.agents/skills/cryptography/SKILL.md
Application-level cryptography. Password hashing (bcrypt, argon2), encryption (AES-GCM), digital signatures, key management, and secure random generation.

USE WHEN: user mentions "encryption", "hashing", "bcrypt", "argon2", "AES", "cryptography", "digital signature", "key management", "HMAC"

DO NOT USE FOR: TLS/HTTPS configuration - use infrastructure skills; JWT tokens - use `jwt`; OAuth flows - use `oauth2`

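```typescript
import bcrypt from 'bcrypt';

// bcrypt cost factor (work doubles with each increment)
const SALT_ROUNDS = 12;

async function hashPassword(password: string): Promise<string> {
  // bcrypt.hash generates a random salt and embeds it in the returned hash string
  return bcrypt.hash(password, SALT_ROUNDS);
}

async function verifyPassword(password: string, hash: string): Promise<boolean> {
  return bcrypt.compare(password, hash);
}
```
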
```typescript
import argon2 from 'argon2';

async function hashPassword(password: string): Promise<string> {
  return argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536, // 64 MB
    timeCost: 3,
    parallelism: 4,
  });
}

async function verifyPassword(password: string, hash: string): Promise<boolean> {
  return argon2.verify(hash, password);
}
```

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

const ALGORITHM = 'aes-256-gcm';

// Output layout (base64): 12-byte IV | 16-byte auth tag | ciphertext
function encrypt(plaintext: string, key: Buffer): string {
  const iv = randomBytes(12); // fresh random IV for every message
  const cipher = createCipheriv(ALGORITHM, key, iv);
  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const authTag = cipher.getAuthTag();
  return Buffer.concat([iv, authTag, encrypted]).toString('base64');
}

function decrypt(ciphertext: string, key: Buffer): string {
  const buf = Buffer.from(ciphertext, 'base64');
  const iv = buf.subarray(0, 12);
  const authTag = buf.subarray(12, 28);
  const encrypted = buf.subarray(28);
  const decipher = createDecipheriv(ALGORITHM, key, iv);
  decipher.setAuthTag(authTag);
  // Join as Buffers and decode once instead of relying on implicit
  // Buffer-to-string coercion; final() throws if the auth tag does not verify.
  return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString('utf8');
}

// Key from environment (32 bytes for AES-256)
const key = Buffer.from(process.env.ENCRYPTION_KEY!, 'hex');
```

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

function signPayload(payload: string, secret: string): string {
  return createHmac('sha256', secret).update(payload).digest('hex');
}

function verifySignature(payload: string, signature: string, secret: string): boolean {
  const expected = Buffer.from(signPayload(payload, secret));
  const received = Buffer.from(signature);
  // timingSafeEqual throws when the buffers differ in length, so reject those first
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}
```

```typescript
import { randomBytes, randomUUID } from 'crypto';

const token = randomBytes(32).toString('hex'); // 64-char hex token
const uuid = randomUUID(); // UUID v4
```

```python
import os

from cryptography.fernet import Fernet
from passlib.hash import argon2

# Password hashing
hashed = argon2.hash("password")
is_valid = argon2.verify("password", hashed)

# Symmetric encryption
key = Fernet.generate_key()  # Store securely
f = Fernet(key)
encrypted = f.encrypt(b"sensitive data")
decrypted = f.decrypt(encrypted)

# Secure random
token = os.urandom(32).hex()
```

| Anti-Pattern | Fix |
|--------------|-----|
| MD5/SHA for passwords | Use bcrypt or argon2 |
| ECB mode encryption | Use GCM (authenticated encryption) |
| Hardcoded keys | Use environment variables or KMS |
| Math.random() for tokens | Use crypto.randomBytes() |
| String comparison for signatures | Use timingSafeEqual() to prevent timing attacks |
| Reusing IV/nonce | Generate fresh random IV for each encryption |
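
The table's rows on authenticated encryption, key handling and IV reuse, applied to the page's IV | auth tag | ciphertext layout. This is an added example, not part of the original skill: `loadKey`, `sealMessage`, `openMessage` and `flipLastBit` are hypothetical names, and the key and messages are constructed samples.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

const ALGORITHM = 'aes-256-gcm';
const IV_LEN = 12;
const TAG_LEN = 16;

// Hypothetical helper: decode a hex key and refuse anything that is not 32 bytes.
function loadKey(hex: string | undefined): Buffer {
  if (!hex || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('ENCRYPTION_KEY must be 64 hex characters (32 bytes)');
  }
  return Buffer.from(hex, 'hex');
}

// Same layout as the page's encrypt(): IV | auth tag | ciphertext, base64-encoded.
function sealMessage(plaintext: string, key: Buffer): string {
  const iv = randomBytes(IV_LEN); // new random IV on every call, never reused
  const cipher = createCipheriv(ALGORITHM, key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Hypothetical helper: returns null instead of throwing on truncated or tampered input.
function openMessage(blob: string, key: Buffer): string | null {
  const buf = Buffer.from(blob, 'base64');
  if (buf.length < IV_LEN + TAG_LEN) return null; // too short to hold IV and tag
  const decipher = createDecipheriv(ALGORITHM, key, buf.subarray(0, IV_LEN));
  decipher.setAuthTag(buf.subarray(IV_LEN, IV_LEN + TAG_LEN));
  try {
    const body = buf.subarray(IV_LEN + TAG_LEN);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null; // tag mismatch: wrong key or modified bytes
  }
}

// Constructed test input: flip one bit in the last ciphertext byte and re-encode.
function flipLastBit(blob: string): string {
  const buf = Buffer.from(blob, 'base64');
  buf[buf.length - 1] ^= 1;
  return buf.toString('base64');
}

// Demo with a constructed all-zero key (for illustration only).
const demoKey = loadKey('00'.repeat(32));
const sealed = sealMessage('sensitive data', demoKey);
console.log(openMessage(sealed, demoKey), openMessage(flipLastBit(sealed), demoKey));
```

Because the IV is random per call, sealing the same plaintext twice yields different outputs, and any modified or truncated blob is rejected before plaintext is returned.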

- `crypto.randomBytes` for all random tokens
- `timingSafeEqual` for signature verification