enhance existing skills and add the message digest one

Author: righettod

.claude/skills/secure-archive-decompression/SKILL.md

@@ -22,6 +22,8 @@ Apply **all** rules below when generating or reviewing any code related to archi
 
 ```java
 // BAD: No validation is performed for any points
+String zipFilePath = "archive.zip";
+File   destDir     = new File("/output");
 try (ZipInputStream zis = new ZipInputStream(new FileInputStream(zipFilePath))) {
   ZipEntry entry;
   while ((entry = zis.getNextEntry()) != null) {
@@ -45,6 +47,8 @@ try (ZipInputStream zis = new ZipInputStream(new FileInputStream(zipFilePath)))
 }
 
 // GOOD: All the points are validated
+String zipFilePath     = "archive.zip";
+File   destDir         = new File("/output");
 int    entryCount      = 0;
 long   totalSize       = 0;
 int    MAX_ENTRIES     = 20;

.claude/skills/secure-csv-generation/SKILL.md

@@ -16,6 +16,8 @@ Apply **all** rules below when generating or reviewing any code related to Comma
 
 ```java
 // BAD: Content of fields are not validated to detect and disable any CSV injection
+  String     filePath = "output.csv";
+  String[][] rows     = {{"Name", "=CMD|' /C calc'!A0"}, {"Bob", "+1234"}};
   try (PrintWriter writer = new PrintWriter(new FileWriter(filePath))) {
           for (String[] row : rows) {
               StringBuilder sb = new StringBuilder();
@@ -31,6 +33,8 @@ Apply **all** rules below when generating or reviewing any code related to Comma
       }
 
 // GOOD: Dangerous characters used in CSV injection are prefixed to disable the injection
+  String     filePath = "output.csv";
+  String[][] rows     = {{"Name", "=CMD|' /C calc'!A0"}, {"Bob", "+1234"}};
   try (PrintWriter writer = new PrintWriter(new FileWriter(filePath))) {
             for (String[] row : rows) {
                 StringBuilder sb = new StringBuilder();

.claude/skills/secure-image-validation/SKILL.md

@@ -18,6 +18,7 @@ Apply **all** rules below when generating or reviewing any code related to valid
 
 ```java
 // BAD: No validation is applied
+File          file  = new File("image.png");
 BufferedImage image = ImageIO.read(file);
 if (image != null) {
     System.out.println("Image loaded successfully!");
@@ -123,12 +124,13 @@ Before finalizing generated code, verify:
 
 - [ ] The file is a real image file.
 - [ ] The image file has no content appended at the end of the image structure (concatenated file).
-- [ ] The image file was resized.
+- [ ] The image file was resized by removing 1px in width and 1px in height.
 
 ## References
 
 - [Example of a Payload Delivered Through Steganography from SANS](https://isc.sans.edu/diary/31892).
 - [Example of attack from Synacktiv](https://www.synacktiv.com/en/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there).
 - [A generator of weird files (binary polyglots, near polyglots, polymocks...) by Ange Albertini on GitHub](https://github.com/corkami/mitra).
 - [Image Payload Creating/Injecting tools on GitHub](https://github.com/sighook/pixload).
-- [Embed a payload inside a PNG file tools on GitHub](https://github.com/Maldev-Academy/EmbedPayloadInPng).
+- [Embed a payload inside a PNG file tools on GitHub](https://github.com/Maldev-Academy/EmbedPayloadInPng).
+- [File Upload Cheat Sheet from OWASP](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html).

.claude/skills/secure-log-entry-generation/SKILL.md

@@ -19,7 +19,8 @@ Apply **all** rules below when generating or reviewing any code related to gener
 
 ```java
 // BAD: No validation is applied
-Logger logger = Logger.getLogger(Main.class.getName());
+String userControlledContent = request.getParameter("input");
+Logger logger                = Logger.getLogger(Main.class.getName());
 logger.info(userControlledContent);
 
