Security Anti-Patterns Guard for Python

Overview

Code generation guard that prevents security vulnerabilities while writing Python web application code. Covers OWASP Top 10 Web (2021), OWASP API Security Top 10 (2023), with CWE references throughout.

Stack: Python, Django, Flask, FastAPI, SQLAlchemy, Pydantic

When to Activate

Activate when generating code that:

Handles user input (forms, API requests, file uploads)
Queries databases (SQL, ORM operations)
Performs authentication or authorization
Manages sessions or tokens
Processes files or paths
Serializes/deserializes data
Uses cryptographic operations
Executes system commands

Critical Rules (Top 10)

NEVER use f-strings or .format() in SQL queries - use parameterized queries or ORM
NEVER use pickle.loads() on untrusted data - use JSON with schema validation
NEVER use eval(), exec(), or compile() on user input
NEVER use os.system() or shell=True with user data - use subprocess.run() with list args
NEVER use yaml.load() - use yaml.safe_load()
NEVER hardcode secrets - use environment variables
NEVER use random for security - use secrets module
NEVER use md5 or sha1 for passwords - use bcrypt or argon2
NEVER trust user-supplied file paths - validate with pathlib and check resolved path
NEVER skip authorization checks - always verify user owns/can access the resource

Module Index

Module	Focus	Key Vulnerabilities
references/injection.md	SQL, Command, Template, LDAP	CWE-89, CWE-78, CWE-90, CWE-1336
references/deserialization.md	pickle, yaml, marshal	CWE-502
references/xss-output.md	XSS, template escaping	CWE-79
references/auth-access.md	BOLA, BFLA, sessions	CWE-862, CWE-863, CWE-287
references/crypto-secrets.md	Secrets, hashing, encryption	CWE-798, CWE-327, CWE-916
references/input-validation.md	Pydantic, forms, uploads	CWE-20, CWE-434, CWE-915
references/file-operations.md	Path traversal, temp files	CWE-22, CWE-377
references/django-security.md	CSRF, settings, ORM	Django-specific
references/fastapi-flask.md	Auth, CORS, validation	FastAPI/Flask-specific
references/dependencies.md	pip audit, typosquatting	CWE-1104, CWE-1357
references/python-runtime.md	eval/exec, ReDoS	CWE-94, CWE-1333

Quick Decision Tree

User input involved?
├─ Database query → See references/injection.md (use ORM/parameterized)
├─ File path → See references/file-operations.md (use pathlib + resolve check)
├─ Command execution → See references/injection.md (subprocess with list args)
├─ Deserialization → See references/deserialization.md (NEVER pickle untrusted)
├─ Template rendering → See references/xss-output.md (auto-escape enabled)
└─ API endpoint → See references/auth-access.md + references/input-validation.md

Storing/generating secrets?
├─ API keys → See references/crypto-secrets.md (env vars)
├─ Passwords → See references/crypto-secrets.md (bcrypt/argon2)
└─ Tokens → See references/crypto-secrets.md (secrets module)

Framework-specific?
├─ Django → See references/django-security.md
├─ FastAPI → See references/fastapi-flask.md
└─ Flask → See references/fastapi-flask.md

How to Use This Skill

During code generation: Reference relevant module for specific vulnerability patterns
Code review: Check generated code against patterns in each module
When uncertain: Default to the more secure option; add explicit comments explaining security decisions

security-antipatterns-python

Safety Notice

Copy this and send it to your AI assistant to learn

Security Anti-Patterns Guard for Python

Overview

When to Activate

Critical Rules (Top 10)

Module Index

Quick Decision Tree

How to Use This Skill

Sources

Source Transparency

Related Skills

Auto Security Audit

web-recon

Trent OpenClaw Security