Can it detect weak encryption algorithms?

Yes, it scans for deprecated algorithms like MD5, SHA1, or RC4 when they are used in security contexts such as password hashing or token generation.

What are fail-open insecure defaults?

Fail-open defaults occur when an application continues to run using a weak or hardcoded setting if a required configuration is missing, rather than crashing safely (fail-secure).

How does it verify if a vulnerability is exploitable?

It traces the code path to confirm if the insecure default is used at runtime and checks deployment configurations to see if production variables are missing.

Does this skill flag test files or documentation?

No, the skill is specifically designed to ignore test fixtures, example files, and documentation to minimize noise and focus on code that reaches production.

Insecure Defaults Detection

Name: Insecure Defaults Detection
Author: trailofbits

bytrailofbits

•

2,924

•

Security & Testing

Identifies critical fail-open vulnerabilities where applications run with insecure default configurations instead of crashing safely.

This skill specializes in auditing codebases for 'fail-open' security flaws, specifically targeting instances where an application defaults to an insecure state—such as a hardcoded secret, weak authentication, or permissive CORS—when environment variables are missing. It empowers developers and security researchers to trace execution paths, distinguish between exploitable production defaults and safe development fixtures, and generate evidence-based reports on potential exploitation risks for hardcoded credentials, weak cryptography, and permissive access controls.

Key Features

01Distinguishes between critical production vulnerabilities and safe test fixtures

02Provides structured reporting with exploitation impact and code evidence

03Identifies weak cryptographic algorithms in security-sensitive contexts

042,924 GitHub stars

05Detects hardcoded secrets and insecure environment variable fallbacks

06Analyzes IaC and Docker configurations for permissive access settings

Use Cases

01Reviewing Infrastructure as Code and deployment templates for security gaps

02Conducting deep security audits of production applications and API services

03Automating pre-deployment checks for hardcoded credentials and weak defaults

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add trailofbits/skills insecure-defaults

For use in Claude.ai and ChatGPT

Download Skill