@elizaos/skills 2.0.0-alpha.43 → 2.0.0-alpha.430

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (154) hide show
  1. package/README.md +4 -0
  2. package/dist/formatter.d.ts.map +1 -1
  3. package/dist/formatter.js +3 -3
  4. package/dist/frontmatter.d.ts +13 -1
  5. package/dist/frontmatter.d.ts.map +1 -1
  6. package/dist/frontmatter.js +51 -1
  7. package/dist/index.d.ts +3 -3
  8. package/dist/index.d.ts.map +1 -1
  9. package/dist/index.js +2 -2
  10. package/dist/loader.d.ts.map +1 -1
  11. package/dist/loader.js +10 -3
  12. package/dist/resolver.d.ts +17 -0
  13. package/dist/resolver.d.ts.map +1 -1
  14. package/dist/resolver.js +54 -1
  15. package/dist/types.d.ts +38 -1
  16. package/dist/types.d.ts.map +1 -1
  17. package/package.json +7 -6
  18. package/skills/apple-reminders/SKILL.md +1 -1
  19. package/skills/blucli/SKILL.md +1 -1
  20. package/skills/bluebubbles/SKILL.md +1 -1
  21. package/skills/camsnap/SKILL.md +1 -1
  22. package/skills/canvas/SKILL.md +6 -6
  23. package/skills/coding-agent/SKILL.md +2 -2
  24. package/skills/eliza-app-development/SKILL.md +62 -0
  25. package/skills/eliza-app-development/references/repo-map.md +70 -0
  26. package/skills/eliza-app-development/references/runtime-and-cloud.md +61 -0
  27. package/skills/eliza-cloud/SKILL.md +39 -0
  28. package/skills/eliza-cloud/references/apps-and-containers.md +73 -0
  29. package/skills/eliza-cloud/references/cloud-backend-and-monetization.md +99 -0
  30. package/skills/elizaos/SKILL.md +27 -0
  31. package/skills/elizaos/references/core-abstractions.md +101 -0
  32. package/skills/elizaos/references/plugin-development.md +74 -0
  33. package/skills/github/SKILL.md +1 -1
  34. package/skills/imsg/SKILL.md +1 -1
  35. package/skills/nano-banana-pro/SKILL.md +1 -1
  36. package/skills/nano-pdf/SKILL.md +1 -1
  37. package/skills/notion/SKILL.md +1 -1
  38. package/skills/obsidian/SKILL.md +1 -1
  39. package/skills/ordercli/SKILL.md +1 -1
  40. package/skills/skill-creator/SKILL.md +1 -1
  41. package/skills/slack/SKILL.md +1 -1
  42. package/skills/spotify-player/SKILL.md +1 -1
  43. package/skills/tmux/SKILL.md +1 -1
  44. package/skills/trello/SKILL.md +1 -1
  45. package/skills/wacli/SKILL.md +1 -1
  46. package/skills/weather/SKILL.md +1 -1
  47. package/skills/yara-authoring/SKILL.md +111 -0
  48. package/skills/bear-notes/SKILL.md +0 -107
  49. package/skills/bird/SKILL.md +0 -224
  50. package/skills/blogwatcher/SKILL.md +0 -69
  51. package/skills/clawhub/SKILL.md +0 -77
  52. package/skills/eightctl/SKILL.md +0 -50
  53. package/skills/food-order/SKILL.md +0 -48
  54. package/skills/gemini/SKILL.md +0 -43
  55. package/skills/gifgrep/SKILL.md +0 -79
  56. package/skills/gog/SKILL.md +0 -116
  57. package/skills/goplaces/SKILL.md +0 -52
  58. package/skills/himalaya/SKILL.md +0 -257
  59. package/skills/himalaya/references/configuration.md +0 -184
  60. package/skills/himalaya/references/message-composition.md +0 -199
  61. package/skills/local-places/SERVER_README.md +0 -101
  62. package/skills/local-places/SKILL.md +0 -102
  63. package/skills/local-places/pyproject.toml +0 -21
  64. package/skills/local-places/src/local_places/__init__.py +0 -2
  65. package/skills/local-places/src/local_places/google_places.py +0 -314
  66. package/skills/local-places/src/local_places/main.py +0 -65
  67. package/skills/local-places/src/local_places/schemas.py +0 -107
  68. package/skills/mcporter/SKILL.md +0 -61
  69. package/skills/model-usage/SKILL.md +0 -69
  70. package/skills/model-usage/references/codexbar-cli.md +0 -33
  71. package/skills/model-usage/scripts/model_usage.py +0 -310
  72. package/skills/openai-image-gen/SKILL.md +0 -89
  73. package/skills/openai-image-gen/scripts/gen.py +0 -240
  74. package/skills/openai-whisper/SKILL.md +0 -38
  75. package/skills/openai-whisper-api/SKILL.md +0 -52
  76. package/skills/openai-whisper-api/scripts/transcribe.sh +0 -85
  77. package/skills/openhue/SKILL.md +0 -51
  78. package/skills/oracle/SKILL.md +0 -125
  79. package/skills/peekaboo/SKILL.md +0 -190
  80. package/skills/sag/SKILL.md +0 -87
  81. package/skills/session-logs/SKILL.md +0 -115
  82. package/skills/sharp-edges/.claude-plugin/plugin.json +0 -10
  83. package/skills/sharp-edges/README.md +0 -48
  84. package/skills/sharp-edges/SKILL.md +0 -292
  85. package/skills/sharp-edges/skills/sharp-edges/SKILL.md +0 -292
  86. package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +0 -252
  87. package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +0 -274
  88. package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +0 -333
  89. package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +0 -190
