Skill

cryptographic-failures

Detects cryptographic failures in code: weak hashes (MD5), insecure randomness (Math.random/random), hardcoded keys/secrets, ECB mode. Recommends bcrypt/argon2, CSPRNGs (secrets/crypto.randomBytes), env vars, AES-GCM.

Python

Javascript

Node

Java

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against weak or broken cryptography that allows attackers to recover

SKILL.md

Similar Skills

Cryptographic Failures

Detects cryptographic failures like weak hashing (MD5/SHA1), hardcoded secrets, insecure randomness in Python, Java, Go, PHP, TypeScript code using grep patterns for whitebox pentesting.

vuln-scout

crypto

Guides secure cryptography: hashing (Argon2id, bcrypt), encryption (AES-256-GCM), key management, JWT signing, TLS hardening, digital signatures for sensitive data.

godmode

check-crypto-usage

Analyzes PHP code for cryptography vulnerabilities like weak algorithms, hardcoded keys, insecure random, poor key management, and deprecated functions. Ideal for PHP security audits.

acc

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Cryptographic Failures Security Check (A04:2025)

What this checks

Protects against weak or broken cryptography that allows attackers to recover plaintext passwords, forge tokens, or decrypt sensitive data. Failures here directly enable credential stuffing, account takeover, and data breach.

Vulnerable patterns

hashlib.md5(password.encode()).hexdigest() — MD5 is broken; no salt, trivially reversed with rainbow tables
token = str(random.random()) — Math.random() / random is not cryptographically secure
SECRET_KEY = "hardcoded-secret" — key committed to source control
AES.new(key, AES.MODE_ECB) — ECB mode leaks patterns; identical plaintext blocks produce identical ciphertext

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Passwords go through a slow, salted, memory-hard hash — bcrypt, scrypt, or argon2. Never MD5, SHA1, or SHA256-alone: they're fast enough to brute-force billions of candidates per second on consumer GPUs. The salt is per-password and stored alongside the hash, not a global constant.
Security-sensitive randomness comes from a CSPRNG — secrets in Python, crypto.randomBytes in Node, crypto/rand in Go, SecureRandom in Java. Never random, Math.random, or time-seeded PRNGs for tokens, session IDs, nonces, or keys.
Symmetric encryption uses an authenticated mode — AES-GCM, AES-CCM, ChaCha20-Poly1305. ECB never; CBC only with a separate MAC (encrypt-then-MAC). A fresh nonce per message, never reused with the same key.
Keys live outside the source tree — environment variable, secrets manager, KMS, or OS keystore. Never hardcoded literals, never committed config files. Rotation requires touching infrastructure, not source.

Anchor — shape, not implementation:

hashed  = password_hash(password, algo=bcrypt_or_argon2)   # slow + salted
token   = csprng_bytes(32)                                  # not Math.random
key     = load_from_env_or_kms("ENCRYPTION_KEY")
ct      = aead_encrypt(key, nonce=csprng_bytes(12), pt, aad)

Verification

Confirm the response:

Passwords are hashed with bcrypt, scrypt, or argon2 — never MD5, SHA1, or SHA256 alone
All security tokens use secrets.token_urlsafe / crypto.randomBytes — not random / Math.random()
No keys or secrets appear in source code; all loaded from environment or a secrets manager
Symmetric encryption uses an authenticated mode (GCM, CCM) — not ECB or CBC without MAC

References

CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
CWE-326 (Inadequate Encryption Strength)
CWE-330 (Use of Insufficiently Random Values)
OWASP A04:2025 Cryptographic Failures