security-antipatterns-python
3
总安装量
1
周安装量
#57871
全站排名
安装命令
npx skills add https://github.com/subhashdasyam/security-antipatterns-python --skill security-antipatterns-python
Agent 安装分布
claude-code
1
Skill 文档
Security Anti-Patterns Guard for Python
Overview
Code generation guard that prevents security vulnerabilities while writing Python web application code. Covers OWASP Top 10 Web (2021), OWASP API Security Top 10 (2023), with CWE references throughout.
Stack: Python, Django, Flask, FastAPI, SQLAlchemy, Pydantic
When to Activate
Activate when generating code that:
- Handles user input (forms, API requests, file uploads)
- Queries databases (SQL, ORM operations)
- Performs authentication or authorization
- Manages sessions or tokens
- Processes files or paths
- Serializes/deserializes data
- Uses cryptographic operations
- Executes system commands
Critical Rules (Top 10)
- NEVER use f-strings or
.format()in SQL queries – use parameterized queries or ORM - NEVER use
pickle.loads()on untrusted data – use JSON with schema validation - NEVER use
eval(),exec(), orcompile()on user input - NEVER use
os.system()orshell=Truewith user data – usesubprocess.run()with list args - NEVER use
yaml.load()– useyaml.safe_load() - NEVER hardcode secrets – use environment variables
- NEVER use
randomfor security – usesecretsmodule - NEVER use
md5orsha1for passwords – usebcryptorargon2 - NEVER trust user-supplied file paths – validate with
pathliband check resolved path - NEVER skip authorization checks – always verify user owns/can access the resource
Module Index
| Module | Focus | Key Vulnerabilities |
|---|---|---|
| references/injection.md | SQL, Command, Template, LDAP | CWE-89, CWE-78, CWE-90, CWE-1336 |
| references/deserialization.md | pickle, yaml, marshal | CWE-502 |
| references/xss-output.md | XSS, template escaping | CWE-79 |
| references/auth-access.md | BOLA, BFLA, sessions | CWE-862, CWE-863, CWE-287 |
| references/crypto-secrets.md | Secrets, hashing, encryption | CWE-798, CWE-327, CWE-916 |
| references/input-validation.md | Pydantic, forms, uploads | CWE-20, CWE-434, CWE-915 |
| references/file-operations.md | Path traversal, temp files | CWE-22, CWE-377 |
| references/django-security.md | CSRF, settings, ORM | Django-specific |
| references/fastapi-flask.md | Auth, CORS, validation | FastAPI/Flask-specific |
| references/dependencies.md | pip audit, typosquatting | CWE-1104, CWE-1357 |
| references/python-runtime.md | eval/exec, ReDoS | CWE-94, CWE-1333 |
Quick Decision Tree
User input involved?
ââ Database query â See references/injection.md (use ORM/parameterized)
ââ File path â See references/file-operations.md (use pathlib + resolve check)
ââ Command execution â See references/injection.md (subprocess with list args)
ââ Deserialization â See references/deserialization.md (NEVER pickle untrusted)
ââ Template rendering â See references/xss-output.md (auto-escape enabled)
ââ API endpoint â See references/auth-access.md + references/input-validation.md
Storing/generating secrets?
ââ API keys â See references/crypto-secrets.md (env vars)
ââ Passwords â See references/crypto-secrets.md (bcrypt/argon2)
ââ Tokens â See references/crypto-secrets.md (secrets module)
Framework-specific?
ââ Django â See references/django-security.md
ââ FastAPI â See references/fastapi-flask.md
ââ Flask â See references/fastapi-flask.md
How to Use This Skill
- During code generation: Reference relevant module for specific vulnerability patterns
- Code review: Check generated code against patterns in each module
- When uncertain: Default to the more secure option; add explicit comments explaining security decisions