insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Stars5k

Favorites0

Comments0

AddedMay 4, 2026

CategorySecurity Audit

Install Command

npx skills add trailofbits/skills --skill insecure-defaults

Curation Score

This skill scores 84/100, which means it is a solid directory listing candidate for users doing security reviews of code and config. It is easy for an agent to trigger from the frontmatter, the workflow is concrete enough to distinguish fail-open insecure defaults from fail-secure patterns, and the examples support real install-time decision making. The main caveat is that the repository is guidance-heavy rather than tool-assisted, so users should expect to apply the checklist manually with the provided tools.

84/100

Strengths

Strong triggerability: the description clearly targets security audits, configuration review, and environment variable handling.
Operationally clear: it explains the core distinction between fail-open and fail-secure patterns with concrete examples.
Good install value: the included examples file gives vulnerable vs secure patterns that reduce guesswork for agents.

Cautions

No install command or automation assets, so adoption is manual and depends on agent discipline.
The skill appears focused on detection guidance rather than a full end-to-end remediation workflow.

Git Security Configuration Environment Variables Secrets Auth Docker

Overview

Overview of insecure-defaults skill

What insecure-defaults does

The insecure-defaults skill helps you spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. It is most useful for a Security Audit of production code, deployment configs, and secret-handling logic where missing environment variables should be treated as a defect, not silently tolerated.

Who should use it

Use the insecure-defaults skill if you review auth, crypto, API keys, or infrastructure code and need to separate safe fail-secure behavior from risky fallback behavior. It is a good fit for reviewers, AppSec teams, and agents checking whether a service can boot with weak credentials, permissive defaults, or placeholder secrets.

What makes it different

The skill is not a generic “find security bugs” prompt. It focuses on one decision: does missing config cause the system to fail closed, or does it continue insecurely? That narrow scope makes insecure-defaults useful for catching issues like default secrets, fallback passwords, and permissive environment-variable handling that are easy to miss in a broad audit.

How to Use insecure-defaults skill

Install and open the right files

For insecure-defaults install, add the skill with npx skills add trailofbits/skills --skill insecure-defaults. Then read SKILL.md first, followed by references/examples.md for the reported and non-reported patterns. If you are adapting the skill to another repo, also inspect any config, deployment, or secrets-related files where defaults could matter.

Give the skill a concrete audit target

The best insecure-defaults usage starts with a specific question, not a vague ask. Good inputs name the service, the config surface, and the risk boundary:

“Review this auth service for insecure-defaults in env var handling and secret loading.”
“Check Docker and IaC files for fallback credentials or permissive defaults.”
“Audit these startup paths to confirm missing config fails secure, not open.”

Use the skill as a triage workflow

A practical insecure-defaults guide is: identify where config is read, check whether missing values crash or fallback, and confirm whether the default is safe in production. The repository examples show the key distinction: env['KEY'] or explicit validation is usually safe, while env.get('KEY') or 'default' is a reportable issue when the value controls security behavior.

Improve output quality with scoped context

Provide the exact files, stack, and deployment context the agent should examine. For example, mention src/auth/, config/, docker-compose.yml, or helm/ if those paths exist. Also state whether test fixtures, sample files, or development-only configs should be excluded; the skill explicitly treats those as non-findings unless they affect production behavior.

insecure-defaults skill FAQ

Is insecure-defaults only for app code?

No. The insecure-defaults skill also fits deployment manifests, IaC, container setup, and environment-variable logic. If a missing secret or password causes the app to run with a weak default, that is exactly the kind of issue it is built to catch.

How is this different from a normal prompt?

A normal prompt often produces broad security advice. The insecure-defaults skill is narrower and more decision-oriented: it checks whether a missing setting is a safe failure or a dangerous fallback. That focus reduces false positives and makes the review more consistent across codebases.

When should I not use it?

Do not use insecure-defaults for test fixtures, sample .example or .template files, documentation snippets, or development-only scripts unless they are actually used in production. It is also the wrong tool when the system is supposed to crash if config is absent; that fail-secure behavior is a pass, not a finding.

Is it beginner-friendly?

Yes, if you can identify where a system reads secrets or config. The insecure-defaults skill guide is easy to apply because it relies on a simple question: “What happens when the value is missing?” The nuance comes from knowing which files are real runtime inputs versus placeholders.

How to Improve insecure-defaults skill

Give stronger evidence at the prompt

The best way to improve insecure-defaults results is to include the exact security-sensitive variable or file path. For example, “Check whether SECRET_KEY, DB_PASSWORD, or JWT_SECRET has any fallback in production startup code” is much better than “find security problems.” Specific inputs help the skill focus on exploitable defaults instead of harmless convenience settings.

Separate production from non-production

A common failure mode is over-reporting defaults in local-only, test, or example files. Tell the skill which directories are deployable and which are not. If a fallback is intentional in dev but not allowed in prod, say so explicitly so the review can assess whether the boundary is enforced.

Ask for reasoning, not just findings

When you iterate, request the exact code path and why the default is dangerous. For instance: “Show whether the app still starts with a missing secret, and explain the impact if that secret signs sessions or tokens.” This makes insecure-defaults more useful for a Security Audit because it ties each finding to exploitability.

Refine after the first pass

If the first output is broad, rerun it with a narrower scope: one service, one configuration class, or one deployment manifest set. If you need higher precision, ask the skill to prioritize only fail-open cases that affect auth, cryptography, or access control, and to skip harmless defaults that do not change security posture.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

supabase-postgres-best-practices

by supabase

supabase-postgres-best-practices is a Supabase Postgres optimization skill for query tuning, indexing, schema design, RLS performance, locking, and connection management.

Database Engineering

Favorites 0GitHub 1.7k

entra-agent-id

by microsoft

entra-agent-id is a Microsoft Entra Agent ID preview skill for backend development teams building OAuth2-capable AI agent identities with Graph beta. It covers blueprint setup, blueprint principals, agent identities, permissions, sponsors, workload identity federation, and sidecar-based auth. Use it to understand entra-agent-id install, usage, and rollout constraints.

Backend Development

Favorites 0GitHub 0

token-integration-analyzer

by trailofbits

token-integration-analyzer is a security-review skill for token implementations and token integrations. It checks ERC20/ERC721 conformity, weird token patterns, owner privileges, scarcity, and non-standard token handling for Security Audit workflows. Use the token-integration-analyzer guide to reduce guesswork and assess compatibility risk.

Security Audit

Favorites 0GitHub 4.9k

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

ruzzy

by trailofbits

ruzzy is a coverage-guided Ruby fuzzing skill for testing pure Ruby code and Ruby C extensions. Use the ruzzy guide to set up a supported Linux environment, verify sanitizer wiring, and build practical fuzzing workflows for Security Audit work.

Security Audit

Favorites 0GitHub 5k

libfuzzer

by trailofbits

libfuzzer is a coverage-guided fuzzer for C/C++ projects compiled with Clang. This libfuzzer skill helps you install, understand, and use the workflow for harnessing targets, running sanitizers, and starting a practical security audit with minimal setup.

Security Audit

Favorites 0GitHub 5k