Insecure Defaults Detection
Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.
Best use case
Insecure Defaults Detection is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.
Teams using Insecure Defaults Detection should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/insecure-defaults/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Insecure Defaults Detection Compares
| Feature / Agent | Insecure Defaults Detection | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Skill: Insecure Defaults Detection
## Metadata
| Field | Value |
|-------|-------|
| **Skill ID** | SKL-0029 |
| **Version** | 1.0 |
| **Owner** | reviewer |
| **Inputs** | Source files, config files, .env.example |
| **Outputs** | Insecure defaults report, STATE.md updated |
| **Triggers** | `INSECURE_DEFAULTS_CHECK_REQUESTED` |
---
## Purpose
Scan application code and configuration files for insecure default values, hardcoded credentials, fail-open security patterns, and dangerous configurations that would survive into production. This catches the class of vulnerabilities that dependency scanners and OWASP checklists miss — the ones baked into *your* code, not your dependencies.
Inspired by [Trail of Bits' insecure-defaults skill](https://github.com/trailofbits/skills).
> **See also:** For full OWASP codebase audit, see SKL-0015 (Security Audit).
---
## Procedure
### Step 1 — Identify Configuration Surface
Scan the project for configuration files and patterns:
- `.env`, `.env.example`, `.env.local`, `.env.production`
- `config/`, `settings/`, any `*config*` files
- Docker Compose files, Dockerfiles
- CI/CD configs (`.github/workflows/`, `Jenkinsfile`, etc.)
- Database connection strings
- API endpoint configurations
- Authentication and session settings
- CORS and CSP headers
### Step 2 — Check for Hardcoded Secrets
Search for patterns that indicate hardcoded credentials:
| Pattern | Severity | Example |
|---------|----------|---------|
| Hardcoded API keys | CRITICAL | `apiKey = "sk-..."` |
| Hardcoded passwords | CRITICAL | `password = "admin123"` |
| Default JWT secrets | CRITICAL | `JWT_SECRET = "secret"` or `"changeme"` |
| Hardcoded database credentials | HIGH | `DB_PASSWORD = "postgres"` |
| Commented-out credentials | MEDIUM | `// password: "test123"` |
| Placeholder secrets in non-example files | HIGH | `TOKEN = "xxx"` in production configs |
### Step 3 — Check for Fail-Open Patterns
Identify code paths where security fails to the permissive state:
| Pattern | Severity | What to look for |
|---------|----------|-----------------|
| Auth bypass on error | CRITICAL | `catch { return true }` in auth middleware |
| CORS wildcard | HIGH | `Access-Control-Allow-Origin: *` in production |
| Debug mode defaults | HIGH | `DEBUG = true` without environment override |
| Disabled CSRF | HIGH | CSRF protection commented out or defaulting to off |
| Permissive CSP | MEDIUM | `Content-Security-Policy: default-src *` |
| Missing rate limiting | MEDIUM | Auth endpoints without rate limits |
| Insecure cookie defaults | MEDIUM | Missing `Secure`, `HttpOnly`, or `SameSite` flags |
### Step 4 — Check for Dangerous Defaults
| Pattern | Severity | What to look for |
|---------|----------|-----------------|
| Default admin accounts | CRITICAL | User seed data with admin/admin or similar |
| Open registration | HIGH | Registration enabled with no verification |
| Verbose error messages | MEDIUM | Stack traces or SQL errors exposed to client |
| Default ports on sensitive services | LOW | Database/cache on default ports without auth |
| Missing HTTPS redirect | MEDIUM | HTTP allowed without redirect in production config |
| Auto-approve patterns | HIGH | Code that auto-approves without validation |
### Step 5 — Generate Report
For each finding, document:
- **File and line number**
- **Severity** (CRITICAL / HIGH / MEDIUM / LOW)
- **What was found** (specific code or config)
- **Why it's dangerous** (attack scenario)
- **Recommended fix** (concrete code change)
### Step 6 — Update STATE.md
Record findings summary and severity counts.
---
## Constraints
- Read-only analysis — does not modify source files
- Findings are advisory unless severity is CRITICAL
- Does not replace SKL-0015 (Security Audit) — complements it with config-level focus
- Does not scan dependencies (that's SKL-0015's job)
- Never prints actual secret values in reports — redact to first/last 2 characters
---
## Primary Agent
reviewer
---
## Definition of Done
- [ ] All configuration files identified and scanned
- [ ] Hardcoded secrets check completed
- [ ] Fail-open patterns check completed
- [ ] Dangerous defaults check completed
- [ ] Each finding has file, line, severity, explanation, and fix
- [ ] No actual secrets exposed in the report
- [ ] STATE.md updated with findings summary
## Output Contract
| Field | Value |
|-------|-------|
| **Artifacts** | Insecure defaults report (findings with severity ratings and recommended fixes) |
| **State Update** | `.claude/project/STATE.md` — mark task complete, log findings summary and severity counts |
| **Handoff Event** | `TASK_COMPLETED` (insecure defaults check complete) |Related Skills
Supply Chain Audit
Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.
SEO Audit
Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.
Pitch Deck
Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.
Launch Checklist
Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.
Differential Security Review
Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.
Copywriting
Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.
Competitor Analysis
Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.
UX Design
Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.
User Acceptance Testing
Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.
Token Audit
Audit the current project for token waste patterns. Produces a Token Health Report with scored findings and actionable fixes. Use this skill when token usage feels high, sessions are hitting limits, or before optimizing costs.
Test Writing
Write automated tests for existing or new functionality. Use this skill when tests are requested, including unit tests, integration tests, and end-to-end tests.
Skill Creator
Turn a repetitive workflow into a reusable custom skill. Interviews the user, then produces a complete SKILL.md with frontmatter, procedure, constraints, definition of done, and output contract in custom-skills/. Use this skill when you find yourself repeating the same process and want to automate it.