
security skill


This skill helps you write secure Python code by applying OWASP-aligned practices, preventing vulnerabilities, and auditing dependencies.

npx playbooks add skill pluginagentmarketplace/custom-plugin-python --skill security

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: Security
description: Python security best practices, OWASP, and vulnerability prevention
version: "2.1.0"
sasmp_version: "1.3.0"
bonded_agent: 07-best-practices
bond_type: PRIMARY_BOND

# Skill Configuration
retry_strategy: exponential_backoff
observability:
  logging: true
  metrics: vulnerability_count
---

# Python Security Skill

## Overview
Implement secure Python code practices and protect applications from common vulnerabilities.

## Topics Covered

### Common Vulnerabilities
- SQL injection prevention
- Command injection
- Path traversal
- Deserialization attacks
- SSRF vulnerabilities

### Secure Coding
- Input validation
- Output encoding
- Secure file handling
- Secrets management
- Environment variables

### Authentication
- Password hashing (bcrypt, argon2)
- JWT implementation
- Session security
- OAuth integration
- API key management

### Dependency Security
- pip-audit usage
- Safety scanner
- Snyk for Python
- Dependabot setup
- Vulnerability databases

### Security Testing
- Bandit static analysis
- Security unit tests
- Penetration testing basics
- SAST/DAST tools
- Code review checklist

## Prerequisites
- Python fundamentals
- Web development basics

## Learning Outcomes
- Write secure Python code
- Prevent common attacks
- Audit dependencies
- Implement authentication securely

Overview

This skill teaches practical Python security best practices and guided defenses against common vulnerabilities like SQL injection, SSRF, and deserialization attacks. It focuses on secure coding patterns, dependency auditing, and hardening authentication flows so you can reduce risk in real projects. Content is pragmatic and geared toward developers who already know Python and basic web concepts.

How this skill works

The skill inspects application layers and recommends concrete changes: input validation, output encoding, safe file and secret handling, and secure session/token handling. It also integrates dependency security tools (pip-audit, Safety, Snyk) and static analysis (Bandit) into a repeatable workflow for ongoing vulnerability detection. You get checklists, code patterns, and testing guidance to verify fixes and reduce false positives.

When to use it

  • When building or reviewing Python web services or APIs
  • Before releasing a new version to production
  • When onboarding external libraries or dependencies
  • When implementing authentication, sessions, or token flows
  • During security code reviews and pre-merge checks

Best practices

  • Validate and canonicalize all external input; use allowlists over blocklists
  • Use parameterized queries/ORMs to prevent SQL injection and avoid string-based commands
  • Hash passwords with Argon2 or bcrypt and protect secrets via environment variables or vaults
  • Run pip-audit/Safety and SAST tools in CI to catch dependency and code issues early
  • Avoid unsafe deserialization; enforce strict schemas and use proven libraries for parsing
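
The first two practices above, plus safe file handling against path traversal, as an added example that is not part of the skill's own files. The function names, the username pattern, and the sample rows are hypothetical and constructed for illustration.

```python
import re
import sqlite3
from pathlib import Path

# Allowlist (assumed policy): the only characters a username may contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def find_user_unsafe(db, name):
    # 'Before' form: input is concatenated into the SQL text, so a quote
    # in `name` changes the structure of the query.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db, name):
    # Allowlist check first, then a parameterized query: input stays data.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def resolve_upload(base_dir, user_path):
    # Canonicalize first, then require the result to stay inside base_dir.
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise ValueError("path escapes upload directory")
    return target
```

Checking containment after `resolve()` matters: comparing the raw string would miss `..` segments and absolute paths that replace the base when joined.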

Example use cases

  • Secure a Flask or FastAPI app by adding input validation, output encoding, and secure session cookies
  • Harden an authentication system: implement Argon2 password hashing and rotating JWT signing keys
  • Integrate pip-audit and Bandit into CI to block merges with high-severity findings
  • Audit a legacy codebase for command injection and path traversal issues and apply safe file handling patterns

FAQ

Is this skill suitable for beginners?

It assumes basic Python and web development knowledge; beginners can follow along but may need foundational learning first.

Which tools should I run in CI?

Run pip-audit or Safety for dependencies and Bandit for static code checks; optionally include Snyk or a commercial scanner for continuous monitoring.