AI coding agents write insecure code. Not maliciously - they just optimize for "works" over "safe." This skill fixes that.
Ask Claude, Codex, or any AI to build a login form. You'll probably get something like:
```python
# AI-generated code - looks fine, isn't
query = f"SELECT * FROM users WHERE email = '{email}'"
cursor.execute(query)  # SQL injection waiting to happen
```

The AI didn't know better. It generated statistically likely Python code. Unfortunately, statistically likely often means copied from Stack Overflow circa 2015.
This skill teaches the AI to catch these patterns and fix them before they hit your codebase.
11 modules covering OWASP Top 10 Web and API vulnerabilities:
| Module | What it prevents |
|---|---|
| injection.md | SQL injection, command injection, template injection |
| deserialization.md | pickle attacks, unsafe yaml.load |
| xss-output.md | Cross-site scripting, missing template escaping |
| auth-access.md | Broken access control, BOLA, session issues |
| crypto-secrets.md | Weak hashing, hardcoded secrets, bad randomness |
| input-validation.md | Missing validation, file upload attacks, mass assignment |
| file-operations.md | Path traversal, temp file races |
| django-security.md | CSRF bypass, unsafe settings, ORM gotchas |
| fastapi-flask.md | Auth patterns, CORS misconfiguration |
| dependencies.md | Supply chain attacks, typosquatting |
| python-runtime.md | eval/exec dangers, ReDoS |
- Never f-strings in SQL. Use parameterized queries.
- Never `pickle.loads()` on untrusted data. Use JSON.
- Never `yaml.load()`. Use `yaml.safe_load()`.
- Never `os.system()` with user input. Use `subprocess.run()` with a list.
- Never `random` for security. Use `secrets`.
- Never MD5/SHA1 for passwords. Use bcrypt or argon2.
Each module has bad and good examples so you can see exactly what to avoid.
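The "Never" rules above can also be checked mechanically. The following is an added example, not part of the skill or its modules: a small `ast`-based checker whose rule table, function names and sample input are constructed here, and whose matching is heuristic (it flags every `random.*` and `hashlib.md5`/`sha1` call, whatever the purpose).

```python
import ast

# Rules from the page's "Never" list: dotted call name -> advice (heuristic).
BANNED_CALLS = {
    "pickle.loads": "use JSON for untrusted data",
    "yaml.load": "use yaml.safe_load()",
    "os.system": "use subprocess.run() with an argument list",
    "hashlib.md5": "use bcrypt or argon2 for passwords",
    "hashlib.sha1": "use bcrypt or argon2 for passwords",
}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def find_antipatterns(source):
    """Return sorted (line, message) findings for the rules above."""
    tree = ast.parse(source)
    # Track names bound to f-strings so `query = f"..."; execute(query)` is caught.
    fstring_vars = set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Assign) and isinstance(n.value, ast.JoinedStr):
            fstring_vars.update(t.id for t in n.targets if isinstance(t, ast.Name))
    findings = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = dotted_name(node.func) or ""
        if name in BANNED_CALLS:
            findings.append((node.lineno, f"{name}(): {BANNED_CALLS[name]}"))
        elif name.startswith("random."):
            findings.append((node.lineno, f"{name}(): use the secrets module"))
        elif isinstance(node.func, ast.Attribute) and node.func.attr == "execute" and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.JoinedStr) or (isinstance(arg, ast.Name) and arg.id in fstring_vars):
                findings.append((node.lineno, "f-string SQL: use a parameterized query"))
    return sorted(findings)

# Constructed sample input: the login snippet from this page plus two more rules.
SAMPLE = '''query = f"SELECT * FROM users WHERE email = '{email}'"
cursor.execute(query)
token = random.randint(0, 999999)
data = yaml.load(blob)
'''

if __name__ == "__main__":
    print(*find_antipatterns(SAMPLE), sep="\n")
```

A parameterized call such as `cursor.execute("SELECT * FROM users WHERE email = %s", (email,))` produces no finding, because its first argument is a constant string.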
| Platform | Status |
|---|---|
| Claude Code | Works |
| OpenAI Codex | Works |
| Google Antigravity | Works |
| Warp | Works |
| VS Code Copilot | Works |
This skill follows the Agent Skills open standard. If your AI tool supports skills, this works.
Clone to your skills directory:
```bash
git clone https://github.com/subhashdasyam/security-antipatterns-python ~/.claude/skills/security-antipatterns-python
```

Or for a specific project, clone to `.claude/skills/` in the repo.

```bash
mkdir -p ~/.codex/skills
ln -s "$(pwd)" ~/.codex/skills/security-antipatterns-python
```

```bash
mkdir -p ~/.antigravity/skills
ln -s "$(pwd)" ~/.antigravity/skills/security-antipatterns-python
```

Copy to `~/.warp/skills/` or configure the skill path in Warp settings.
Copy the skill folder to .github/skills/ in your project.
Copy or symlink this folder to wherever your AI tool looks for skills. The format is standard - it should just work.
The skill kicks in when you're generating:
- Django views or ORM queries
- Flask routes
- FastAPI endpoints
- SQLAlchemy queries
- File handling code
- Authentication or session logic
- Anything deserializing external data
MIT