security-insecure-defaults
Insecure Defaults Detection
When to Use
- Auditing application or framework default configurations
- Reviewing deployment configs (Docker, Kubernetes, cloud)
- Checking for debug modes, default credentials, or open endpoints in production
- Hardening new service deployments
- Reviewing infrastructure-as-code for permissive defaults
When NOT to Use
- Runtime vulnerability scanning (use DAST tools)
- Source code logic bugs (use static analysis)
- Network-level security testing
Common Insecure Defaults by Category
Web Frameworks
| Default | Risk | Fix |
|---|---|---|
DEBUG=True |
Stack traces leak internals | Ensure DEBUG=False in production |
Default SECRET_KEY |
Session forgery, CSRF bypass | Generate cryptographically random key |
CORS Allow-Origin: * |
Cross-origin data theft | Restrict to known origins |
| No CSRF protection | State-changing request forgery | Enable CSRF middleware |
| Verbose error pages | Information disclosure | Use generic error pages in production |
Databases
| Default | Risk | Fix |
|---|---|---|
| No authentication | Unauthorized access | Enable auth; set strong passwords |
Bind to 0.0.0.0 |
Network exposure | Bind to 127.0.0.1 or Unix socket |
| Default ports | Easy discovery | Use non-standard ports (defense in depth) |
| No encryption at rest | Data exposure if disk stolen | Enable encryption |
Cloud / Infrastructure
| Default | Risk | Fix |
|---|---|---|
| Public S3 buckets | Data leak | Block public access at account level |
| Default VPC security groups | Overly permissive ingress | Least-privilege security groups |
| IMDSv1 enabled | SSRF to credential theft | Require IMDSv2 |
| No log retention | Forensic blind spots | Enable CloudTrail/audit logging |
Detection Approach
# Search for common insecure defaults
grep -rn "DEBUG.*=.*True\|debug.*=.*true" --include="*.py" --include="*.yaml" .
grep -rn "SECRET_KEY.*=.*['\"]\(changeme\|secret\|default\)" .
grep -rn "0\.0\.0\.0\|ALLOW_ALL\|AllowAny\|\*\.\*\.\*\.\*" .
grep -rn "password.*=.*['\"]\(admin\|root\|password\|123\)" .
Hardening Workflow
- Inventory all configuration files and environment variables
- Compare against framework security documentation
- Check for debug/development settings in production configs
- Verify secrets are externalized (not hardcoded)
- Validate network binding and access control settings
- Review cloud IAM policies for overly broad permissions
- Document deviations from secure defaults with justification
More from elizaos/eliza
nano-pdf
Edits PDF files using natural-language instructions via the nano-pdf CLI. Supports modifying text, changing titles, fixing typos, and updating content on specific pages. Use when the user wants to edit a PDF, modify PDF content, update PDF text, fix a typo in a PDF, change a PDF title, or rewrite part of a PDF page.
30wacli
Send WhatsApp messages to other people or search/sync WhatsApp history via the wacli CLI (not for normal user chats). Use when the user asks to send a WhatsApp message, text someone on WhatsApp, search WhatsApp chat history, sync WhatsApp conversations, backfill message history, or forward a file via WhatsApp to a third party.
27nano-banana-pro
Generate or edit images via Gemini 3 Pro Image (Nano Banana Pro). Use when the user asks to create an image, generate a picture, produce AI-generated artwork, edit a photo, compose multiple images, or upscale an image to higher resolution. Supports text-to-image generation, single-image editing, and multi-image composition using the Gemini API.
27obsidian
Work with Obsidian vaults (plain Markdown notes) and automate via obsidian-cli. Use when the user asks about notes, vault management, PKM, knowledge base organization, wikilinks, or personal knowledge management in Obsidian.
25session-logs
Search and analyze session logs (older/parent conversations) stored as JSONL files using jq and rg. Use when the user asks about prior chats, previous conversations, conversation history, what was said before, session costs, token usage, or tool usage breakdown across past sessions.
24discord
Use when you need to control Discord from Otto via the discord tool: send messages, react, post or upload stickers, upload emojis, run polls, manage threads/pins/search, create/edit/delete channels and categories, fetch permissions or member/role/channel info, set bot presence/activity, or handle moderation actions in Discord DMs or channels.
24