 // GOOD: All points are applied

.claude/skills/secure-message-digest-generation/SKILL.md

@@ -0,0 +1,72 @@
+---
+name: secure-message-digest-generation
+description: Generate secure message digest (often called hash) generation code. Enforces secure generation of a message digest. Invoke when writing any message digest generation related code.
+allowed-tools: Read Grep Glob
+metadata:
+  category: security
+---
+
+# Secure Message Digest Code Generation Rules
+
+Apply **all** rules below when generating or reviewing any code related to message digest generation.
+
+## 1. Secure algorithm usage and hash collision prevention (CRITICAL)
+
+- ALWAYS ensure that the hashing algorithm used is the strongest that exists, from a cryptography perspective, at the moment at which the code is generated. In case of any doubt always use `SHA3-512` algorithm. 
+- ALWAYS ensure that the hashing algorithm used is post-quantum resistant.
+- ALWAYS ensure that each value used to create the digest is explicitly separated by the character `|` (appended after every value, even when only one value is provided) prior to the final concatenated value being provided to the hashing function.
+- ALWAYS encode the input string to bytes using the `UTF-8` charset explicitly — never rely on the platform default charset, as it may vary across environments and produce different digests for the same input.
+- ALWAYS convert null or empty values to an explicit empty string `""` before including them in the digest input — never skip or silently drop them, as omitting a value changes the digest in the same way a different value would.
+- ALWAYS encode the raw digest bytes as a lowercase hexadecimal string — never return raw bytes or use Base64, as hex is the canonical, human-readable, and interoperable representation for message digests.
+
+```java
+// BAD: Weak algorithm, platform charset, no separator, raw bytes returned
+public byte[] computeDigestInsecure(Object[] values) {
+    StringBuilder combined = new StringBuilder();
+    for (Object value : values) {
+        combined.append(value != null ? value.toString() : ""); // no separator — hash collision risk
+    }
+    MessageDigest md = MessageDigest.getInstance("SHA1"); // weak, not post-quantum resistant
+    byte[] hashBytes = md.digest(combined.toString().getBytes()); // platform default charset — non-deterministic
+    return hashBytes; // raw bytes — not hex-encoded
+}
+
+// GOOD: All rules applied
+public String computeDigestSecure(Object[] values) {
+    StringBuilder combined = new StringBuilder();
+    for (Object value : values) {
+        // Rule 5: explicit empty string for null/empty — never skip
+        combined.append((value == null || value.toString().isEmpty()) ? "" : value.toString());
+        // Rule 3: separator after every value, including single values
+        combined.append("|");
+    }
+    // Rule 1 & 2: SHA3-512 — strongest available, post-quantum resistant
+    MessageDigest md = MessageDigest.getInstance("SHA3-512");
+    // Rule 4: explicit UTF-8 — never rely on platform default
+    byte[] hashBytes = md.digest(combined.toString().getBytes(StandardCharsets.UTF_8));
+    // Rule 6: lowercase hex — canonical, human-readable, interoperable
+    String hexDigest = HexFormat.of().formatHex(hashBytes);
+    return hexDigest;
+}
+```
+
+## 2. Output Checklist
+
+Before finalizing generated code, verify:
+
+- [ ] The hashing algorithm used is the strongest that exists, from a cryptography perspective, at the moment at which the code is generated.
+- [ ] The hashing algorithm used is post-quantum resistant.
+- [ ] A separator character `|` is appended after each value (including single values) used to create the data provided to the hashing function.
+- [ ] The input string is encoded to bytes using the `UTF-8` charset explicitly, not the platform default.
+- [ ] Null or empty values are explicitly converted to an empty string `""` and included in the digest input — never skipped or dropped.
+- [ ] The digest output is encoded as a lowercase hexadecimal string — not returned as raw bytes or Base64.
+
+## References
+
+- [Post-Quantum Cryptography from NIST](https://csrc.nist.gov/projects/post-quantum-cryptography).
+- [SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions from NIST](https://csrc.nist.gov/pubs/fips/202/final).
+- [Flickr's API Signature Forgery Vulnerability from IOACTIVE](https://www.ioactive.com/wp-content/uploads/2012/08/flickr_api_signature_forgery.pdf).
+- [Everything you need to know about hash length extension attacks from SKULLSECURITY](https://www.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks).
+- [Cryptographic_Storage_Cheat_Sheet from OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html).
+- [Hexadecimal from Wikipedia](https://en.wikipedia.org/wiki/Hexadecimal).
+- [UTF-8 from Wikipedia](https://en.wikipedia.org/wiki/UTF-8).

.claude/skills/secure-xml-parsing/SKILL.md

@@ -43,7 +43,8 @@ Document doc = builder.parse(new File("data.xml"));
 
 Before finalizing generated code, verify:
 
-- [ ] DTD and External Entities are NOT resolved.
+- [ ] DTD resolution is NOT enabled.
+- [ ] External Entities (general and parameter) are NOT resolved.
 - [ ] Internal Entities are NOT replaced.
 - [ ] XInclude support is explicitly disabled.
 

CLAUDE.md

@@ -33,7 +33,7 @@ Every skill must have:
    - `ALWAYS …` rule statements (language-agnostic).
    - A Java BAD/GOOD code example illustrating every rule.
 3. A `## 2. Output Checklist` section with one checkbox per rule.
-4. A `## References` section linking to authoritative sources (OWASP, PortSwigger, etc.).
+4. A `## References` section linking to authoritative sources (OWASP, PortSwigger, NIST, ANSSI, SANS etc.).
 
 ### Rule quality checklist
 
@@ -43,14 +43,14 @@ Before adding or modifying a skill, verify:
 - Code examples cover every stated rule — no rule without corresponding code, no code without a matching rule.
 - Numeric limits (sizes, counts, depths) are identical in both the rule text and the code constants.
 - Code snippets declare all variables they use.
-- Security gaps covered: path/input validation, canonical path checks, symlink/hardlink protection where relevant.
+- Security gaps covered: No case is missing.
 - Skill follow a consistent `secure-<subject>-<action>` naming pattern.
 
 ## Validation
 
 To validate a skill using the built-in Claude command:
 
-```
+```text
 /validate-skill <skill-name>   # validate a single skill
 /validate-skill all            # validate all skills
 ```