Awesome-omni-skills sharp-edges

Sharp Edges Analysis workflow skill. Use this skill when the user needs sharp-edges and the operator should preserve the upstream workflow, copied support files, and provenance before merging or handing off.

install

source · Clone the upstream repo

git clone https://github.com/diegosouzapw/awesome-omni-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/sharp-edges" ~/.claude/skills/diegosouzapw-awesome-omni-skills-sharp-edges && rm -rf "$T"

manifest: skills/sharp-edges/SKILL.md

Sharp Edges Analysis

Overview

This public intake copy packages

plugins/antigravity-awesome-skills-claude/skills/sharp-edges

from

https://github.com/sickn33/antigravity-awesome-skills

into the native Omni Skills editorial shape without hiding its origin.

Use it when the operator needs the upstream workflow, support files, and repository context to stay intact while the public validator and private enhancer continue their normal downstream flow.

This intake keeps the copied upstream files intact and uses

metadata.json

plus

ORIGIN.md

as the provenance anchor for review.

--- name: sharp-edges description: "Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by... --- # Sharp Edges Analysis Evaluates whether APIs, configurations, and interfaces are resistant to developer misuse. Identifies designs where the "easy path" leads to insecurity.

Imported source sections that did not map cleanly to the public headings are still preserved below or in the support files. Notable imported sections: Rationalizations to Reject, Sharp Edge Categories, Severity Classification, Quality Checklist, Limitations.

When to Use This Skill

Use this section as the trigger filter. It should make the activation boundary explicit before the operator loads files, runs commands, or opens a pull request.

Reviewing API or library design decisions
Auditing configuration schemas for dangerous options
Evaluating cryptographic API ergonomics
Assessing authentication/authorization interfaces
Reviewing any code that exposes security-relevant choices to developers
Implementation bugs (use standard code review)

Operating Table

Situation	Start here	Why it matters
First-time use	`metadata.json`	Confirms repository, branch, commit, and imported path before touching the copied workflow
Provenance review	`ORIGIN.md`	Gives reviewers a plain-language audit trail for the imported source
Workflow execution	`SKILL.md`	Starts with the smallest copied file that materially changes execution
Supporting context	`SKILL.md`	Adds the next most relevant copied source file without loading the entire package
Handoff decision	`## Related Skills`	Helps the operator switch to a stronger native skill when the task drifts

Workflow

This workflow is intentionally editorial and operational at the same time. It keeps the imported source useful to the operator while still satisfying the public intake standards that feed the downstream enhancer flow.

Map security-relevant APIs: authentication, authorization, cryptography, session management, input validation
Identify developer choice points: Where can developers select algorithms, configure timeouts, choose modes?
Find configuration schemas: Environment variables, config files, constructor parameters
Zero/empty/null: What happens with 0, "", null, []?
Negative values: What does -1 mean? Infinite? Error?
Type confusion: Can different security concepts be swapped?
Default values: Is the default secure? Is it documented?

Imported Workflow Notes

Imported: Analysis Workflow

Phase 1: Surface Identification

Map security-relevant APIs: authentication, authorization, cryptography, session management, input validation
Identify developer choice points: Where can developers select algorithms, configure timeouts, choose modes?
Find configuration schemas: Environment variables, config files, constructor parameters

Phase 2: Edge Case Probing

For each choice point, ask:

Zero/empty/null: What happens with
```
0
```
,
```
""
```
,
```
null
```
,
```
[]
```
?
Negative values: What does
```
-1
```
mean? Infinite? Error?
Type confusion: Can different security concepts be swapped?
Default values: Is the default secure? Is it documented?
Error paths: What happens on invalid input? Silent acceptance?

Phase 3: Threat Modeling

Consider three adversaries:

The Scoundrel: Actively malicious developer or attacker controlling config
- Can they disable security via configuration?
- Can they downgrade algorithms?
- Can they inject malicious values?
The Lazy Developer: Copy-pastes examples, skips documentation
- Will the first example they find be secure?
- Is the path of least resistance secure?
- Do error messages guide toward secure usage?
The Confused Developer: Misunderstands the API
- Can they swap parameters without type errors?
- Can they use the wrong key/algorithm/mode by accident?
- Are failure modes obvious or silent?

Phase 4: Validate Findings

For each identified sharp edge:

Reproduce the misuse: Write minimal code demonstrating the footgun
Verify exploitability: Does the misuse create a real vulnerability?
Check documentation: Is the danger documented? (Documentation doesn't excuse bad design, but affects severity)
Test mitigations: Can the API be used safely with reasonable effort?

If a finding seems questionable, return to Phase 2 and probe more edge cases.

Imported: Rationalizations to Reject

Rationalization	Why It's Wrong	Required Action
"It's documented"	Developers don't read docs under deadline pressure	Make the secure choice the default or only option
"Advanced users need flexibility"	Flexibility creates footguns; most "advanced" usage is copy-paste	Provide safe high-level APIs; hide primitives
"It's the developer's responsibility"	Blame-shifting; you designed the footgun	Remove the footgun or make it impossible to misuse
"Nobody would actually do that"	Developers do everything imaginable under pressure	Assume maximum developer confusion
"It's just a configuration option"	Config is code; wrong configs ship to production	Validate configs; reject dangerous combinations
"We need backwards compatibility"	Insecure defaults can't be grandfather-claused	Deprecate loudly; force migration

Examples

Example 1: Ask for the upstream workflow directly

Use @sharp-edges to handle <task>. Start from the copied upstream workflow, load only the files that change the outcome, and keep provenance visible in the answer.

