Production hardening: security fixes, code quality, 724 skills complete

- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
This commit is contained in:
mukul975
2026-03-19 13:26:49 +01:00
parent 63b442d347
commit c47eed6a64
900 changed files with 23085 additions and 2720 deletions
@@ -6,7 +6,6 @@ import json
import os
import re
import subprocess
import sys
import sqlite3
from datetime import datetime, timezone
@@ -19,6 +18,8 @@ ANDROID_SENSITIVE_PATHS = [
"/sdcard/Android/data/{package}/",
]
_SAFE_TABLE_RE = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_]*$')
SENSITIVE_PATTERNS = {
"api_key": re.compile(r'["\']?api[_-]?key["\']?\s*[:=]\s*["\']([^"\']+)', re.I),
"token": re.compile(r'["\']?(?:access|auth|bearer)[_-]?token["\']?\s*[:=]\s*["\']([^"\']+)', re.I),
@@ -70,7 +71,9 @@ def scan_sqlite_databases(db_dir):
cursor.execute("SELECT name FROM sqlite_master WHERE type='table'")
tables = cursor.fetchall()
for (table_name,) in tables:
cursor.execute(f"PRAGMA table_info({table_name})")
if not _SAFE_TABLE_RE.match(table_name):
continue
cursor.execute(f"PRAGMA table_info([{table_name}])")
columns = cursor.fetchall()
sensitive_cols = []
for col in columns:
@@ -79,7 +82,7 @@ def scan_sqlite_databases(db_dir):
if sf in col_name:
sensitive_cols.append(col[1])
if sensitive_cols:
cursor.execute(f"SELECT COUNT(*) FROM {table_name}")
cursor.execute(f"SELECT COUNT(*) FROM [{table_name}]")
row_count = cursor.fetchone()[0]
findings.append({
"file": fpath,
@@ -141,7 +144,7 @@ def main():
)
parser.add_argument("--scan-dir", help="Directory containing app data to scan")
parser.add_argument("--package", help="Android package name for ADB pull")
parser.add_argument("--pull-dir", default="/tmp/mobile_audit")
parser.add_argument("--pull-dir", default=os.environ.get("MOBILE_AUDIT_DIR", "/tmp/mobile_audit"))
parser.add_argument("--output", "-o", help="Output JSON report")
args = parser.parse_args()