auth-vulnerabilities_skill

This skill analyzes AI-generated authentication and session management code to identify insecure password storage and broken access controls, guiding secure
  • JavaScript

4

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill harperaa/secure-claude-skills --skill auth-vulnerabilities

  • SKILL.md22.5 KB

Overview

This skill helps you find and understand authentication and authorization defects commonly produced by AI-generated code. It highlights insecure password storage, broken session management, and access control bypasses, and explains why AI suggests unsafe patterns like MD5 or predictable session IDs. The goal is to teach practical fixes and detection cues so you can harden AI-suggested code before deployment.

How this skill works

The skill inspects code patterns and examples to identify insecure password handling (plaintext, MD5/SHA1), weak session implementations (predictable IDs, missing expiration, insecure cookies), and missing authorization checks. It explains the root causes—training data bias, simplicity shortcuts, and lack of security reasoning—and maps each issue to a secure alternative and configuration recommendations. It also provides short, concrete remediation steps and realistic attack scenarios to prioritize fixes.

When to use it

  • Review AI-suggested auth code before merging to production
  • Audit legacy code that mirrors AI-recommended patterns
  • Train teams to recognize common AI-generated auth anti-patterns
  • Assess pull requests with quick heuristics for password/session flaws
  • Integrate into secure code review or CI linting guidance

Best practices

  • Never accept plaintext or fast hashes; require bcrypt/Argon2 with per-password salt and a cost factor
  • Use cryptographically secure session IDs, server-side session stores (Redis), and set httpOnly, secure, and sameSite cookies
  • Enforce session expiration, renewal, IP/user-agent consistency, and rate limiting on auth endpoints
  • Separate authentication (identity) from authorization (permissions); always check resource-level permissions server-side
  • Prefer managed auth providers (Clerk, Auth0) or vetted libraries to reduce custom-auth risks

Example use cases

  • Detect AI code that stores passwords with hashlib.md5 or plain strings and recommend bcrypt/Argon2
  • Identify session code creating IDs from username+timestamp and replace with crypto.randomBytes
  • Flag endpoints that require login but do not check resource ownership or roles
  • Add middleware templates that validate sessions, renew TTLs, and enforce cookie security flags
  • Create training snippets showing attack vectors: session hijack, fixation, and authorization bypass

FAQ

Models are trained on old public examples and prefer simpler code; they lack contextual security knowledge, so they surface outdated patterns like MD5 or plaintext.

Is replacing MD5 with bcrypt enough?

bcrypt/Argon2 is required for storage, but also enforce password strength, per-password salt, proper cost factor, secure transport (TLS), and breach detection/rate limiting.

Can I rely on managed auth services?

Yes—well-maintained providers reduce custom-auth errors, handle hashing/session best practices, and lower the attack surface if configured correctly.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational