security-antipatterns-python

Use when generating Python code for web applications, APIs, or handling user input - prevents OWASP Top 10 vulnerabilities in Django, Flask, FastAPI

install

source · Clone the upstream repo

git clone https://github.com/subhashdasyam/security-antipatterns-python

Claude Code · Install into ~/.claude/skills/

git clone --depth=1 https://github.com/subhashdasyam/security-antipatterns-python ~/.claude/skills/subhashdasyam-security-antipatterns-python-security-antipatterns-python

manifest: SKILL.md

source content

Security Anti-Patterns Guard for Python

Overview

Code generation guard that prevents security vulnerabilities while writing Python web application code. Covers OWASP Top 10 Web (2021), OWASP API Security Top 10 (2023), with CWE references throughout.

Stack: Python, Django, Flask, FastAPI, SQLAlchemy, Pydantic

When to Activate

Activate when generating code that:

Handles user input (forms, API requests, file uploads)
Queries databases (SQL, ORM operations)
Performs authentication or authorization
Manages sessions or tokens
Processes files or paths
Serializes/deserializes data
Uses cryptographic operations
Executes system commands

Critical Rules (Top 10)

NEVER use f-strings or
```
.format()
```
in SQL queries - use parameterized queries or ORM
NEVER use
```
pickle.loads()
```
on untrusted data - use JSON with schema validation
NEVER use
```
eval()
```
,
```
exec()
```
, or
```
compile()
```
on user input
NEVER use
```
os.system()
```
or
```
shell=True
```
with user data - use
```
subprocess.run()
```
with list args
NEVER use
```
yaml.load()
```
- use
```
yaml.safe_load()
```
NEVER hardcode secrets - use environment variables
NEVER use
```
random
```
for security - use
```
secrets
```
module
NEVER use
```
md5
```
or
```
sha1
```
for passwords - use
```
bcrypt
```
or
```
argon2
```
NEVER trust user-supplied file paths - validate with
```
pathlib
```
and check resolved path
NEVER skip authorization checks - always verify user owns/can access the resource

Module Index

Module	Focus	Key Vulnerabilities
references/injection.md	SQL, Command, Template, LDAP	CWE-89, CWE-78, CWE-90, CWE-1336
references/deserialization.md	pickle, yaml, marshal	CWE-502
references/xss-output.md	XSS, template escaping	CWE-79
references/auth-access.md	BOLA, BFLA, sessions	CWE-862, CWE-863, CWE-287
references/crypto-secrets.md	Secrets, hashing, encryption	CWE-798, CWE-327, CWE-916
references/input-validation.md	Pydantic, forms, uploads	CWE-20, CWE-434, CWE-915
references/file-operations.md	Path traversal, temp files	CWE-22, CWE-377
references/django-security.md	CSRF, settings, ORM	Django-specific
references/fastapi-flask.md	Auth, CORS, validation	FastAPI/Flask-specific
references/dependencies.md	pip audit, typosquatting	CWE-1104, CWE-1357
references/python-runtime.md	eval/exec, ReDoS	CWE-94, CWE-1333

Quick Decision Tree

User input involved?
├─ Database query → See references/injection.md (use ORM/parameterized)
├─ File path → See references/file-operations.md (use pathlib + resolve check)
├─ Command execution → See references/injection.md (subprocess with list args)
├─ Deserialization → See references/deserialization.md (NEVER pickle untrusted)
├─ Template rendering → See references/xss-output.md (auto-escape enabled)
└─ API endpoint → See references/auth-access.md + references/input-validation.md

Storing/generating secrets?
├─ API keys → See references/crypto-secrets.md (env vars)
├─ Passwords → See references/crypto-secrets.md (bcrypt/argon2)
└─ Tokens → See references/crypto-secrets.md (secrets module)

Framework-specific?
├─ Django → See references/django-security.md
├─ FastAPI → See references/fastapi-flask.md
└─ Flask → See references/fastapi-flask.md

How to Use This Skill

During code generation: Reference relevant module for specific vulnerability patterns
Code review: Check generated code against patterns in each module
When uncertain: Default to the more secure option; add explicit comments explaining security decisions