Detects fail-open insecure defaults (hardcoded secrets, weak auth, permissive security) that allow apps to run insecurely in production. Use when auditing security, reviewing config management, or analyzing environment variable handling.
This skill does not declare a tool allowlist. The agent host applies whatever default tools are available at runtime.
SKILL.md / Manifest: https://raw.githubusercontent.com/trailofbits/skills/main/plugins/insecure-defaults/skills/insecure-defaults/SKILL.md
Registry: github (via claudemarketplaces.com)