  90. package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +0 -205
  91. package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +0 -285
  92. package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +0 -270
  93. package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +0 -263
  94. package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +0 -269
  95. package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +0 -265
  96. package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +0 -245
  97. package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +0 -274
  98. package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +0 -273
  99. package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +0 -272
  100. package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +0 -287
  101. package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +0 -588
  102. package/skills/sherpa-onnx-tts/SKILL.md +0 -103
  103. package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +0 -178
  104. package/skills/songsee/SKILL.md +0 -49
  105. package/skills/sonoscli/SKILL.md +0 -46
  106. package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +0 -10
  107. package/skills/spec-to-code-compliance/README.md +0 -67
  108. package/skills/spec-to-code-compliance/SKILL.md +0 -349
  109. package/skills/spec-to-code-compliance/commands/spec-compliance.md +0 -22
  110. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +0 -349
  111. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +0 -69
  112. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +0 -417
  113. package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +0 -105
  114. package/skills/static-analysis/.claude-plugin/plugin.json +0 -8
  115. package/skills/static-analysis/README.md +0 -59
  116. package/skills/static-analysis/SKILL.md +0 -91
  117. package/skills/static-analysis/skills/codeql/SKILL.md +0 -315
  118. package/skills/static-analysis/skills/sarif-parsing/SKILL.md +0 -479
  119. package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +0 -162
  120. package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +0 -331
  121. package/skills/static-analysis/skills/semgrep/SKILL.md +0 -337
  122. package/skills/summarize/SKILL.md +0 -87
  123. package/skills/testing-handbook-skills/.claude-plugin/plugin.json +0 -8
  124. package/skills/testing-handbook-skills/README.md +0 -241
  125. package/skills/testing-handbook-skills/SKILL.md +0 -104
  126. package/skills/testing-handbook-skills/scripts/pyproject.toml +0 -8
  127. package/skills/testing-handbook-skills/scripts/validate-skills.py +0 -657
  128. package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +0 -341
  129. package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +0 -640
  130. package/skills/testing-handbook-skills/skills/atheris/SKILL.md +0 -515
  131. package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +0 -454
  132. package/skills/testing-handbook-skills/skills/codeql/SKILL.md +0 -549
  133. package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +0 -507
  134. package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +0 -607
  135. package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +0 -297
  136. package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +0 -426
  137. package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +0 -614
  138. package/skills/testing-handbook-skills/skills/libafl/SKILL.md +0 -625
  139. package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +0 -795
  140. package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +0 -426
  141. package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +0 -443
  142. package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +0 -601
  143. package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +0 -372
  144. package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +0 -280
  145. package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +0 -452
  146. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +0 -504
  147. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +0 -454
  148. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +0 -527
  149. package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +0 -366
  150. package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +0 -482
  151. package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +0 -533
  152. package/skills/video-frames/SKILL.md +0 -46
  153. package/skills/video-frames/scripts/frame.sh +0 -81
  154. package/skills/voice-call/SKILL.md +0 -45
@@ -1,115 +0,0 @@
1
- ---
2
- name: session-logs
3
- description: Search and analyze your own session logs (older/parent conversations) using jq.
