Insecure Defaults Detection

Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.

5 stars

Best use case

Insecure Defaults Detection is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.

Teams using Insecure Defaults Detection should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/insecure-defaults/SKILL.md --create-dirs "https://raw.githubusercontent.com/BasharAmso/Bashi/main/create-bashi-app/template/custom-skills/insecure-defaults/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/insecure-defaults/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Insecure Defaults Detection Compares

Feature / AgentInsecure Defaults DetectionStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Skill: Insecure Defaults Detection

## Metadata

| Field | Value |
|-------|-------|
| **Skill ID** | SKL-0029 |
| **Version** | 1.0 |
| **Owner** | reviewer |
| **Inputs** | Source files, config files, .env.example |
| **Outputs** | Insecure defaults report, STATE.md updated |
| **Triggers** | `INSECURE_DEFAULTS_CHECK_REQUESTED` |

---

## Purpose

Scan application code and configuration files for insecure default values, hardcoded credentials, fail-open security patterns, and dangerous configurations that would survive into production. This catches the class of vulnerabilities that dependency scanners and OWASP checklists miss — the ones baked into *your* code, not your dependencies.

Inspired by [Trail of Bits' insecure-defaults skill](https://github.com/trailofbits/skills).

> **See also:** For full OWASP codebase audit, see SKL-0015 (Security Audit).

---

## Procedure

### Step 1 — Identify Configuration Surface

Scan the project for configuration files and patterns:

- `.env`, `.env.example`, `.env.local`, `.env.production`
- `config/`, `settings/`, any `*config*` files
- Docker Compose files, Dockerfiles
- CI/CD configs (`.github/workflows/`, `Jenkinsfile`, etc.)
- Database connection strings
- API endpoint configurations
- Authentication and session settings
- CORS and CSP headers

### Step 2 — Check for Hardcoded Secrets

Search for patterns that indicate hardcoded credentials:

| Pattern | Severity | Example |
|---------|----------|---------|
| Hardcoded API keys | CRITICAL | `apiKey = "sk-..."` |
| Hardcoded passwords | CRITICAL | `password = "admin123"` |
| Default JWT secrets | CRITICAL | `JWT_SECRET = "secret"` or `"changeme"` |
| Hardcoded database credentials | HIGH | `DB_PASSWORD = "postgres"` |
| Commented-out credentials | MEDIUM | `// password: "test123"` |
| Placeholder secrets in non-example files | HIGH | `TOKEN = "xxx"` in production configs |

### Step 3 — Check for Fail-Open Patterns

Identify code paths where security fails to the permissive state:

| Pattern | Severity | What to look for |
|---------|----------|-----------------|
| Auth bypass on error | CRITICAL | `catch { return true }` in auth middleware |
| CORS wildcard | HIGH | `Access-Control-Allow-Origin: *` in production |
| Debug mode defaults | HIGH | `DEBUG = true` without environment override |
| Disabled CSRF | HIGH | CSRF protection commented out or defaulting to off |
| Permissive CSP | MEDIUM | `Content-Security-Policy: default-src *` |
| Missing rate limiting | MEDIUM | Auth endpoints without rate limits |
| Insecure cookie defaults | MEDIUM | Missing `Secure`, `HttpOnly`, or `SameSite` flags |

### Step 4 — Check for Dangerous Defaults

| Pattern | Severity | What to look for |
|---------|----------|-----------------|
| Default admin accounts | CRITICAL | User seed data with admin/admin or similar |
| Open registration | HIGH | Registration enabled with no verification |
| Verbose error messages | MEDIUM | Stack traces or SQL errors exposed to client |
| Default ports on sensitive services | LOW | Database/cache on default ports without auth |
| Missing HTTPS redirect | MEDIUM | HTTP allowed without redirect in production config |
| Auto-approve patterns | HIGH | Code that auto-approves without validation |

### Step 5 — Generate Report

For each finding, document:
- **File and line number**
- **Severity** (CRITICAL / HIGH / MEDIUM / LOW)
- **What was found** (specific code or config)
- **Why it's dangerous** (attack scenario)
- **Recommended fix** (concrete code change)

### Step 6 — Update STATE.md

Record findings summary and severity counts.

---

## Constraints

- Read-only analysis — does not modify source files
- Findings are advisory unless severity is CRITICAL
- Does not replace SKL-0015 (Security Audit) — complements it with config-level focus
- Does not scan dependencies (that's SKL-0015's job)
- Never prints actual secret values in reports — redact to first/last 2 characters

---

## Primary Agent

reviewer

---

## Definition of Done

- [ ] All configuration files identified and scanned
- [ ] Hardcoded secrets check completed
- [ ] Fail-open patterns check completed
- [ ] Dangerous defaults check completed
- [ ] Each finding has file, line, severity, explanation, and fix
- [ ] No actual secrets exposed in the report
- [ ] STATE.md updated with findings summary

## Output Contract

| Field | Value |
|-------|-------|
| **Artifacts** | Insecure defaults report (findings with severity ratings and recommended fixes) |
| **State Update** | `.claude/project/STATE.md` — mark task complete, log findings summary and severity counts |
| **Handoff Event** | `TASK_COMPLETED` (insecure defaults check complete) |

Related Skills

Supply Chain Audit

5
from BasharAmso/Bashi

Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.

SEO Audit

5
from BasharAmso/Bashi

Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.

Pitch Deck

5
from BasharAmso/Bashi

Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.

Launch Checklist

5
from BasharAmso/Bashi

Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.

Differential Security Review

5
from BasharAmso/Bashi

Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.

Copywriting

5
from BasharAmso/Bashi

Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.

Competitor Analysis

5
from BasharAmso/Bashi

Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.

UX Design

5
from BasharAmso/Bashi

Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.

User Acceptance Testing

5
from BasharAmso/Bashi

Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.

Token Audit

5
from BasharAmso/Bashi

Audit the current project for token waste patterns. Produces a Token Health Report with scored findings and actionable fixes. Use this skill when token usage feels high, sessions are hitting limits, or before optimizing costs.

Test Writing

5
from BasharAmso/Bashi

Write automated tests for existing or new functionality. Use this skill when tests are requested, including unit tests, integration tests, and end-to-end tests.

Skill Creator

5
from BasharAmso/Bashi

Turn a repetitive workflow into a reusable custom skill. Interviews the user, then produces a complete SKILL.md with frontmatter, procedure, constraints, definition of done, and output contract in custom-skills/. Use this skill when you find yourself repeating the same process and want to automate it.