skills/akaszubski/autonomous-dev/security-patterns

Security Patterns Skill

Security best practices and patterns for secure development.

See: code-examples.md for Python implementations
See: templates.md for checklists and config templates

When This Activates

  • API key handling
  • User input validation
  • File operations
  • Security-sensitive code
  • Keywords: "security", "api key", "secret", "validate", "input"

API Keys & Secrets

Environment Variables (REQUIRED)

Rule: Never hardcode secrets. Always use environment variables via .env files.

import os

# ✅ CORRECT
api_key = os.getenv("ANTHROPIC_API_KEY")

# ❌ WRONG
api_key = "sk-ant-1234567890abcdef"  # NEVER!

See: code-examples.md#api-keys--secrets for full validation code


Input Validation

Path Traversal Prevention

Rule: Always validate paths are within allowed directories.

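from pathlib import Path

# is_relative_to() is purely lexical, so resolve() both paths first;
# otherwise base_dir/../x still passes the check
if not Path(file_path).resolve().is_relative_to(Path(base_dir).resolve()):
    raise ValueError("Path traversal detected")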
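Added example (not part of the original skill or its code-examples.md): it shows that is_relative_to() alone accepts an unresolved "../" path, and that resolving before the check also rejects absolute paths and symlinks that escape the base directory. The names safe_resolve and check_cases are hypothetical, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def safe_resolve(base_dir, user_path):
    """Return the resolved path for user_path under base_dir, or raise ValueError."""
    base = Path(base_dir).resolve()
    # Joining with an absolute user_path discards base, so the check must
    # run on the final resolved result, not on the raw input string.
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError(f"Path traversal detected: {user_path!r}")
    return candidate


def check_cases():
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        (base / "report.txt").write_text("ok")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("outside")
        # Constructed case: a symlink inside base that points outside it
        os.symlink(outside, base / "link.txt")

        # The purely lexical check is fooled by an unresolved "..":
        results["lexical_bypass"] = (base / "../secret.txt").is_relative_to(base)

        samples = ["report.txt", "../secret.txt", "/etc/passwd",
                   "link.txt", "sub/../report.txt"]
        for name in samples:
            try:
                safe_resolve(base, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in check_cases().items():
        print(f"{case!r}: {outcome}")
```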

Command Injection Prevention

Rule: Never use shell=True. Pass arguments as lists.

import subprocess

# ✅ CORRECT
subprocess.run([command] + args, shell=False)

# ❌ WRONG
subprocess.run(f"ls {user_input}", shell=True)  # Injection risk!

SQL Injection Prevention

Rule: Always use parameterized queries.

# ✅ CORRECT
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))

# ❌ WRONG
cursor.execute(f"SELECT * FROM users WHERE username = '{username}'")

See: code-examples.md#input-validation for complete examples


File Operations Security

Secure Permissions

Use Case         Permission   Octal
Sensitive files  rw-------    0o600
Sensitive dirs   rwx------    0o700
Public files     rw-r--r--    0o644

File Upload Validation

  • Validate extensions (whitelist only)
  • Check file size limits
  • Reject executable files

See: code-examples.md#file-operations-security


Cryptographic Operations

Secure Random

Rule: Use secrets module for security-sensitive random values.

import secrets

# ✅ CORRECT
token = secrets.token_hex(32)

# ❌ WRONG
token = str(random.randint(0, 999999))  # Not cryptographically secure!

See: code-examples.md#cryptographic-operations for password hashing


Logging Security

Rule: Never log full secrets. Mask sensitive values.

import logging

# ✅ CORRECT
masked_key = api_key[:7] + "***" + api_key[-4:]
logging.info("Using key %s", masked_key)

# ❌ WRONG
logging.info(f"Using key {api_key}")  # Exposes full key!

Dependencies Security

# Check for vulnerabilities
pip install safety && safety check
# OR
pip install pip-audit && pip-audit

Key Takeaways

  1. Never hardcode secrets - Use environment variables
  2. Validate all inputs - User data, file paths, commands
  3. Prevent path traversal - Use is_relative_to()
  4. No shell=True - Use list arguments with subprocess
  5. Parameterized queries - Never string interpolation
  6. Secure random - Use secrets module
  7. Restrict permissions - Files 0o600, dirs 0o700
  8. Mask secrets in logs - Show only first/last few chars
  9. Scan dependencies - Use safety/pip-audit
  10. .gitignore secrets - .env, *.key, *.pem

Related Files

OWASP Top 10 Quick Reference

See: templates.md#owasp-top-10-quick-reference

First Seen
Feb 19, 2026