4
- metadata: { "otto": { "emoji": "📜", "requires": { "bins": ["jq", "rg"] } } }
5
- ---
6
-
7
- # session-logs
8
-
9
- Search your complete conversation history stored in session JSONL files. Use this when a user references older/parent conversations or asks what was said before.
10
-
11
- ## Trigger
12
-
13
- Use this skill when the user asks about prior chats, parent conversations, or historical context that isn't in memory files.
14
-
15
- ## Location
16
-
17
- Session logs live at: `~/.otto/agents/<agentId>/sessions/` (use the `agent=<id>` value from the system prompt Runtime line).
18
-
19
- - **`sessions.json`** - Index mapping session keys to session IDs
20
- - **`<session-id>.jsonl`** - Full conversation transcript per session
21
-
22
- ## Structure
23
-
24
- Each `.jsonl` file contains messages with:
25
-
26
- - `type`: "session" (metadata) or "message"
27
- - `timestamp`: ISO timestamp
28
- - `message.role`: "user", "assistant", or "toolResult"
29
- - `message.content[]`: Text, thinking, or tool calls (filter `type=="text"` for human-readable content)
30
- - `message.usage.cost.total`: Cost per response
31
-
32
- ## Common Queries
33
-
34
- ### List all sessions by date and size
35
-
36
- ```bash
37
- for f in ~/.otto/agents/<agentId>/sessions/*.jsonl; do
38
- date=$(head -1 "$f" | jq -r '.timestamp' | cut -dT -f1)
39
- size=$(ls -lh "$f" | awk '{print $5}')
40
- echo "$date $size $(basename $f)"
41
- done | sort -r
42
- ```
43
-
44
- ### Find sessions from a specific day
45
-
46
- ```bash
47
- for f in ~/.otto/agents/<agentId>/sessions/*.jsonl; do
48
- head -1 "$f" | jq -r '.timestamp' | grep -q "2026-01-06" && echo "$f"
49
- done
50
- ```
51
-
52
- ### Extract user messages from a session
53
-
54
- ```bash
55
- jq -r 'select(.message.role == "user") | .message.content[]? | select(.type == "text") | .text' <session>.jsonl
56
- ```
57
-
58
- ### Search for keyword in assistant responses
59
-
60
- ```bash
61
- jq -r 'select(.message.role == "assistant") | .message.content[]? | select(.type == "text") | .text' <session>.jsonl | rg -i "keyword"
62
- ```
63
-
64
- ### Get total cost for a session
65
-
66
- ```bash
67
- jq -s '[.[] | .message.usage.cost.total // 0] | add' <session>.jsonl
68
- ```
69
-
70
- ### Daily cost summary
71
-
72
- ```bash
73
- for f in ~/.otto/agents/<agentId>/sessions/*.jsonl; do
74
- date=$(head -1 "$f" | jq -r '.timestamp' | cut -dT -f1)
75
- cost=$(jq -s '[.[] | .message.usage.cost.total // 0] | add' "$f")
76
- echo "$date $cost"
77
- done | awk '{a[$1]+=$2} END {for(d in a) print d, "$"a[d]}' | sort -r
78
- ```
79
-
80
- ### Count messages and tokens in a session
81
-
82
- ```bash
83
- jq -s '{
84
- messages: length,
85
- user: [.[] | select(.message.role == "user")] | length,
86
- assistant: [.[] | select(.message.role == "assistant")] | length,
87
- first: .[0].timestamp,
88
- last: .[-1].timestamp
89
- }' <session>.jsonl
90
- ```
91
-
92
- ### Tool usage breakdown
93
-
94
- ```bash
95
- jq -r '.message.content[]? | select(.type == "toolCall") | .name' <session>.jsonl | sort | uniq -c | sort -rn
96
- ```
97
-
98
- ### Search across ALL sessions for a phrase
99
-
100
- ```bash
101
- rg -l "phrase" ~/.otto/agents/<agentId>/sessions/*.jsonl
102
- ```
103
-
104
- ## Tips
105
-
106
- - Sessions are append-only JSONL (one JSON object per line)
107
- - Large sessions can be several MB - use `head`/`tail` for sampling
108