Explanation: This is the safest starting point when the operator needs the imported workflow, but not the entire repository.

Example 2: Ask for a provenance-grounded review

Review @sharp-edges against metadata.json and ORIGIN.md, then explain which copied upstream files you would load first and why.

Explanation: Use this before review or troubleshooting when you need a precise, auditable explanation of origin and file selection.

Example 3: Narrow the copied support files before execution

Use @sharp-edges for <task>. Load only the copied references, examples, or scripts that change the outcome, and name the files explicitly before proceeding.

Explanation: This keeps the skill aligned with progressive disclosure instead of loading the whole copied package by default.

Example 4: Build a reviewer packet

Review @sharp-edges using the copied upstream files plus provenance, then summarize any gaps before merge.

Explanation: This is useful when the PR is waiting for human review and you want a repeatable audit packet.

Best Practices

Treat the generated public skill as a reviewable packaging layer around the upstream repository. The goal is to keep provenance explicit and load only the copied source material that materially improves execution.

The pit of success: Secure usage should be the path of least resistance.
If developers must understand cryptography, read documentation carefully, or remember special rules to avoid vulnerabilities, the API has failed.
Keep the imported skill grounded in the upstream repository; do not invent steps that the source material cannot support.
Prefer the smallest useful set of support files so the workflow stays auditable and fast to review.
Keep provenance, source commit, and imported file paths visible in notes and PR descriptions.
Point directly at the copied upstream files that justify the workflow instead of relying on generic review boilerplate.
Treat generated examples as scaffolding; adapt them to the concrete task before execution.

Imported Operating Notes

Imported: Core Principle

The pit of success: Secure usage should be the path of least resistance. If developers must understand cryptography, read documentation carefully, or remember special rules to avoid vulnerabilities, the API has failed.

Troubleshooting

Problem: The operator skipped the imported context and answered too generically

Symptoms: The result ignores the upstream workflow in

plugins/antigravity-awesome-skills-claude/skills/sharp-edges

, fails to mention provenance, or does not use any copied source files at all. Solution: Re-open

metadata.json

ORIGIN.md

, and the most relevant copied upstream files. Load only the files that materially change the answer, then restate the provenance before continuing.

Problem: The imported workflow feels incomplete during review

Symptoms: Reviewers can see the generated

SKILL.md

, but they cannot quickly tell which references, examples, or scripts matter for the current task. Solution: Point at the exact copied references, examples, scripts, or assets that justify the path you took. If the gap is still real, record it in the PR instead of hiding it.

Problem: The task drifted into a different specialization

Symptoms: The imported skill starts in the right place, but the work turns into debugging, architecture, design, security, or release orchestration that a native skill handles better. Solution: Use the related skills section to hand off deliberately. Keep the imported provenance visible so the next skill inherits the right context instead of starting blind.

Related Skills

```
@server-management
```
- Use when the work is better handled by that native specialization after this imported skill establishes context.
```
@service-mesh-expert
```
- Use when the work is better handled by that native specialization after this imported skill establishes context.
```
@service-mesh-observability
```
- Use when the work is better handled by that native specialization after this imported skill establishes context.
```
@sexual-health-analyzer
```
- Use when the work is better handled by that native specialization after this imported skill establishes context.

Additional Resources

Use this support matrix and the linked files below as the operator packet for this imported skill. They should reflect real copied source material, not generic scaffolding.

Resource family	What it gives the reviewer	Example path
`references`	copied reference notes, guides, or background material from upstream	`references/n/a`
`examples`	worked examples or reusable prompts copied from upstream	`examples/n/a`
`scripts`	upstream helper scripts that change execution or validation	`scripts/n/a`
`agents`	routing or delegation notes that are genuinely part of the imported package	`agents/n/a`
`assets`	supporting assets or schemas copied from the source package	`assets/n/a`

Imported Reference Notes

Imported: References

By category:

Cryptographic APIs: See references/crypto-apis.md
Configuration Patterns: See references/config-patterns.md
Authentication/Session: See references/auth-patterns.md
Real-World Case Studies: See references/case-studies.md (OpenSSL, GMP, etc.)

By language (general footguns, not crypto-specific):

Language	Guide
C/C++	references/lang-c.md
Go	references/lang-go.md
Rust	references/lang-rust.md
Swift	references/lang-swift.md
Java	references/lang-java.md
Kotlin	references/lang-kotlin.md
C#	references/lang-csharp.md
PHP	references/lang-php.md
JavaScript/TypeScript	references/lang-javascript.md
Python	references/lang-python.md
Ruby	references/lang-ruby.md

See also references/language-specific.md for a combined quick reference.

