Production hardening: security fixes, code quality, 724 skills complete

- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
This commit is contained in:
mukul975
2026-03-19 13:26:49 +01:00
parent 63b442d347
commit c47eed6a64
900 changed files with 23085 additions and 2720 deletions
@@ -6,7 +6,6 @@ import argparse
import logging
import subprocess
from datetime import datetime
from collections import defaultdict
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
@@ -56,7 +55,7 @@ def check_esp_controls(target_ip=None):
findings = []
if target_ip:
cmd = ["nmap", "-sS", "-p", "1-1024", "--open", target_ip, "-oX", "-"]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
open_ports = result.stdout.count("state=\"open\"")
if open_ports > 10:
findings.append({"control": "CIP-005", "issue": f"{open_ports} open ports on ESP boundary",
@@ -68,13 +67,13 @@ def check_system_hardening():
"""Check CIP-007 system hardening controls."""
findings = []
svc_cmd = ["systemctl", "list-units", "--type=service", "--state=running", "--no-pager"]
result = subprocess.run(svc_cmd, capture_output=True, text=True)
result = subprocess.run(svc_cmd, capture_output=True, text=True, timeout=120)
service_count = len([l for l in result.stdout.split("\n") if ".service" in l])
if service_count > 50:
findings.append({"control": "CIP-007-R1", "issue": f"{service_count} running services (minimize unused)",
"severity": "medium"})
patch_cmd = ["apt", "list", "--upgradable"] if subprocess.run(["which", "apt"], capture_output=True).returncode == 0 else ["yum", "check-update"]
result = subprocess.run(patch_cmd, capture_output=True, text=True)
patch_cmd = ["apt", "list", "--upgradable"] if subprocess.run(["which", "apt"], capture_output=True, timeout=120).returncode == 0 else ["yum", "check-update"]
result = subprocess.run(patch_cmd, capture_output=True, text=True, timeout=120)
pending = len([l for l in result.stdout.split("\n") if l.strip() and not l.startswith("Listing")])
if pending > 0:
findings.append({"control": "CIP-007-R2", "issue": f"{pending} pending security patches",