- - The `sessions.json` index maps chat providers (discord, whatsapp, etc.) to session IDs
109
- - Deleted sessions have `.deleted.<timestamp>` suffix
110
-
111
- ## Fast text-only hint (low noise)
112
-
113
- ```bash
114
- jq -r 'select(.type=="message") | .message.content[]? | select(.type=="text") | .text' ~/.otto/agents/<agentId>/sessions/<id>.jsonl | rg 'keyword'
115
- ```
@@ -1,10 +0,0 @@
1
- {
2
- "name": "sharp-edges",
3
- "version": "1.0.0",
4
- "description": "Identify error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes",
5
- "author": {
6
- "name": "Trail of Bits",
7
- "email": "opensource@trailofbits.com",
8
- "url": "https://github.com/trailofbits"
9
- }
10
- }
@@ -1,48 +0,0 @@
1
- # Sharp Edges
2
-
3
- Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes through developer confusion, laziness, or malice.
4
-
5
- ## When to Use
6
-
7
- - Reviewing API designs for security-relevant interfaces
8
- - Auditing configuration schemas that expose security choices
9
- - Evaluating cryptographic library ergonomics
10
- - Assessing authentication/authorization APIs
11
- - Any code review where developers make security-critical decisions
12
-
13
- ## What It Does
14
-
15
- Analyzes code and designs through the lens of three adversaries:
16
-
17
- 1. **The Scoundrel**: Can a malicious developer or attacker disable security via configuration?
18
- 2. **The Lazy Developer**: Will copy-pasting the first example lead to insecure code?
19
- 3. **The Confused Developer**: Can parameters be swapped without type errors?
20
-
21
- ## Core Principle
22
-
23
- **The pit of success**: Secure usage should be the path of least resistance. If developers must read documentation carefully or remember special rules to avoid vulnerabilities, the API has failed.
24
-
25
- ## Installation
26
-
27
- ```
28
- /plugin install trailofbits/skills/plugins/sharp-edges
29
- ```
30
-
31
- ## Sharp Edge Categories
32
-
33
- The skill identifies six categories of misuse-prone designs:
34
-
35
- | Category | Example |
36
- |----------|---------|
37
- | Algorithm Selection | JWT `alg: none` attack; PHP `hash("crc32", $password)` |
38
- | Dangerous Defaults | `session_timeout: 0` meaning infinite; empty password accepted |
39
- | Primitive vs. Semantic APIs | `encrypt(msg, bytes, bytes)` where key/nonce can be swapped |
40
- | Configuration Cliffs | `verify_ssl: false` disables all certificate validation |
41
- | Silent Failures | Verification returns `False` instead of throwing; ignored return values |
42
- | Stringly-Typed Security | Permissions as comma-separated strings; SQL from concatenation |
43
-
44
- ## Related Skills
45
-
46
- - [constant-time-analysis](../constant-time-analysis) - Detect timing side-channels in cryptographic code
47
- - [differential-review](../differential-review) - Security-focused code change review
48
- - [audit-context-building](../audit-context-building) - Deep architectural analysis before auditing
@@ -1,292 +0,0 @@
1
- ---
2
- name: sharp-edges
3
- description: "Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by default' and 'pit of success' principles. Triggers: footgun, misuse-resistant, secure defaults, API usability, dangerous configuration."
4
- allowed-tools:
5
- - Read
6
- - Grep
7
- - Glob
8
- ---
9
-
10
- # Sharp Edges Analysis
11
-
12
- Evaluates whether APIs, configurations, and interfaces are resistant to developer misuse. Identifies designs where the "easy path" leads to insecurity.
