This is the second sub-issue of #46, and depends on #47 (the additional-skills directory reorganization).
Once the /sources/additional-skills/ directory exists, this issue tracks the creation of the full memory-safe-migration skill, including the SKILL.md, reference documents, and the static analysis assessment script.
Background
Memory safety vulnerabilities (buffer overflows, use-after-free, dangling pointers, double-free, data races) account for 60–70% of critical CVEs in major software projects. Government guidance has converged on memory-safe languages as the primary mitigation:
- CISA/NSA (2025): "Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development"
- CISA (2023): "The Case for Memory Safe Roadmaps"
- White House ONCD (2024): "Back to the Building Blocks"
AI coding agents are accelerating software development but will default to whatever language the existing codebase uses — perpetuating memory-unsafe codebases unless given explicit guidance. This skill closes that gap.
Files to create
The following file structure should be created under /sources/additional-skills/memory-safe-migration/:
memory-safe-migration/
├── README.md
├── SKILL.md
├── references/
│   ├── assessment-checklist.md
│   ├── ffi-security.md
│   ├── language-selection.md
│   └── migration-patterns.md
└── scripts/
    └── assess-migration.py
Content requirements per file
SKILL.md — Main skill following the [Agent Skills open standard](https://agentskills.io), with progressive disclosure. Must cover:
- Proactive prevention: when an agent is about to generate new C/C++ code, check whether a memory-safe alternative is viable and default to it
- CodeGuard unified source rule with YAML frontmatter
- Banned unsafe C functions (gets, strcpy, strcat, sprintf, vsprintf) with safe replacements
- Rules for minimizing and documenting unsafe blocks in Rust
- Input validation requirements at all FFI boundaries
- Memory ownership enforcement across FFI (allocator that created memory must free it)
- No panics across FFI boundaries
- Safe concurrency patterns
- Proper resource management in GC languages
references/language-selection.md — Decision matrix mapping use cases to recommended memory-safe languages:
- Rust: systems programming, cryptography, network stacks, embedded
- Go: services, CLI tools, DevOps tooling
- Java / C#: enterprise applications, backend services
- Swift: Apple platform development
references/ffi-security.md — FFI boundary security rules treating every interface between safe and unsafe code as a security boundary. Must cover input validation, memory ownership, panic safety, thread safety, and string encoding.
references/migration-patterns.md — Side-by-side C/C++ → Rust/Go/Java code examples for: buffers, strings, linked structures, concurrency, error handling, file I/O, and network servers.
references/assessment-checklist.md — Scored priority evaluation checklist covering: vulnerability history, network exposure surface, AI-accelerated risk, and migration feasibility factors.
scripts/assess-migration.py — Python static analysis script that analyzes C/C++ source files and produces a prioritized migration report. Must detect:
- Unsafe function usage (gets, strcpy, sprintf, etc.)
- Pointer arithmetic
- Buffer declarations
- Network exposure patterns
- Concurrency patterns
- Cryptographic code
Must support both human-readable and JSON output for CI/CD integration.
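A sketch of the detection core described above, added here as an illustration; it is not part of the issue and is not the project's assess-migration.py. It covers only two of the listed categories (unsafe function usage and buffer declarations), and the replacement suggestions, finding fields and function names are assumptions.

```python
import json
import re

# Banned functions named in the issue; replacements are common bounded
# alternatives (an assumption here, not the skill's own list).
BANNED = {"gets": "fgets", "strcpy": "strlcpy or snprintf", "strcat": "strlcat or snprintf",
          "sprintf": "snprintf", "vsprintf": "vsnprintf"}
# \b stops identifiers that merely end in a banned name (fgets) from matching.
CALL_RE = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")
BUF_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")  # e.g. char buf[64];
# Comments and string/char literals are blanked so they yield no findings.
NOISE_RE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

def blank_noise(src):
    """Replace comments and literals with spaces, preserving line numbers."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def scan(src, path):
    findings = []
    for lineno, line in enumerate(blank_noise(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "unsafe_function",
                             "name": m.group(1), "suggest": BANNED[m.group(1)]})
        for m in BUF_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "fixed_buffer",
                             "name": m.group(1), "size": int(m.group(2))})
    return findings

def report(findings, as_json=False):
    if as_json:
        return json.dumps({"total": len(findings), "findings": findings}, indent=2)
    return "\n".join(f'{f["file"]}:{f["line"]}: {f["kind"]} {f["name"]}' for f in findings)

# Constructed sample input, not taken from any real codebase.
SAMPLE = '''/* strcpy(dst, src) was removed in review */
void handle(const char *in) {
    char buf[64];
    const char *msg = "do not call gets()";
    sprintf(buf, "%s", in);              // unbounded write into buf
    snprintf(buf, sizeof buf, "%s", in);
    fgets(buf, sizeof buf, stdin);
}
'''

if __name__ == "__main__":
    print(report(scan(SAMPLE, "sample.c"), as_json=True))
```

Blanking comments and literals before matching is what keeps the commented-out strcpy and the "gets()" string in the sample from being reported; a regex scanner without that step produces findings a reviewer has to triage by hand.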
Acceptance criteria
- /sources/additional-skills/memory-safe-migration/SKILL.md follows Agent Skills open standard format with YAML frontmatter
- assess-migration.py runs without errors on a sample C/C++ codebase and produces valid JSON output
Dependencies