills/yara-rule-authoring/scripts/pyproject.toml +25 -0
  370. package/skills/yara-authoring/skills/yara-rule-authoring/scripts/yara_lint.py +631 -0
  371. package/skills/yara-authoring/skills/yara-rule-authoring/workflows/rule-development.md +493 -0
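--- /dev/null
+++ b/[path not shown in this chunk]
@@ -0,0 +1,270 @@
+# Go Sharp Edges
+
+## Silent Integer Overflow
+
+```go
+// DANGEROUS: Overflow wraps silently (no panic!)
+var x int32 = math.MaxInt32
+x = x + 1 // Wraps to -2147483648, no error
+
+// Real vulnerability pattern: size calculations
+func allocate(count int32, size int32) []byte {
+total := count * size // Can overflow!
+return make([]byte, total) // Tiny allocation
+}
+```
+
+**The Problem**: Unlike Rust (debug panics), Go silently wraps. Fuzzing with go-fuzz may never find overflow bugs because they don't crash.
+
+**Detection**: Arithmetic on integer types, especially:
+- Multiplication for size calculations
+- Addition near max values
+- Conversions between integer sizes
+
+**Mitigation**: Use `math/bits` overflow-checking functions or check manually.
+
+## Slice Aliasing
+
+```go
+// DANGEROUS: Slices share backing array
+original := []int{1, 2, 3, 4, 5}
+slice1 := original[1:3] // {2, 3}
+slice2 := original[2:4] // {3, 4}
+
+slice1[1] = 999 // Modifies original AND slice2!
+// slice2 is now {999, 4}
+// original is now {1, 2, 999, 4, 5}
+
+// Also dangerous with append:
+a := []int{1, 2, 3}
+b := a[:2] // Shares backing array
+b = append(b, 4) // May or may not reallocate
+// Did this modify a[2]? Depends on capacity!
+```
+
+**Fix**: Use `copy()` to create independent slices when needed.
+
+## Interface Nil Confusion
+
+```go
+// DANGEROUS: Typed nil vs untyped nil
+var p *MyStruct = nil
+var i interface{} = p
+
+if i == nil {
+// This is FALSE!
+// i holds (type=*MyStruct, value=nil)
+// An interface is only nil if BOTH type AND value are nil
+}
+
+// Common in error handling:
+func getError() error {
+var err *MyError = nil
+return err // Returns non-nil error interface!
+}
+
+if err := getError(); err != nil {
+// Always true! Even though underlying pointer is nil
+}
+```
+
+**Fix**: Return explicit `nil`, not typed nil pointers.
+
+```go
+func getError() error {
+if somethingWrong {
+return &MyError{}
+}
+return nil // Untyped nil - interface will be nil
+}
+```
+
+## JSON Decoder Pitfalls
+
+```go
+// DANGEROUS: Case-insensitive field matching
+type User struct {
+Admin bool `json:"admin"`
+}
+
+// Attacker sends: {"ADMIN": true} or {"Admin": true} or {"aDmIn": true}
+// ALL match the "admin" field!
+
+// DANGEROUS: Duplicate keys - last one wins
+// {"admin": false, "admin": true} → Admin = true
+// Attacker can hide the true value after a false value
+
+// DANGEROUS: Unknown fields silently ignored
+type Config struct {
+Timeout int `json:"timeout"`
+}
+// {"timeout": 30, "timeoutt": 0} - typo silently ignored
+```
+
+**Fix**:
+```go
+decoder := json.NewDecoder(r.Body)
+decoder.DisallowUnknownFields() // Reject unknown fields
+```
+
+For case-sensitivity, consider alternative JSON libraries or custom UnmarshalJSON.
+
+## Defer in Loops
+
+```go
+// DANGEROUS: All defers execute at function end, not loop iteration
+func processFiles(files []string) error {
+for _, file := range files {
+f, err := os.Open(file)
+if err != nil {
+return err
+}
+defer f.Close() // Files stay open until function returns!
+}
+// All files open simultaneously - can exhaust file descriptors
+return nil
+}
+
+// SAFE: Use closure to scope defer
+func processFiles(files []string) error {
+for _, file := range files {
+if err := func() error {
+f, err := os.Open(file)
+if err != nil {
+return err
+}
+defer f.Close() // Closes at end of this closure
+return processFile(f)
+}(); err != nil {
+return err
+}
+}
+return nil
+}
+```
+
+## Goroutine Leaks
+
+```go
+// DANGEROUS: Goroutine blocked forever
+func search(query string) string {
+ch := make(chan string)
+go func() {
+ch <- slowSearch(query) // What if nobody reads?
+}()
+
+select {
+case result := <-ch:
+return result
+case <-time.After(100 * time.Millisecond):
+return "" // Timeout - goroutine blocked forever!
+}
+}
+
+// SAFE: Use buffered channel
+func search(query string) string {
+ch := make(chan string, 1) // Buffered - send won't block
+go func() {
+ch <- slowSearch(query)
+}()
+
+select {
+case result := <-ch:
+return result
+case <-time.After(100 * time.Millisecond):
+return "" // Goroutine can still send and exit
+}
+}
+```
+
+## Range Loop Variable Capture
+
+```go
+// DANGEROUS (Go < 1.22): Loop variable captured by reference
+var funcs []func()
+for _, v := range []int{1, 2, 3} {
+funcs = append(funcs, func() { fmt.Println(v) })
+}
+for _, f := range funcs {
+f() // Prints: 3, 3, 3 (all capture same v)
+}
+
+// SAFE: Copy the variable
+for _, v := range []int{1, 2, 3} {
+v := v // Shadow with new variable
+funcs = append(funcs, func() { fmt.Println(v) })
+}
+```
+
+**Note**: Fixed in Go 1.22 with GOEXPERIMENT=loopvar (default in Go 1.23+).
+
+## String/Byte Slice Conversion
+
+```go
+// DANGEROUS: String to []byte creates a copy
+s := "large string..."
+b := []byte(s) // Allocates and copies
+
+// In hot paths, this can be expensive
+// But unsafe conversion has its own risks:
+
+// VERY DANGEROUS: Unsafe conversion allows mutation
+import "unsafe"
+s := "immutable"
+b := *(*[]byte)(unsafe.Pointer(&s))
+b[0] = 'X' // Modifies "immutable" string - UB!
+// Strings are supposed to be immutable
+```
+
+## Map Concurrent Access
+
+```go
+// DANGEROUS: Maps are not goroutine-safe
+m := make(map[string]int)
+
+go func() { m["a"] = 1 }()
+go func() { m["b"] = 2 }()
+// Data race! Can cause runtime panic or corruption
+
+// SAFE: Use sync.Map or mutex
+var m sync.Map
+m.Store("a", 1)
+```
+
+## Error Handling Patterns
+
+```go
+// DANGEROUS: Ignoring errors
+data, _ := ioutil.ReadFile(filename) // Error ignored!
+
+// DANGEROUS: Error shadowing
+err := doSomething()
+if err != nil {
+err := handleError(err) // Shadows outer err!
+// Original err handling may be skipped
+}
+
+// DANGEROUS: Deferred error ignoring
+defer file.Close() // Close() returns error, ignored!
+
+// SAFER:
+defer func() {
+if err := file.Close(); err != nil {
+log.Printf("close failed: %v", err)
+}
+}()
+```
+
+## Detection Patterns
+
+| Pattern | Risk |
+|---------|------|
+| `x * y` with int types | Silent overflow |
+| `slice[a:b]` without copy | Aliasing |
+| `return &ConcreteType{}` as interface | Interface nil confusion |
+| `json.Unmarshal` without DisallowUnknownFields | Field injection |
+| `defer` inside `for` | Resource leak |
+| `go func()` with unbuffered channel | Goroutine leak |
+| Closure in loop capturing loop var | Capture bug (pre-1.22) |
+| `map` access from multiple goroutines | Data race |
+| `_, err :=` instead of `_, err =` | Error shadowing |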
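--- /dev/null
+++ b/[path not shown in this chunk]
@@ -0,0 +1,263 @@
+# Java Sharp Edges
+
+## Equality Confusion
+
+```java
+// DANGEROUS: == compares references, not values
+String a = new String("hello");
+String b = new String("hello");
+a == b // FALSE - different objects
+
+// String interning makes this confusing:
+String c = "hello";
+String d = "hello";
+c == d // TRUE - string literals are interned
+
+// DANGEROUS: Integer caching boundary
+Integer x = 127;
+Integer y = 127;
+x == y // TRUE - cached in range [-128, 127]
+
+Integer p = 128;
+Integer q = 128;
+p == q // FALSE - outside cache range!
+```
+
+**Fix**: Always use `.equals()` for object comparison:
+```java
+a.equals(b) // TRUE
+p.equals(q) // TRUE
+Objects.equals(a, b) // Null-safe
+```
+
+## Type Erasure
+
+```java
+// DANGEROUS: Generic types erased at runtime
+List<String> strings = new ArrayList<>();
+List<Integer> ints = new ArrayList<>();
+
+// At runtime, both are just "ArrayList"
+strings.getClass() == ints.getClass() // TRUE
+
+// Can't do runtime type checks:
+if (obj instanceof List<String>) { } // Compile error!
+
+// Can cast incorrectly:
+List<?> raw = strings;
+List<Integer> wrongType = (List<Integer>) raw; // No runtime error!
+wrongType.get(0); // ClassCastException here, not at cast
+```
+
+## Serialization RCE
+
+```java
+// DANGEROUS: Like pickle, deserializes arbitrary objects
+ObjectInputStream ois = new ObjectInputStream(untrustedInput);
+Object obj = ois.readObject();
+
+// Even without reading, deserialization triggers:
+// - readObject() methods
+// - readResolve() methods
+// - finalize() (deprecated but still works)
+
+// "Gadget chains" in libraries enable RCE:
+// - Commons Collections
+// - Spring Framework
+// - Apache libraries
+// ysoserial tool generates payloads
+```
+
+**Fix**: Use JSON or implement `ObjectInputFilter` (Java 9+):
+```java
+ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
+"!*" // Reject all classes
+);
+```
+
+## Null Pointer Exceptions
+
+```java
+// DANGEROUS: Unboxing null throws NPE
+Integer value = null;
+int primitive = value; // NPE!
+
+// DANGEROUS: Chained calls
+String name = user.getProfile().getSettings().getName();
+// NPE if any intermediate is null
+
+// Optional doesn't help if misused:
+Optional.of(null); // NPE!
+optional.get(); // NoSuchElementException if empty
+```
+
+**Fix**: Use Optional correctly:
+```java
+Optional.ofNullable(value);
+optional.orElse(default);
+optional.map(x -> x.transform()).orElse(null);
+```
+
+## Checked Exception Swallowing
+
+```java
+// DANGEROUS: Empty catch blocks
+try {
+sensitiveOperation();
+} catch (Exception e) {
+// Silently swallowed - failure masked!
+}
+
+// DANGEROUS: Catch-and-log without action
+try {
+authenticate();
+} catch (AuthException e) {
+log.error("Auth failed", e);
+// Continues as if authentication succeeded!
+}
+
+// DANGEROUS: Over-broad catch
+try {
+doWork();
+} catch (Exception e) { // Catches everything including bugs
+return defaultValue;
+}
+```
+
+## String Operations
+
+```java
+// DANGEROUS: String concatenation in loops
+String result = "";
+for (String s : items) {
+result += s; // Creates new String each iteration
+}
+// O(n²) time complexity, memory churn
+
+// DANGEROUS: split() with regex
+"a.b.c".split("."); // Empty array! "." is regex for "any char"
+
+// DANGEROUS: substring() memory (pre-Java 7u6)
+String huge = loadGigabyteFile();
+String small = huge.substring(0, 10);
+// small holds reference to entire huge char[]
+```
+
+**Fix**: Use `StringBuilder`, `Pattern.quote(".")`, modern Java.
+
+## Thread Safety
+
+```java
+// DANGEROUS: SimpleDateFormat is not thread-safe
+static SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd");
+
+// Multiple threads calling fmt.parse() = corrupted results
+
+// DANGEROUS: HashMap not thread-safe
+Map<String, String> map = new HashMap<>();
+// Concurrent put() can cause infinite loop!
+
+// DANGEROUS: Double-checked locking (broken before Java 5)
+if (instance == null) {
+synchronized (lock) {
+if (instance == null) {
+instance = new Singleton(); // May see partially constructed
+}
+}
+}
+```
+
+**Fix**: Use `DateTimeFormatter` (immutable), `ConcurrentHashMap`, volatile.
+
+## Resource Leaks
+
+```java
+// DANGEROUS: Resources not closed on exception
+FileInputStream fis = new FileInputStream(file);
+// Exception here = fis never closed
+process(fis);
+fis.close();
+
+// DANGEROUS: Close in finally can mask exception
+FileInputStream fis = null;
+try {
+fis = new FileInputStream(file);
+throw new RuntimeException("oops");
+} finally {
+fis.close(); // May throw, masking original exception
+}
+```
+
+**Fix**: Use try-with-resources:
+```java
+try (FileInputStream fis = new FileInputStream(file)) {
+process(fis);
+} // Automatically closed, exceptions properly handled
+```
+
+## Floating Point
+
+```java
+// DANGEROUS: Float/double for money
+double price = 0.1 + 0.2; // 0.30000000000000004
+if (price == 0.3) { } // FALSE!
+
+// DANGEROUS: BigDecimal from double
+new BigDecimal(0.1); // 0.1000000000000000055511151231257827...
+```
+
+**Fix**: Use `BigDecimal` with String constructor:
+```java
+new BigDecimal("0.1"); // Exactly 0.1
+```
+
+## Reflection
+
+```java
+// DANGEROUS: Bypasses access controls
+Field field = obj.getClass().getDeclaredField("privateField");
+field.setAccessible(true); // Bypass private!
+field.set(obj, maliciousValue);
+
+// Can modify "final" fields (with caveats)
+// Can invoke private methods
+// Can break encapsulation entirely
+```
+
+## XML Processing (XXE)
+
+```java
+// DANGEROUS: Default XML parsers allow XXE
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+// Default allows: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+
+// DANGEROUS: Even with DTD disabled
+factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+// Still vulnerable to billion laughs without entity limits
+```
+
+**Fix**: Disable all external entities:
+```java
+factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+factory.setXIncludeAware(false);
+factory.setExpandEntityReferences(false);
+```
+
+## Detection Patterns
+
+| Pattern | Risk |
+|---------|------|
+| `==` with objects | Reference comparison |
+| `Integer/Long` comparison with `==` | Cache boundary |
+| `ObjectInputStream.readObject()` | Deserialization RCE |
+| Empty `catch` block | Swallowed exception |
+| `catch (Exception e)` | Over-broad catch |
+| `String +=` in loop | Performance, memory |
+| `split(".")` | Regex interpretation |
+| `static SimpleDateFormat` | Thread safety |
+| `HashMap` shared across threads | Race condition |
+| Resources without try-with-resources | Resource leak |
+| `new BigDecimal(double)` | Precision loss |
+| `DocumentBuilderFactory.newInstance()` | XXE vulnerability |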