13
-
14
- ## When to Use
15
-
16
- - Reviewing API or library design decisions
17
- - Auditing configuration schemas for dangerous options
18
- - Evaluating cryptographic API ergonomics
19
- - Assessing authentication/authorization interfaces
20
- - Reviewing any code that exposes security-relevant choices to developers
21
-
22
- ## When NOT to Use
23
-
24
- - Implementation bugs (use standard code review)
25
- - Business logic flaws (use domain-specific analysis)
26
- - Performance optimization (different concern)
27
-
28
- ## Core Principle
29
-
30
- **The pit of success**: Secure usage should be the path of least resistance. If developers must understand cryptography, read documentation carefully, or remember special rules to avoid vulnerabilities, the API has failed.
31
-
32
- ## Rationalizations to Reject
33
-
34
- | Rationalization | Why It's Wrong | Required Action |
35
- |-----------------|----------------|-----------------|
36
- | "It's documented" | Developers don't read docs under deadline pressure | Make the secure choice the default or only option |
37
- | "Advanced users need flexibility" | Flexibility creates footguns; most "advanced" usage is copy-paste | Provide safe high-level APIs; hide primitives |
38
- | "It's the developer's responsibility" | Blame-shifting; you designed the footgun | Remove the footgun or make it impossible to misuse |
39
- | "Nobody would actually do that" | Developers do everything imaginable under pressure | Assume maximum developer confusion |
40
- | "It's just a configuration option" | Config is code; wrong configs ship to production | Validate configs; reject dangerous combinations |
41
- | "We need backwards compatibility" | Insecure defaults can't be grandfather-claused | Deprecate loudly; force migration |
42
-
43
- ## Sharp Edge Categories
44
-
45
- ### 1. Algorithm/Mode Selection Footguns
46
-
47
- APIs that let developers choose algorithms invite choosing wrong ones.
48
-
49
- **The JWT Pattern** (canonical example):
50
- - Header specifies algorithm: attacker can set `"alg": "none"` to bypass signatures
51
- - Algorithm confusion: RSA public key used as HMAC secret when switching RS256→HS256
52
- - Root cause: Letting untrusted input control security-critical decisions
53
-
54
- **Detection patterns:**
55
- - Function parameters like `algorithm`, `mode`, `cipher`, `hash_type`
56
- - Enums/strings selecting cryptographic primitives
57
- - Configuration options for security mechanisms
58
-
59
- **Example - PHP password_hash allowing weak algorithms:**
60
- ```php
61
- // DANGEROUS: allows crc32, md5, sha1
62
- password_hash($password, PASSWORD_DEFAULT); // Good - no choice
63
- hash($algorithm, $password); // BAD: accepts "crc32"
64
- ```
65
-
66
- ### 2. Dangerous Defaults
67
-
68
- Defaults that are insecure, or zero/empty values that disable security.
69
-
70
- **The OTP Lifetime Pattern:**
71
- ```python
72
- # What happens when lifetime=0?
73
- def verify_otp(code, lifetime=300): # 300 seconds default
74
- if lifetime == 0:
75
- return True # OOPS: 0 means "accept all"?
76
- # Or does it mean "expired immediately"?
77
- ```
78
-
79
- **Detection patterns:**
80
- - Timeouts/lifetimes that accept 0 (infinite? immediate expiry?)
81
- - Empty strings that bypass checks
82
- - Null values that skip validation
83
- - Boolean defaults that disable security features
84
- - Negative values with undefined semantics
85
-
86
- **Questions to ask:**
87
- - What happens with `timeout=0`? `max_attempts=0`? `key=""`?
88
- - Is the default the most secure option?
89
- - Can any default value disable security entirely?
90
-
91
- ### 3. Primitive vs. Semantic APIs
92
-
93
- APIs that expose raw bytes instead of meaningful types invite type confusion.
94
-
95
- **The Libsodium vs. Halite Pattern:**
96
-
97
- ```php
98
- // Libsodium (primitives): bytes are bytes
99
- sodium_crypto_box($message, $nonce, $keypair);
100
- // Easy to: swap nonce/keypair, reuse nonces, use wrong key type
101
-
102
- // Halite (semantic): types enforce correct usage
103
- Crypto::seal($message, new EncryptionPublicKey($key));
104
- // Wrong key type = type error, not silent failure
105
- ```
106
-
107
- **Detection patterns:**
108
- - Functions taking `bytes`, `string`, `[]byte` for distinct security concepts
109
- - Parameters that could be swapped without type errors
110
- - Same type used for keys, nonces, ciphertexts, signatures
111
-
112
- **The comparison footgun:**
113
- ```go
114
- // Timing-safe comparison looks identical to unsafe
115
- if hmac == expected { } // BAD: timing attack
116
- if hmac.Equal(mac, expected) { } // Good: constant-time
117
- // Same types, different security properties
118
- ```
119
-
120
- ### 4. Configuration Cliffs
121
-
122
- One wrong setting creates catastrophic failure, with no warning.
