Security skill for detecting insecure default configurations that create vulnerabilities when applications run with missing or incomplete configuration.
The insecure-defaults skill helps identify security vulnerabilities caused by:
- Hardcoded fallback secrets (JWT keys, API keys, session secrets)
- Default credentials (admin/admin, root/password)
- Weak cryptographic defaults (MD5, DES, ECB mode)
- Permissive access control (CORS *, public by default)
- Missing security configuration that causes fail-open behavior
Critical Distinction: This skill emphasizes fail-secure vs. fail-open behavior. Applications that crash without proper configuration are safe; applications that run with insecure defaults are vulnerable.
cd parent-folder/skills
/plugin install ./plugins/insecure-defaultsOr from the plugin marketplace:
/plugin install insecure-defaultsUse this skill when:
- Security auditing production applications or services
- Configuration review of deployment manifests (Docker, Kubernetes, IaC)
- Pre-production checks before deploying new services
- Code review of authentication, authorization, or cryptographic code
- Environment variable handling analysis for secrets management
- API security review checking CORS, rate limiting, authentication
- Third-party integration review for hardcoded test credentials
Audit this codebase for insecure defaults—focus on environment variable fallbacks and authentication configuration