
Shell Security Hardening

Harden production Bash scripts against the injection classes that quietly break shells: SQL injection through heredoc expansion, FTS5 query injection, command injection, stdin bombing, and TOCTOU race conditions. Built on real vulnerability data and battle-tested fix patterns, it layers defenses (input sanitization + literal expansion + file permissions + locking) so a single bypass can't reach your data. Turn fragile shell glue and CI/CD hooks into secure-by-default code.

$15 one-time
Add to a kit →

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time
forgehouse, shell-security-hardening

Inside the run · no black box

See the actual work before you buy it.

Every shell variable that touches a database is a potential injection. The hardening pass traces user input from stdin to sink, escapes SQL three layers deep, bounds every read, and finishes against a 10-point red team checklist.

  1. Trace every piece of user-controlled data from source to sink: stdin to variable to SQL or command. Any hop without a sanitizer in between is a vulnerability candidate; that is the analysis frame for the whole script.
  2. Eliminate heredoc SQL entirely: sql_escape() plus a printf pipe writes variables literally into the query, so shell expansion can never smuggle a DROP TABLE through user input.
  3. Sanitize full-text search input separately: the FTS5 sanitizer strips quotes, wildcards, grouping and boolean operators (OR, AND, NOT, NEAR) that survive ordinary SQL escaping, three independent layers before the query runs.
  4. Bound and validate everything that enters: head -c caps stdin at a hard byte limit against memory bombing, and case patterns validate integers with a safe default fallback instead of trusting the caller.
  5. Close the file layer: flock for atomic locking against TOCTOU races, temp-plus-mv atomic writes, chmod 600 on database files, generic error messages that leak no paths, and pinned binary paths instead of whatever $PATH serves up.
  6. Review against the 10-point red team checklist (SQL and FTS5 injection, command injection, stdin limits, race conditions, permissions, info disclosure, platform differences between macOS and Linux) before the script ships.
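The six steps above as working code, added here and not the product's own sanitizers: `sql_escape`, `fts5_sanitize`, `validate_int`, `read_bounded` and `build_search_query` are hypothetical names, and the `docs`/`users` tables, the pinned paths and the byte limit are assumed values. It is written as POSIX sh so the same file runs under bash on macOS and Linux.

```shell
#!/bin/sh
# Added example, not the product's own code: the sanitizers and query
# builder for the six-step pass above, written as POSIX sh so it runs
# under bash on macOS and Linux. All function names are hypothetical.
set -e
export LC_ALL=C   # step 6: byte-wise tr/grep/sed behaviour on both platforms
# Step 5: pinned binary paths instead of whatever $PATH serves up.
HEAD=/usr/bin/head
SQLITE=/usr/bin/sqlite3
# Step 2: an SQL string literal only needs every ' doubled; the caller
# still wraps the result in '...'. Nothing else is interpreted inside it.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}
# Step 3: reduce an FTS5 MATCH term to bare words: every non-alphanumeric
# character (quotes, * wildcard, ( ) grouping, : column filter, ^) becomes
# a space, then the uppercase operator words FTS5 recognises are dropped.
# An input made only of operators legitimately yields "".
fts5_sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9 ' ' ' | tr -s ' ' '\n' \
        | grep -Evx 'AND|OR|NOT|NEAR' | tr '\n' ' ' | sed 's/^ *//; s/ *$//'
}
# Step 4: accept only a plain non-negative integer; anything else, including
# an empty string, falls back to the caller's safe default ($2).
validate_int() {
    case $1 in
        ''|*[!0-9]*) printf '%s' "$2" ;;
        *)           printf '%s' "$1" ;;
    esac
}
# Step 4: cap stdin at $1 bytes so a client that streams forever cannot
# exhaust memory; head -c exists on both GNU and macOS.
read_bounded() {
    "$HEAD" -c "$1"
}
# Step 2 at the sink: the query is a constant printf format, so the shell
# expands nothing inside it and only the escaped value is substituted.
# Real use: term=$(read_bounded 256); build_search_query "$term" "$n" | "$SQLITE" db.sqlite
build_search_query() {
    term=$(fts5_sanitize "$1")
    limit=$(validate_int "$2" 10)
    if [ -z "$term" ]; then
        printf 'SELECT id, title FROM docs LIMIT %s;' "$limit"
    else
        # alnum+spaces only, so quoting it as one FTS5 phrase cannot be broken out of
        printf "SELECT id, title FROM docs WHERE docs MATCH '\"%s\"' LIMIT %s;" \
            "$(sql_escape "$term")" "$limit"
    fi
}
```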
Use cases · what happens when you plug it in

One power source. 6 lines out.

  1. Securing shell scripts that query SQLite or PostgreSQL
  2. Auditing existing scripts for injection vulnerabilities
  3. Handling untrusted input in CI/CD pipeline hooks
  4. Safely building SQL without heredoc variable expansion
  5. Sanitizing FTS5 full-text search queries
  6. Preventing stdin bombing and DoS in long-running scripts
Benefits · what you walk away with

Yours to keep.

Your forge

  1. Close SQL, FTS5, and command injection holes with proven sanitizer functions
  2. Avoid silent failures from PATH-shadowed binaries by pinning tool paths
  3. Survive crashes mid-write with atomic temp-and-rename file patterns
  4. Fail securely: unknown or malformed input drops to a safe default, never executes

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.

sql_escape() + printf-pipe pattern that replaces unsafe heredoc SQL

part 01 of 06 · in the box

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

If you are an engineer writing or reviewing production shell scripts that touch databases, untrusted input, or CI/CD pipelines, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude: native format
  • ChatGPT: adapts via open standards
  • Gemini: adapts via open standards
  • Cursor: adapts via open standards
  • Copilot: adapts via open standards
Questions · still in the air

Catch what's on your mind.

  1. My scripts only run inside CI, never on user input, do I still need this?

    CI/CD hooks are a listed use case precisely because they consume untrusted input: branch names, commit messages, and PR titles all flow into your shell. If a script ever interpolates an external string into SQL or a command, these patterns apply.

  2. How does it stop SQL injection in Bash specifically?

    It replaces heredoc SQL, where Bash expands variables before the database ever sees them, with a sql_escape() plus printf-pipe pattern, and adds fts5_sanitize() to strip MATCH operators from full-text queries. Defenses are layered with file permissions and flock locking so a single bypass cannot reach your data.

  3. Will it scan my repo and report vulnerabilities automatically?

    No. It is a hardening pattern library with a red-team review checklist, not an automated scanner; you apply the sanitizers and patterns to your scripts yourself. For automated linting, pair it with ShellCheck.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.