123
-
124
- **Detection patterns:**
125
- - Boolean flags that disable security entirely
126
- - String configs that aren't validated
127
- - Combinations of settings that interact dangerously
128
- - Environment variables that override security settings
129
- - Constructor parameters with sensible defaults but no validation (callers can override with insecure values)
130
-
131
- **Examples:**
132
- ```yaml
133
- # One typo = disaster
134
- verify_ssl: fasle # Typo silently accepted as truthy?
135
-
136
- # Magic values
137
- session_timeout: -1 # Does this mean "never expire"?
138
-
139
- # Dangerous combinations accepted silently
140
- auth_required: true
141
- bypass_auth_for_health_checks: true
142
- health_check_path: "/" # Oops
143
- ```
144
-
145
- ```php
146
- // Sensible default doesn't protect against bad callers
147
- public function __construct(
148
- public string $hashAlgo = 'sha256', // Good default...
149
- public int $otpLifetime = 120, // ...but accepts md5, 0, etc.
150
- ) {}
151
- ```
152
-
153
- See [config-patterns.md](skills/sharp-edges/references/config-patterns.md#unvalidated-constructor-parameters) for detailed patterns.
154
-
155
- ### 5. Silent Failures
156
-
157
- Errors that don't surface, or success that masks failure.
158
-
159
- **Detection patterns:**
160
- - Functions returning booleans instead of throwing on security failures
161
- - Empty catch blocks around security operations
162
- - Default values substituted on parse errors
163
- - Verification functions that "succeed" on malformed input
164
-
165
- **Examples:**
166
- ```python
167
- # Silent bypass
168
- def verify_signature(sig, data, key):
169
- if not key:
170
- return True # No key = skip verification?!
171
-
172
- # Return value ignored
173
- signature.verify(data, sig) # Throws on failure
174
- crypto.verify(data, sig) # Returns False on failure
175
- # Developer forgets to check return value
176
- ```
177
-
178
- ### 6. Stringly-Typed Security
179
-
180
- Security-critical values as plain strings enable injection and confusion.
181
-
182
- **Detection patterns:**
183
- - SQL/commands built from string concatenation
184
- - Permissions as comma-separated strings
185
- - Roles/scopes as arbitrary strings instead of enums
186
- - URLs constructed by joining strings
187
-
188
- **The permission accumulation footgun:**
189
- ```python
190
- permissions = "read,write"
191
- permissions += ",admin" # Too easy to escalate
192
-
193
- # vs. type-safe
194
- permissions = {Permission.READ, Permission.WRITE}
195
- permissions.add(Permission.ADMIN) # At least it's explicit
196
- ```
197
-
198
- ## Analysis Workflow
199
-
200
- ### Phase 1: Surface Identification
201
-
202
- 1. **Map security-relevant APIs**: authentication, authorization, cryptography, session management, input validation
203
- 2. **Identify developer choice points**: Where can developers select algorithms, configure timeouts, choose modes?
204
- 3. **Find configuration schemas**: Environment variables, config files, constructor parameters
205
-
206
- ### Phase 2: Edge Case Probing
207
-
208
- For each choice point, ask:
209
- - **Zero/empty/null**: What happens with `0`, `""`, `null`, `[]`?
210
- - **Negative values**: What does `-1` mean? Infinite? Error?
211
- - **Type confusion**: Can different security concepts be swapped?
212
- - **Default values**: Is the default secure? Is it documented?
213
- - **Error paths**: What happens on invalid input? Silent acceptance?
214
-
215
- ### Phase 3: Threat Modeling
216
-
217
- Consider three adversaries:
218
-
219
- 1. **The Scoundrel**: Actively malicious developer or attacker controlling config
220
- - Can they disable security via configuration?
