Install: claude install-skill akaszubski/autonomous-dev
# Security Patterns Skill
Security best practices and patterns for secure development.
**See:** [code-examples.md](code-examples.md) for Python implementations
**See:** [templates.md](templates.md) for checklists and config templates
## When This Activates
- API key handling
- User input validation
- File operations
- Security-sensitive code
- Keywords: "security", "api key", "secret", "validate", "input"
---
## API Keys & Secrets
### Environment Variables (REQUIRED)
**Rule:** Never hardcode secrets. Always use environment variables via `.env` files.
```python
import os

# If you keep secrets in a local .env file, load it into the environment first
# (for example with python-dotenv's load_dotenv()); the code only ever reads the environment.
# ✅ CORRECT
api_key = os.getenv("ANTHROPIC_API_KEY")
# ❌ WRONG
api_key = "sk-ant-1234567890abcdef"  # NEVER!
```
**See:** [code-examples.md#api-keys--secrets](code-examples.md#api-keys--secrets) for full validation code
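The rule above is easy to state and easy to break by accident. As an added example (not the skill's own `code-examples.md`), the block below shows a fail-fast environment loader, a log-safe masking helper, and a small source scanner that flags string literals assigned to secret-looking names, the mistake shown in the WRONG line. The regex, the function names and the sample module are assumptions constructed for this illustration.

```python
import os
import re

# Assumption: a string literal (8+ chars) assigned to a name containing key/secret/token/password
# is treated as a hardcoded secret. Reading from os.getenv() does not match, by design.
_SECRET_ASSIGNMENT = re.compile(
    r'^[ \t]*(?P<name>\w*(?:key|secret|token|password)\w*)[ \t]*=[ \t]*'
    r'(?P<q>["\'])(?P<value>[^"\']{8,})(?P=q)',
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for each literal assigned to a secret-like name."""
    hits = []
    for m in _SECRET_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, m.start("name")) + 1
        hits.append((line_no, m.group("name")))
    return hits


def require_env(name: str) -> str:
    """Fail fast with a clear message instead of silently carrying None into an API client."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; put it in your .env file, never in source")
    return value


def mask(secret: str, keep: int = 4) -> str:
    """Redact a secret for logs, keeping only a short suffix so it can still be identified."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


# Constructed sample module mirroring the CORRECT/WRONG pair above (not real keys).
SAMPLE_SOURCE = '''
import os
api_key = os.getenv("ANTHROPIC_API_KEY")
API_SECRET = "sk-ant-1234567890abcdef"
db_password = 'hunter2-but-longer'
timeout_seconds = "30"
'''

if __name__ == "__main__":
    for line_no, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"hardcoded secret: line {line_no}, variable {name}")
    os.environ.setdefault("ANTHROPIC_API_KEY", "sk-ant-example-not-real")
    print("loaded key:", mask(require_env("ANTHROPIC_API_KEY")))
```

`find_hardcoded_secrets` is a pre-commit style check, not a replacement for a real secret scanner; it catches the assignment shape this skill warns about and nothing more.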
---
## Input Validation
### Path Traversal Prevention
**Rule:** Always validate that a user-supplied path, once resolved, stays inside the allowed directory.
```python
from pathlib import Path

# resolve() both sides first: is_relative_to() is a purely lexical check,
# so an unresolved path containing "../" would still pass it.
base_dir = Path(base_dir).resolve()
file_path = Path(file_path).resolve()
if not file_path.is_relative_to(base_dir):
    raise ValueError("Path traversal detected")
```
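To show why the check has to run on resolved paths, here is an added example (not part of the skill's own code) with a `safe_join` helper beside the naive lexical check. The base directory `/srv/app/uploads` and the function names are assumptions constructed for the illustration; the paths do not need to exist because `Path.resolve()` normalises missing components lexically.

```python
from pathlib import Path


def safe_join(base_dir, user_path: str) -> Path:
    """Join user_path onto base_dir and return it only if the resolved result stays inside.

    Resolving both sides normalises ".." segments and symlinks before the containment
    check. An absolute user_path replaces base_dir in the join and is rejected the same way.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError(f"Path traversal detected: {user_path!r}")
    return candidate


def naive_check(base_dir, user_path: str) -> bool:
    """The check without resolve(): lexical only, so "../" inputs pass. Shown as the anti-pattern."""
    base = Path(base_dir)
    return (base / user_path).is_relative_to(base)


# Constructed base directory for the demonstration.
UPLOAD_DIR = "/srv/app/uploads"

if __name__ == "__main__":
    print(safe_join(UPLOAD_DIR, "reports/q1.pdf"))
    for bad in ("../../../etc/passwd", "/etc/passwd"):
        print("naive check passes:", naive_check(UPLOAD_DIR, bad), "for", bad)
        try:
            safe_join(UPLOAD_DIR, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

`naive_check` returns `True` for `../../../etc/passwd` because `PurePath.is_relative_to` only compares path components; `safe_join` rejects the same input because the resolved candidate is no longer under the resolved base.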
### Command Injection Prevention
**Rule:** Never use `shell=True`. Pass arguments as lists.
```python
import subprocess

# ✅ CORRECT: each list element is one argv entry; no shell parses the input
subprocess.run([command] + args, shell=False)
# ❌ WRONG
subprocess.run(f"ls {user_input}", shell=True)  # Injection risk!
```
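The following added example (not the skill's own code) demonstrates what the list form actually buys you: the child process receives the user string as a single argument, so shell metacharacters arrive as inert data. It also covers the remaining gap the rule does not mention, argument injection, where a value beginning with `-` is read as an option; the `--` separator closes it. The child command is the current Python interpreter so the example runs anywhere; the function names and inputs are constructed for this illustration.

```python
import subprocess
import sys


def echo_argument(user_input: str) -> str:
    """Pass user_input as one argv element and have a child process print it back.

    With a list and shell=False there is no shell between us and the child, so
    characters like ';', '&&' or '$(' are not interpreted; they are just bytes in argv[1].
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_input],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def list_directory_argv(user_path: str) -> list[str]:
    """Build the argv for a directory listing.

    The '--' tells the command that option parsing is over, so a user value such as
    '-l' or '--help' is treated as a path, not as a flag (argument injection).
    """
    return ["ls", "-la", "--", user_path]


if __name__ == "__main__":
    # Constructed input containing shell syntax; it comes back unchanged and nothing else runs.
    print(repr(echo_argument("file.txt; echo injected && $(whoami)")))
    print(list_directory_argv("--help"))
```

If you must run a command line supplied by someone else, `shlex.split()` turns it into a list without invoking a shell, but the command name should still come from an allowlist rather than from the user.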
### SQL Injection Prevention
**Rule:** Always use parameterized queries.
```python
# ✅ CORRECT
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
# ❌ WRONG
curso
```