Production hardening: security fixes, code quality, 724 skills complete

- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
This commit is contained in:
mukul975
2026-03-19 13:26:49 +01:00
parent 63b442d347
commit c47eed6a64
900 changed files with 23085 additions and 2720 deletions
@@ -1,4 +1,7 @@
#!/usr/bin/env python3
# For authorized penetration testing and educational environments only.
# Usage against targets without prior mutual consent is illegal.
# It is the end user's responsibility to obey all applicable local, state and federal laws.
"""Agent for thick client application penetration testing.
Performs static analysis (strings extraction, .NET detection),
@@ -6,7 +9,6 @@ dynamic analysis (process monitoring, DLL search order checks),
local storage auditing, and API traffic interception assessment.
"""
import subprocess
import json
import sys
import os
@@ -15,6 +17,8 @@ import sqlite3
from pathlib import Path
from datetime import datetime
_SAFE_TABLE_RE = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_]*$')
class ThickClientPentestAgent:
"""Performs security assessment of thick/fat client applications."""
@@ -129,7 +133,9 @@ class ThickClientPentestAgent:
if any(kw in lower for kw in
["user", "account", "credential", "auth",
"login", "password", "token", "session"]):
cursor.execute(f'SELECT COUNT(*) FROM "{table}"')
if not _SAFE_TABLE_RE.match(table):
continue
cursor.execute(f"SELECT COUNT(*) FROM [{table}]")
count = cursor.fetchone()[0]
sensitive_tables.append({"table": table, "rows": count})