Imported: Sharp Edge Categories

1. Algorithm/Mode Selection Footguns

APIs that let developers choose algorithms invite choosing wrong ones.

The JWT Pattern (canonical example):

Header specifies algorithm: attacker can set
```
"alg": "none"
```
to bypass signatures
Algorithm confusion: RSA public key used as HMAC secret when switching RS256→HS256
Root cause: Letting untrusted input control security-critical decisions

Detection patterns:

Function parameters like
```
algorithm
```
,
```
mode
```
,
```
cipher
```
,
```
hash_type
```
Enums/strings selecting cryptographic primitives
Configuration options for security mechanisms

Example - PHP password_hash allowing weak algorithms:

// DANGEROUS: allows crc32, md5, sha1
password_hash($password, PASSWORD_DEFAULT); // Good - no choice
hash($algorithm, $password); // BAD: accepts "crc32"

2. Dangerous Defaults

Defaults that are insecure, or zero/empty values that disable security.

The OTP Lifetime Pattern:

# What happens when lifetime=0?
def verify_otp(code, lifetime=300):  # 300 seconds default
    if lifetime == 0:
        return True  # OOPS: 0 means "accept all"?
        # Or does it mean "expired immediately"?

Detection patterns:

Timeouts/lifetimes that accept 0 (infinite? immediate expiry?)
Empty strings that bypass checks
Null values that skip validation
Boolean defaults that disable security features
Negative values with undefined semantics

Questions to ask:

What happens with
```
timeout=0
```
?
```
max_attempts=0
```
?
```
key=""
```
?
Is the default the most secure option?
Can any default value disable security entirely?

3. Primitive vs. Semantic APIs

APIs that expose raw bytes instead of meaningful types invite type confusion.

The Libsodium vs. Halite Pattern:

// Libsodium (primitives): bytes are bytes
sodium_crypto_box($message, $nonce, $keypair);
// Easy to: swap nonce/keypair, reuse nonces, use wrong key type

// Halite (semantic): types enforce correct usage
Crypto::seal($message, new EncryptionPublicKey($key));
// Wrong key type = type error, not silent failure

Detection patterns:

Functions taking
```
bytes
```
,
```
string
```
,
```
[]byte
```
for distinct security concepts
Parameters that could be swapped without type errors
Same type used for keys, nonces, ciphertexts, signatures

The comparison footgun:

// Timing-safe comparison looks identical to unsafe
if hmac == expected { }           // BAD: timing attack
if hmac.Equal(mac, expected) { }  // Good: constant-time
// Same types, different security properties

4. Configuration Cliffs

One wrong setting creates catastrophic failure, with no warning.

Detection patterns:

Boolean flags that disable security entirely
String configs that aren't validated
Combinations of settings that interact dangerously
Environment variables that override security settings
Constructor parameters with sensible defaults but no validation (callers can override with insecure values)

Examples:

# One typo = disaster
verify_ssl: fasle  # Typo silently accepted as truthy?

# Magic values
session_timeout: -1  # Does this mean "never expire"?

# Dangerous combinations accepted silently
auth_required: true
bypass_auth_for_health_checks: true
health_check_path: "/"  # Oops

// Sensible default doesn't protect against bad callers
public function __construct(
    public string $hashAlgo = 'sha256',  // Good default...
    public int $otpLifetime = 120,       // ...but accepts md5, 0, etc.
) {}

See config-patterns.md for detailed patterns.

5. Silent Failures

Errors that don't surface, or success that masks failure.

Detection patterns:

Functions returning booleans instead of throwing on security failures
Empty catch blocks around security operations
Default values substituted on parse errors
Verification functions that "succeed" on malformed input

Examples:

# Silent bypass
def verify_signature(sig, data, key):
    if not key:
        return True  # No key = skip verification?!

# Return value ignored
signature.verify(data, sig)  # Throws on failure
crypto.verify(data, sig)     # Returns False on failure
# Developer forgets to check return value

6. Stringly-Typed Security

Security-critical values as plain strings enable injection and confusion.

Detection patterns:

SQL/commands built from string concatenation
Permissions as comma-separated strings
Roles/scopes as arbitrary strings instead of enums
URLs constructed by joining strings

The permission accumulation footgun:

permissions = "read,write"
permissions += ",admin"  # Too easy to escalate

# vs. type-safe
permissions = {Permission.READ, Permission.WRITE}
permissions.add(Permission.ADMIN)  # At least it's explicit

Imported: Severity Classification

Severity	Criteria	Examples
Critical	Default or obvious usage is insecure	`verify: false` default; empty password allowed
High	Easy misconfiguration breaks security	Algorithm parameter accepts "none"
Medium	Unusual but possible misconfiguration	Negative timeout has unexpected meaning
Low	Requires deliberate misuse	Obscure parameter combination

Imported: Quality Checklist

Before concluding analysis:

Probed all zero/empty/null edge cases
Verified defaults are secure
Checked for algorithm/mode selection footguns
Tested type confusion between security concepts
Considered all three adversary types
Verified error paths don't bypass security
Checked configuration validation
Constructor params validated (not just defaulted) - see config-patterns.md

Imported: Limitations

Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.