[NEW SKILL] tenant-clone-environment-binding-review #3003

Description

@JeremyZeng77

Proposed Skill

Skill name: tenant-clone-environment-binding-review
Category: config
Severity: medium

What It Detects

Tenant or workspace clone features can carry production trust into derived environments when identity, integrations, and protected data are copied without strong environment rebinding.

Why This Skill Is Needed

Clone features are convenient for testing and migration, but they frequently smuggle live trust assumptions into the wrong place. A dedicated skill would help reviewers inspect clone-time security boundaries explicitly.

Detection Approach

Trace clone request, source selection, data filtering, integration rebinding, identity mapping, and post-clone access. Review copied secrets, retained webhooks, stale URLs, and whether production-only trust survives in derived environments.

Languages / Frameworks

  • Tenant clone workflows
  • Environment duplication and sandbox creation systems

Example Vulnerable Code

A cloned environment inherits live integration trust or sensitive data bindings from production because the clone workflow did not re-scope or scrub high-risk dependencies.

Example Remediation

Classify clone as a security-sensitive environment transition, scrub or regenerate trust artifacts by default, and require explicit handling for any production-bound dependency or protected dataset.
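To make the vulnerable pattern and the remediation concrete, here is an added example that is not code from this issue or from the project: a toy tenant-clone routine in a naive form (deep-copies the production record, only renaming it) beside a rebound form (regenerates integration credentials, rewrites webhook URLs to the new base URL, rotates the IdP secret, drops production admin grants, and copies protected datasets only on explicit approval), plus an audit check of the kind the proposed skill would run. All names (PRODUCTION_TENANT, clone_tenant_naive, clone_tenant_rebound, audit_clone, the record layout and the placeholder secret values) are assumptions for illustration; the tenant record is constructed sample data.

```python
import copy
import secrets

# Constructed sample production tenant record (not real data; values are placeholders).
PRODUCTION_TENANT = {
    "tenant_id": "acme-prod",
    "environment": "production",
    "base_url": "https://acme.example.com",
    "integrations": {
        "payments": {"api_key": "prod-payments-key-PLACEHOLDER",
                     "webhook_url": "https://acme.example.com/hooks/payments"},
        "crm": {"api_key": "prod-crm-key-PLACEHOLDER",
                "webhook_url": "https://acme.example.com/hooks/crm"},
    },
    "identity": {"idp_client_secret": "prod-idp-secret-PLACEHOLDER",
                 "admin_users": ["alice@acme.example"]},
    "datasets": {
        "customers": {"classification": "pii", "rows": 12000},
        "product_catalog": {"classification": "public", "rows": 400},
    },
}


def clone_tenant_naive(source, new_tenant_id, new_env):
    """Vulnerable pattern: copy everything and only rename the tenant.
    Live API keys, production webhook targets, the IdP secret, admin grants
    and PII all survive in the derived environment."""
    clone = copy.deepcopy(source)
    clone["tenant_id"] = new_tenant_id
    clone["environment"] = new_env
    return clone


def clone_tenant_rebound(source, new_tenant_id, new_env, new_base_url, allow_protected=()):
    """Remediated pattern: treat the clone as an environment transition.
    Trust artifacts are regenerated by default; protected datasets are copied
    only when named in allow_protected, and are then marked as approved."""
    clone = {
        "tenant_id": new_tenant_id,
        "environment": new_env,
        "base_url": new_base_url,
        "integrations": {},
        # Rotate the identity secret and start with no inherited admin grants.
        "identity": {"idp_client_secret": secrets.token_urlsafe(32), "admin_users": []},
        "datasets": {},
    }
    for name, integ in source["integrations"].items():
        clone["integrations"][name] = {
            # Fresh credential placeholder; a real clone step would re-provision
            # with the provider rather than mint a random string locally.
            "api_key": f"{new_env}-{name}-" + secrets.token_urlsafe(16),
            # Rebind the webhook to the derived environment's own base URL.
            "webhook_url": integ["webhook_url"].replace(source["base_url"], new_base_url, 1),
        }
    for name, ds in source["datasets"].items():
        if ds["classification"] == "public":
            clone["datasets"][name] = copy.deepcopy(ds)
        elif name in allow_protected:
            clone["datasets"][name] = {**copy.deepcopy(ds), "approved": True}
        # Otherwise protected data is deliberately not copied.
    return clone


def audit_clone(source, clone):
    """Detection check: list every place production trust survived the clone."""
    findings = []
    for name, integ in clone.get("integrations", {}).items():
        src = source["integrations"].get(name, {})
        if integ.get("api_key") == src.get("api_key"):
            findings.append(f"integration '{name}' reuses the production api_key")
        if integ.get("webhook_url", "").startswith(source["base_url"]):
            findings.append(f"integration '{name}' webhook still points at production")
    if clone["identity"].get("idp_client_secret") == source["identity"].get("idp_client_secret"):
        findings.append("identity: production IdP client secret copied")
    if clone["identity"].get("admin_users"):
        findings.append("identity: production admin grants retained")
    for name, ds in clone.get("datasets", {}).items():
        if ds.get("classification") != "public" and not ds.get("approved"):
            findings.append(f"dataset '{name}' ({ds['classification']}) copied without explicit approval")
    return findings


if __name__ == "__main__":
    naive = clone_tenant_naive(PRODUCTION_TENANT, "acme-sandbox", "sandbox")
    for f in audit_clone(PRODUCTION_TENANT, naive):
        print("naive clone:", f)
    safe = clone_tenant_rebound(PRODUCTION_TENANT, "acme-sandbox", "sandbox",
                                "https://sandbox.acme.example.com")
    print("rebound clone findings:", audit_clone(PRODUCTION_TENANT, safe))
```

The audit function is the reviewer's side of the skill: it compares each derived environment against its source and reports any credential, webhook target, identity secret, admin grant or non-public dataset that crossed the boundary unchanged and unapproved. Run against the naive clone it reports seven findings; against the rebound clone it reports none.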

References

  • OWASP ASVS
  • NIST SP 800-53
  • Environment cloning and data minimization guidance

Estimated Complexity

  • Standard ($200) — Well-known vuln class, single language, straightforward detection
  • Intermediate ($350) — Multiple languages/frameworks, nuanced detection logic
  • Complex ($500) — Novel detection approach, comprehensive coverage, low FP rate

Bounty Info


Wait for maintainer approval before starting implementation. We'll confirm scope and expected bounty tier within 48 hours.
