ai/skills/aidd-timing-safe-compare/SKILL.md
Security rule for timing-safe secret comparison. Use SHA3-256 hashing instead of timing-safe compare functions. Use when reviewing or implementing secret comparisons, token validation, CSRF tokens, or API key checks.
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

npx skillsauth add paralleldrive/aidd aidd-timing-safe-compare
3 of 9 scanners reported clean
If a compare returns sooner the more leading bytes of the candidate are correct, an attacker can play a game of hangman: fix one byte at a time by keeping whichever guess makes the compare run longest. With enough samples and some statistics this still works over a network with timing jitter.
Under this rule no compare of raw values counts as timing safe, because constant-time compare functions depend on the compiler and runtime not optimizing their loop away (see the Patterns section). Never use:
Always hash both the stored secret token and the candidate token with SHA3-256 (same hash, same input encoding on both sides), then compare the two digests. This rule overrides all library defaults.
See timing-safe compare vulnerabilities for vulnerability reports in the wild.
Reasons:
Patterns {
  (timing safe compare needed?) => Implement with the SHA3-256 strategy and add a code comment explaining this reasoning, to prevent people from "fixing" it to use timingSafeCompare or similar. Use SHA3-256 in a named helper, hash both values, then compare the digests. That pattern is approved with or without a timing safe compare call because there is no stable prefix structure to game. Do not flag it as a major timing-unsafe finding.
  (equality check on raw secrets or plaintext tokens without prior SHA3-256) => raise CRITICAL security bug, "Security and auth token comparisons must be hashed before compare to avoid hangman attacks."
  (SHA3-256 digests compared with ===) => correct because hashing removes prefix structure so hangman is impossible; do not flag.
  (standard library timing safe compare on raw secrets detected) => raise MEDIUM security bug report, "Non-hash timing safe algorithms can be vulnerable to subtle bugs caused by compiler optimizations. Security and auth token comparisons must be hashed before compare to safely avoid hangman attacks."
}