insecure-defaults
Detect insecure default configurations like hardcoded secrets, default credentials, and weak crypto
Developer Setup
Setup & Installation
npx skills add https://github.com/trailofbits/skills --skill insecure-defaults
Overview
What This Skill Does
Detects fail-open security vulnerabilities where applications run insecurely due to missing or weak configuration. Focuses on distinguishing exploitable defaults (app runs with a weak secret) from fail-secure patterns (app crashes without proper config). Covers hardcoded credentials, weak crypto, permissive access controls, and debug features left enabled.
Application
When to use this Skill
- Configuring integration settings for custom agent workflows.
- Optimizing query execution and response latency in production.
- Developing clean, standard-compliant implementations for enterprise services.
- Troubleshooting connection timeouts and authentication handshakes.
- Monitoring API rate limits and execution pipelines programmatically.
Documentation
Insecure Defaults Detection
Security skill for detecting insecure default configurations that create vulnerabilities when applications run with missing or incomplete configuration.
Overview
The insecure-defaults skill helps identify security vulnerabilities caused by:
- Hardcoded fallback secrets (JWT keys, API keys, session secrets)
- Default credentials (admin/admin, root/password)
- Weak cryptographic defaults (MD5, DES, ECB mode)
- Permissive access control (CORS *, public by default)
- Missing security configuration that causes fail-open behavior
Critical Distinction: This skill emphasizes fail-secure vs. fail-open behavior. Applications that crash without proper configuration are safe; applications that run with insecure defaults are vulnerable.
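To make the fail-open vs. fail-secure distinction concrete, here is an added example (not code from the skill or its repository) that scans Python source with the standard `ast` module for secret-like environment lookups that fall back to a hardcoded string literal. The sample source, the `SECRET_HINTS` list and the function names are constructed for this illustration.

```python
import ast

# Constructed sample of application config code, mixing fail-open
# fallbacks with fail-secure lookups (not taken from any real project).
SAMPLE = '''
import os
JWT_SECRET = os.environ.get("JWT_SECRET", "dev-secret")   # fail-open: runs with weak secret
API_KEY = os.getenv("API_KEY", "changeme")               # fail-open
DB_PASSWORD = os.environ["DB_PASSWORD"]                  # fail-secure: KeyError if unset
SESSION_KEY = os.environ.get("SESSION_KEY")              # fail-secure: None, caller must check
DEBUG = os.environ.get("DEBUG", "false")                 # has a default, but not a secret
'''

# Substrings that mark a config key as secret material (assumed list).
SECRET_HINTS = ("SECRET", "KEY", "PASSWORD", "TOKEN")

def _is_env_lookup(call):
    """True for os.environ.get(...) and os.getenv(...) calls."""
    f = call.func
    if not isinstance(f, ast.Attribute):
        return False
    if f.attr == "getenv":
        return isinstance(f.value, ast.Name) and f.value.id == "os"
    if f.attr == "get":
        v = f.value
        return (isinstance(v, ast.Attribute) and v.attr == "environ"
                and isinstance(v.value, ast.Name) and v.value.id == "os")
    return False

def _str_const(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def find_fail_open_secrets(source):
    """Return (line, key, default) for secret-like env lookups that fall back
    to a hardcoded string; lookups without a default are fail-secure and skipped."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_env_lookup(node)):
            continue
        key = _str_const(node.args[0]) if node.args else None
        default = node.args[1] if len(node.args) > 1 else None
        if default is None:  # os.getenv("X", default="...") passes it by keyword
            default = next((k.value for k in node.keywords if k.arg == "default"), None)
        fallback = _str_const(default) if default is not None else None
        if key and fallback is not None and any(h in key.upper() for h in SECRET_HINTS):
            findings.append((node.lineno, key, fallback))
    return findings

if __name__ == "__main__":
    for line, key, fallback in find_fail_open_secrets(SAMPLE):
        print(f"line {line}: {key} falls back to hardcoded {fallback!r} (fail-open)")
```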
Installation
cd parent-folder/skills
/plugin install ./plugins/insecure-defaults
Or from the plugin marketplace:
/plugin install insecure-defaults