cryptolint

v1.0.1

Cryptography misuse & weak algorithm detector -- detects deprecated algorithms, hardcoded keys/IVs, ECB mode, weak random number generation, timing-vulnerabl...

⭐ 0· 87·0 current·0 all-time

by@suhteevah

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/cryptolint.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "cryptolint" (suhteevah/cryptolint) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/cryptolint
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cryptolint

ClawHub CLI

Package manager switcher

npx clawhub@latest install cryptolint

Security Scan

Capability signals

CryptoRequires walletRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The code, SKILL.md, and files implement a local cryptography linter with git-hook integration (lefthook). Required binaries (git, bash, python3, jq) and the brew lefthook install are coherent with the stated purpose. However, the runtime code reads ~/.openclaw/openclaw.json for a stored license key while the registry 'Required config paths' lists none — this mismatch should be corrected or explained.

✓

Instruction Scope

Runtime instructions and scripts operate locally: discover files, run grep-based regex patterns, compute scores, and optionally install git hooks. The dispatcher and analyzer source only local files and do not contact external endpoints. They do modify repository configuration (append or create lefthook.yml) when installing hooks — this is expected for git-hook integration but is a repository-modifying action the user should be aware of.

✓

Install Mechanism

Install uses a Homebrew formula (lefthook) which is a standard package manager path and low risk. There are no URL-based downloads or archive extraction in the skill's install spec.

Credentials

Primary credential CRYPTOLINT_LICENSE_KEY is appropriate for a paid tier. However, license.sh looks for and reads ~/.openclaw/openclaw.json (not declared in registry metadata), and may use an undeclared env var CLAWHUB_JWT_SECRET for optional JWT signature verification. The skill will try multiple local tools (python3/node/jq/openssl) to parse that config and validate tokens. These extra reads/variables should have been declared in registry metadata.

✓

Persistence & Privilege

The skill is not always:true and does not request system-wide persistent privileges. It can install git hooks which modify a repo's lefthook.yml (user-invoked action). It does not modify other skills or global agent settings beyond reading the OpenClaw config and optionally writing/altering repo lefthook.yml during hook installation.

What to consider before installing

What to check before installing: - This skill is local-only and implements a sensible cryptography linter, but it will look for a stored license in ~/.openclaw/openclaw.json and will accept CRYPTOLINT_LICENSE_KEY via env var. The registry metadata did not list that config path — confirm you are comfortable with the skill reading that file before installing. - The license module optionally uses CLAWHUB_JWT_SECRET (not declared) to verify JWT signatures; only set that env var if you understand its purpose. - Installing hooks will create/append a lefthook.yml in your repository and run lefthook install — test in a disposable repo first if you don’t want immediate repo changes. - If you will provide a license key, prefer setting it per-session rather than storing it permanently, or inspect ~/.openclaw/openclaw.json to confirm where keys will be saved. - Overall the code appears coherent with its stated purpose, but the undeclared config/env usage and repo-modifying hook install are reasons to review the files and configuration choices before use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis

OSmacOS · Linux · Windows

Binsgit, bash, python3, jq

Primary envCRYPTOLINT_LICENSE_KEY

Install

Install lefthook (git hooks manager)

Bins: lefthook

brew install lefthook

latestvk97597vyydfc32fyth83qff18s84vmqf

87downloads

0stars

2versions

Updated 1w ago

v1.0.1

MIT-0

macOS, Linux, Windows

CryptoLint -- Cryptography Misuse & Weak Algorithm Detector

CryptoLint scans codebases for cryptographic anti-patterns, deprecated algorithms (MD5, SHA-1, DES, RC4), hardcoded keys and IVs, insecure encryption modes (ECB), weak random number generation, timing-vulnerable comparisons, and insecure TLS/SSL configuration. It uses regex-based pattern matching against 90 cryptography-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Commands

Free Tier (No license required)

`cryptolint scan [file|directory]`

One-shot cryptography quality scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

Accepts a file path or directory (defaults to current directory)
Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
Runs 30 cryptography patterns against each file (free tier limit)
Calculates a crypto quality score (0-100) per file and overall
Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
Outputs findings with: file, line number, check ID, severity, description, recommendation
Exit code 0 if score >= 70, exit code 1 if crypto quality is poor
Free tier limited to first 30 patterns (WA + KM categories)

Example usage scenarios:

"Scan my code for crypto issues" -> runs cryptolint scan .
"Check this file for weak algorithms" -> runs cryptolint scan src/crypto.ts
"Find hardcoded encryption keys" -> runs cryptolint scan src/
"Audit cryptography usage in my project" -> runs cryptolint scan .
"Check for MD5 or SHA1 usage" -> runs cryptolint scan .