221
- - Can they downgrade algorithms?
222
- - Can they inject malicious values?
223
-
224
- 2. **The Lazy Developer**: Copy-pastes examples, skips documentation
225
- - Will the first example they find be secure?
226
- - Is the path of least resistance secure?
227
- - Do error messages guide toward secure usage?
228
-
229
- 3. **The Confused Developer**: Misunderstands the API
230
- - Can they swap parameters without type errors?
231
- - Can they use the wrong key/algorithm/mode by accident?
232
- - Are failure modes obvious or silent?
233
-
234
- ### Phase 4: Validate Findings
235
-
236
- For each identified sharp edge:
237
-
238
- 1. **Reproduce the misuse**: Write minimal code demonstrating the footgun
239
- 2. **Verify exploitability**: Does the misuse create a real vulnerability?
240
- 3. **Check documentation**: Is the danger documented? (Documentation doesn't excuse bad design, but affects severity)
241
- 4. **Test mitigations**: Can the API be used safely with reasonable effort?
242
-
243
- If a finding seems questionable, return to Phase 2 and probe more edge cases.
244
-
245
- ## Severity Classification
246
-
247
- | Severity | Criteria | Examples |
248
- |----------|----------|----------|
249
- | Critical | Default or obvious usage is insecure | `verify: false` default; empty password allowed |
250
- | High | Easy misconfiguration breaks security | Algorithm parameter accepts "none" |
251
- | Medium | Unusual but possible misconfiguration | Negative timeout has unexpected meaning |
252
- | Low | Requires deliberate misuse | Obscure parameter combination |
253
-
254
- ## References
255
-
256
- **By category:**
257
-
258
- - **Cryptographic APIs**: See [references/crypto-apis.md](skills/sharp-edges/references/crypto-apis.md)
259
- - **Configuration Patterns**: See [references/config-patterns.md](skills/sharp-edges/references/config-patterns.md)
260
- - **Authentication/Session**: See [references/auth-patterns.md](skills/sharp-edges/references/auth-patterns.md)
261
- - **Real-World Case Studies**: See [references/case-studies.md](skills/sharp-edges/references/case-studies.md) (OpenSSL, GMP, etc.)
262
-
263
- **By language** (general footguns, not crypto-specific):
264
-
265
- | Language | Guide |
266
- |----------|-------|
267
- | C/C++ | [references/lang-c.md](skills/sharp-edges/references/lang-c.md) |
268
- | Go | [references/lang-go.md](skills/sharp-edges/references/lang-go.md) |
269
- | Rust | [references/lang-rust.md](skills/sharp-edges/references/lang-rust.md) |
270
- | Swift | [references/lang-swift.md](skills/sharp-edges/references/lang-swift.md) |
271
- | Java | [references/lang-java.md](skills/sharp-edges/references/lang-java.md) |
272
- | Kotlin | [references/lang-kotlin.md](skills/sharp-edges/references/lang-kotlin.md) |
273
- | C# | [references/lang-csharp.md](skills/sharp-edges/references/lang-csharp.md) |
274
- | PHP | [references/lang-php.md](skills/sharp-edges/references/lang-php.md) |
275
- | JavaScript/TypeScript | [references/lang-javascript.md](skills/sharp-edges/references/lang-javascript.md) |
276
- | Python | [references/lang-python.md](skills/sharp-edges/references/lang-python.md) |
277
- | Ruby | [references/lang-ruby.md](skills/sharp-edges/references/lang-ruby.md) |
278
-
279
- See also [references/language-specific.md](skills/sharp-edges/references/language-specific.md) for a combined quick reference.
280
-
281
- ## Quality Checklist
282
-
283
- Before concluding analysis:
284
-
285
- - [ ] Probed all zero/empty/null edge cases
286
- - [ ] Verified defaults are secure
287
- - [ ] Checked for algorithm/mode selection footguns
288
- - [ ] Tested type confusion between security concepts
289
- - [ ] Considered all three adversary types
290
- - [ ] Verified error paths don't bypass security
291
- - [ ] Checked configuration validation
292
- - [ ] Constructor params validated (not just defaulted) - see [config-patterns.md](skills/sharp-edges/references/config-patterns.md#unvalidated-constructor-parameters)