ranbot-ai/skills/sharp-edges
skills/sharp-edges/SKILL.md
--- name: sharp-edges description: name: sharp-edges Evaluates whether APIs, configurations, and interfaces are resistant to developer misuse. Identifies designs where the "easy path" leads to insecurity. category: Security & Systems source: antigravity tags: [python, javascript, typescript, api, ai, workflow, design, document, security, vulnerability] url: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/sharp-edges --- --- name: sharp-edges description: "Identifies err
$ install --global
skillsauthnpx skillsauth add ranbot-ai/awesome-skills skills/sharp-edgesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 4, 2026, 4:49 AM149.8s1 file scanned
SKILL.md
- name:
- sharp-edges
- description:
- name: sharp-edges Evaluates whether APIs, configurations, and interfaces are resistant to developer misuse. Identifies designs where the "easy path" leads to insecurity.
- category:
- Security & Systems
- source:
- antigravity
- tags:
- [python, javascript, typescript, api, ai, workflow, design, document, security, vulnerability]
- url:
- https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/sharp-edges
name: sharp-edges description: "Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by...
Sharp Edges Analysis
Evaluates whether APIs, configurations, and interfaces are resistant to developer misuse. Identifies designs where the "easy path" leads to insecurity.
When to Use
- Reviewing API or library design decisions
- Auditing configuration schemas for dangerous options
- Evaluating cryptographic API ergonomics
- Assessing authentication/authorization interfaces
- Reviewing any code that exposes security-relevant choices to developers
When NOT to Use
- Implementation bugs (use standard code review)
- Business logic flaws (use domain-specific analysis)
- Performance optimization (different concern)
Core Principle
The pit of success: Secure usage should be the path of least resistance. If developers must understand cryptography, read documentation carefully, or remember special rules to avoid vulnerabilities, the API has failed.
Rationalizations to Reject
| Rationalization | Why It's Wrong | Required Action | |-----------------|----------------|-----------------| | "It's documented" | Developers don't read docs under deadline pressure | Make the secure choice the default or only option | | "Advanced users need flexibility" | Flexibility creates footguns; most "advanced" usage is copy-paste | Provide safe high-level APIs; hide primitives | | "It's the developer's responsibility" | Blame-shifting; you designed the footgun | Remove the footgun or make it impossible to misuse | | "Nobody would actually do that" | Developers do everything imaginable under pressure | Assume maximum developer confusion | | "It's just a configuration option" | Config is code; wrong configs ship to production | Validate configs; reject dangerous combinations | | "We need backwards compatibility" | Insecure defaults can't be grandfather-claused | Deprecate loudly; force migration |
Sharp Edge Categories
1. Algorithm/Mode Selection Footguns
APIs that let developers choose algorithms invite choosing wrong ones.
The JWT Pattern (canonical example):
- Header specifies algorithm: attacker can set
"alg": "none"to bypass signatures - Algorithm confusion: RSA public key used as HMAC secret when switching RS256→HS256
- Root cause: Letting untrusted input control security-critical decisions
Detection patterns:
- Function parameters like
algorithm,mode,cipher,hash_type - Enums/strings selecting cryptographic primitives
- Configuration options for security mechanisms
Example - PHP password_hash allowing weak algorithms:
// DANGEROUS: allows crc32, md5, sha1
password_hash($password, PASSWORD_DEFAULT); // Good - no choice
hash($algorithm, $password); // BAD: accepts "crc32"
2. Dangerous Defaults
Defaults that are insecure, or zero/empty values that disable security.
The OTP Lifetime Pattern:
# What happens when lifetime=0?
def verify_otp(code, lifetime=300): # 300 seconds default
if lifetime == 0:
return True # OOPS: 0 means "accept all"?
# Or does it mean "expired immediately"?
Detection patterns:
- Timeouts/lifetimes that accept 0 (infinite? immediate expiry?)
- Empty strings that bypass checks
- Null values that skip validation
- Boolean defaults that disable security features
- Negative values with undefined semantics
Questions to ask:
- What happens with
timeout=0?max_attempts=0?key=""? - Is the default the most secure option?
- Can any default value disable security entirely?
3. Primitive vs. Semantic APIs
APIs that expose raw bytes instead of meaningful types invite type confusion.
The Libsodium vs. Halite Pattern:
// Libsodium (primitives): bytes are bytes
sodium_crypto_box($message, $nonce, $keypair);
// Easy to: swap nonce/keypair, reuse nonces, use wrong key type
// Halite (semantic): types enforce correct usage
Crypto::seal($message, new EncryptionPublicKey($key));
// Wrong key type = type error, not silent failure
Detection patterns:
- Functions taking
bytes,string,[]bytefor distinct security concepts - Parameters that could be swapped without type errors
- Same type used for keys, nonces, ciphertexts, signatures
The comparison footgun:
// Timing-safe comparison looks identical to unsafe
if hmac == expected { } // BAD: timing attack
if hmac.Equal(mac, expected) { } // Good: constant-time
// Same types, different security properties
4. Configuration Cliffs
One wrong setting creates catastrophic failure, with no warning.
Detection patterns:
- Boolean flags that disable security entirely
- String configs that aren't validated
- Combinations of settings that interact dangerously
- Environment variables that override security settings
Related Skills
ranbot-ai/nextjs-seo-indexing
testing
VerifiedTrustedCommunity
Fix SEO indexing issues, crawl budget problems, and Search Console coverage errors for Next.js apps. Covers canonical tags, noindex audits, sitemap health, static rendering, and internal linking.
5SKILL.mdUpdated Jun 2, 2026
ranbot-ai/moatmri
data-ai
VerifiedTrustedCommunity
Analyze AI disruption pressure across a business, map competitive exposure, and produce a 90-day defensive action plan.
5SKILL.mdUpdated Jun 2, 2026
ranbot-ai/skills/longbridge
tools
VerifiedTrustedCommunity
--- name: longbridge description: 125+ agent skills for Longbridge Securities — real-time quotes, charts, fundamentals, portfolio analysis, options, and more for HK/US/A-share/SG markets. Trilingual: Simplified Chinese, Traditional category: AI & Agents source: antigravity tags: [api, mcp, claude, ai, agent, security, cro] url: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/longbridge --- # Longbridge ## Overview Longbridge is the official skill collection for Longbr
5SKILL.mdUpdated Jun 2, 2026
ranbot-ai/github-actions-advanced
tools
VerifiedTrustedCommunity
Design, debug, and harden GitHub Actions CI/CD workflows, including reusable workflows, matrix builds, self-hosted runners, OIDC authentication, caching, environments, secrets, and release automation.
5SKILL.mdUpdated Jun 2, 2026