From soundcheck
Detects insecure local storage of sensitive data (credentials, tokens, PII) in files, SharedPreferences, NSUserDefaults, SQLite, or localStorage without encryption. Suggests keychain, EncryptedSharedPreferences, or in-memory alternatives.
npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

This skill uses the workspace's default tool permissions.
Identifies and exploits insecure local data storage in Android/iOS mobile apps, including unencrypted databases, SharedPreferences, world-readable files, and Keychain/Keystore misuse. For OWASP M9 pentesting.
Detects sensitive data written to unprotected local storage. Cleartext storage lets any process with file-system access, or a device backup restore, harvest credentials and tokens without authentication.
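The detection the description above refers to, as an added example that is not soundcheck's own rule set: a small line-oriented scanner over the storage sinks the skill lists, with an allowlist so a call that already goes through an encrypted store is not reported. The rule names, the regexes, the `SENSITIVE` name list and the constructed `SAMPLE` are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Identifier fragments that mark a value as sensitive. Illustrative list
# (assumption of this example), not soundcheck's own configuration.
SENSITIVE = r"(?:token|secret|password|passwd|api_?key|credential|auth)"
KEY = r'"[^"]*' + SENSITIVE + r'[^"]*"'   # a string literal that names a secret

# One regex per unprotected sink; every pattern here is an assumption of this example.
RULES = [
    ("plaintext-file", re.compile(r"json\.dump\(.*" + SENSITIVE, re.I)),
    ("android-prefs",  re.compile(r"putString\(\s*" + KEY, re.I)),
    ("ios-defaults",   re.compile(r"UserDefaults.*\.set\(.*forKey:\s*" + KEY, re.I)),
    ("web-storage",    re.compile(r"(?:localStorage|sessionStorage)\.setItem\(\s*" + KEY, re.I)),
    ("temp-file",      re.compile(r"tempfile\.\w+\(.*" + SENSITIVE, re.I)),
]

# Sinks that encrypt at rest: a line that uses one of these is not a finding.
SAFE_SINKS = re.compile(r"EncryptedSharedPreferences|Keychain|SecItemAdd|keyring\.|DPAPI", re.I)


@dataclass
class Finding:
    line: int
    rule: str
    code: str


def scan(source: str) -> List[Finding]:
    """Return one Finding per line that writes a sensitive-looking value to an unprotected sink."""
    findings: List[Finding] = []
    for n, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or SAFE_SINKS.search(line):
            continue                      # empty, or already using an encrypted store
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(n, rule_id, line))
                break                     # report the first matching sink only
    return findings


# Constructed sample mixing the languages the skill covers (not real project code).
SAMPLE = """\
f = open("config.json", "w"); json.dump({"token": token}, f)
prefs.edit().putString("api_key", key).apply()
EncryptedSharedPreferences.create(ctx, "prefs", masterKey).edit().putString("api_key", key).apply()
UserDefaults.standard.set(password, forKey: "password")
localStorage.setItem("auth_token", token)
localStorage.setItem("theme", "dark")
f = tempfile.NamedTemporaryFile(delete=False); f.write(secret)
keyring.set_password("myapp", "api_key", key)
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.code}")
```

Lines 3, 6 and 8 of the sample are deliberately not reported: the first and last already use an encrypted store, and `"theme"` is not a secret-looking key. A real scanner would track the sensitive value across lines rather than requiring it on the same line as the sink, which is the main gap of this single-line version.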
Patterns it flags:

- `open("config.json", "w"); json.dump({"token": token}, f)` — credentials in a plaintext file
- `SharedPreferences.edit().putString("api_key", key)` — Android prefs without encryption
- `NSUserDefaults.standard.set(password, forKey: "password")` — iOS defaults without Keychain
- `localStorage.setItem("auth_token", token)` — web storage without at-rest encryption
- `tempfile.NamedTemporaryFile(); f.write(secret)` — secrets in a shared temp directory, world-readable when the file is created with default perms

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

- Secrets live in the platform secure store (keyring, iOS Keychain, macOS Keychain), Android EncryptedSharedPreferences, or Windows DPAPI / Credential Manager. These encrypt at rest and scope access to the owning app or user account rather than to anything that can read the file system.
- Session tokens never go in localStorage or sessionStorage. These are readable by any script on the origin — one XSS and the token is gone. Use a Secure, HttpOnly, SameSite cookie for session tokens, or a short-lived in-memory token refreshed from the server.
- Any temp file that holds a secret is created with restrictive permissions (0600), written to a user-only directory, and deleted in a finally block — never left in /tmp with default perms.

Anchor — shape, not implementation:
```python
# pseudocode: keychain stands for the platform store above, aead_encrypt for an
# authenticated cipher such as AES-GCM; neither is a real library call

# sensitive value → platform secure store
keychain.set("api_key", value)
# or, if you must use a file
key = keychain.get("file_enc_key") or keychain.generate_and_store("file_enc_key")
write(path, aead_encrypt(key, value), mode=0o600)
```
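For the temp-file property (0600, user-only directory, deleted in a finally block), an added example that is not soundcheck's code: a context manager that establishes those properties, beside the plain `open()` pattern it replaces, with both measured through the permission bits another local user would see. POSIX only; the mode bits do not apply on Windows. One caveat worth knowing: `tempfile.mkstemp` and `NamedTemporaryFile` already create the file 0600 on POSIX, so the exposure in practice comes from `open()` in /tmp, from `mktemp()`, and from files that are never deleted. The `demo` and `unsafe_demo` helpers and the `hunter2` payload are assumptions of this example.

```python
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager
from typing import Dict, Iterator


@contextmanager
def private_secret_file(data: bytes) -> Iterator[str]:
    """Yield the path of a file holding `data` that only the current user can read.

    Properties established: the directory comes from mkdtemp (mode 0700); the file is
    created O_EXCL (an existing file or symlink at the path is an error, not followed)
    with mode 0600; and directory and file are removed in the finally block no matter
    what the caller does with the path.
    """
    tmpdir = tempfile.mkdtemp(prefix="secret-")
    path = os.path.join(tmpdir, "payload")
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        yield path
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def exposure_bits(path: str) -> int:
    """Group/other permission bits of `path`; 0 means only the owner (and root) can touch it."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def demo() -> Dict[str, object]:
    """Exercise private_secret_file and record what another local user could observe."""
    seen: Dict[str, object] = {}
    with private_secret_file(b"hunter2") as p:           # constructed payload
        seen["file_mode"] = stat.S_IMODE(os.stat(p).st_mode)   # 0o600
        seen["file_exposure"] = exposure_bits(p)                # 0
        seen["dir_exposure"] = exposure_bits(os.path.dirname(p))  # 0
        seen["path"] = p
    seen["exists_after"] = os.path.exists(seen["path"])         # False: cleaned up
    return seen


def unsafe_demo() -> int:
    """The world-readable variant of the temp-file pattern the skill flags: plain open()
    under a typical umask. Returns the group/other bits another user gets."""
    old_umask = os.umask(0o022)                  # the default on most Linux systems
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "config.json")
    try:
        with open(path, "w") as f:               # mode 0666 & ~0022 = 0644
            f.write('{"token": "hunter2"}')
        return exposure_bits(path)               # 0o044: group and others can read it
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
        os.umask(old_umask)


if __name__ == "__main__":
    print("hardened:", {k: (oct(v) if isinstance(v, int) else v) for k, v in demo().items()})
    print("plain open():", oct(unsafe_demo()))
```

Passing an explicit mode to `os.open` matters because the umask can only remove bits: 0600 stays 0600 under any umask, whereas `open(path, "w")` starts from 0666 and ends up wherever the process umask leaves it. The encryption half of the anchor (a per-file key from the platform store feeding an AEAD) is left out here because it needs a cipher library; this block covers only the file-handling properties.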