Pro Tier ($19/user/month -- requires CRYPTOLINT_LICENSE_KEY)

`cryptolint scan --tier pro [file|directory]`

Extended scan with 60 patterns covering weak algorithms, key management, encryption modes, and random number generation.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

Validates Pro+ license
Runs 60 cryptography patterns (WA, KM, EM, RN categories)
Detects insecure encryption modes (ECB, CBC without auth)
Identifies weak random number generation for crypto
Full category breakdown reporting

`cryptolint scan --format json [directory]`

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

`cryptolint scan --format html [directory]`

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

`cryptolint scan --category WA [directory]`

Filter scan to a specific check category (WA, KM, EM, RN, TC, CP).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category WA

Team Tier ($39/user/month -- requires CRYPTOLINT_LICENSE_KEY with team tier)

`cryptolint scan --tier team [directory]`

Full scan with all 90 patterns across all 6 categories including timing attacks and certificate/protocol checks.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

Validates Team+ license
Runs all 90 patterns across 6 categories
Includes timing & comparison checks (timing side-channels, non-constant-time comparison)
Includes certificate & protocol checks (TLS verification disabled, insecure protocols)
Full category breakdown with per-file results

`cryptolint scan --verbose [directory]`

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

`cryptolint status`

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

Check Categories

CryptoLint detects 90 cryptographic anti-patterns across 6 categories:

Category	Code	Patterns	Description	Severity Range
Weak Algorithms	WA	15	MD5, SHA-1, DES, 3DES, RC4, Blowfish, weak PBKDF2 iterations, deprecated TLS versions	high -- critical
Key Management	KM	15	Hardcoded encryption keys, static IVs/salts, short keys, keys in source code, zero IVs	high -- critical
Encryption Modes	EM	15	ECB mode, CBC without authentication, raw RSA without padding, deprecated createCipher	medium -- critical
Random Number Generation	RN	15	Math.random() for security, java.util.Random for crypto, time-seeded RNG, predictable seeds	high -- critical
Timing & Comparison	TC	15	String equality for hashes, == for HMAC, non-constant-time comparisons, early-return timing leaks	medium -- high
Certificate & Protocol	CP	15	SSL/TLS verification disabled, hostname check bypassed, insecure protocol versions, HTTP in auth	high -- critical

Tier-Based Pattern Access

Tier	Patterns	Categories
Free	30	WA, KM
Pro	60	WA, KM, EM, RN
Team	90	WA, KM, EM, RN, TC, CP
Enterprise	90	WA, KM, EM, RN, TC, CP + priority support

Scoring

CryptoLint uses a deductive scoring system starting at 100 (perfect):

Severity	Point Deduction	Description
Critical	-25 per finding	Broken algorithm or direct cryptographic vulnerability
High	-15 per finding	Significant cryptographic weakness (deprecated algo, weak key)
Medium	-8 per finding	Suboptimal practice (CBC without auth, weak mode choice)
Low	-3 per finding	Informational / best practice suggestion

Grading Scale

Grade	Score Range	Meaning
A	90-100	Excellent cryptography practices
B	80-89	Good crypto with minor issues
C	70-79	Acceptable but needs improvement
D	60-69	Poor cryptography quality
F	Below 60	Critical cryptography problems

Pass threshold: 70 (Grade C or better)
Exit code 0 = pass (score >= 70)
Exit code 1 = fail (score < 70)

Configuration

Users can configure CryptoLint in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "cryptolint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

Free tier works immediately with no configuration
All scanning happens locally -- no code is sent to external servers
License validation is offline -- no phone-home or network calls
Pattern matching only -- no AST parsing, no external dependencies beyond bash
Supports scanning all file types in a single pass
Git hooks use lefthook which must be installed (see install metadata above)
Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
Output formats: text (default), json, html

Error Handling

If lefthook is not installed and user tries hooks, prompt to install it
If license key is invalid or expired, show clear message with link to https://cryptolint.pages.dev/renew
If a file is binary, skip it automatically with no warning
If no scannable files found in target, report clean scan with info message
If an invalid category is specified with --category, show available categories

When to Use CryptoLint

The user might say things like:

"Scan my code for crypto issues"
"Check my cryptography usage"
"Find weak algorithms in my code"
"Detect hardcoded encryption keys"
"Are there any MD5 or SHA1 uses?"
"Check for insecure encryption modes"
"Audit my TLS configuration"
"Find ECB mode usage"
"Check for timing attack vulnerabilities"
"Scan for weak random number generation"
"Run a cryptography audit"
"Generate a crypto quality report"
"Check if Math.random is used for security"
"Find hardcoded IVs and salts"
"Check my code for crypto anti-patterns"

Comments

Loading comments...