Yogendra Sisodia

Use this skill whenever you need to audit, test, or fix Authentication Failures (OWASP A07:2025) in Python web applications — especially FastAPI and Flask. Triggers include: any mention of JWT security, session management, brute force protection, credential stuffing, password policy, MFA enforcement, login rate limiting, session fixation, token validation, or auth-related error messages. Also trigger for requests to "check authentication", "audit login flows", "test auth security", "find auth bugs", or any task involving CWEs: CWE-287, CWE-307, CWE-384, CWE-521, CWE-798, CWE-613. Use proactively whenever the user shares auth-related code (routes, middleware, decorators, token handlers) even if they haven't explicitly mentioned security testing.

Security testing skill for A01:2025 Broken Access Control — the #1 OWASP risk for two consecutive cycles. Use this skill whenever the user asks about: access control vulnerabilities, IDOR (insecure direct object references), authorization bugs, SSRF testing, CORS misconfiguration, privilege escalation, JWT/session manipulation, CSRF protection, or auditing FastAPI/Flask endpoints for missing auth guards. Also trigger when the user says "test my API for access control", "check authorization", "find IDOR bugs", "review permissions", "audit my routes", or mentions CWE-284, CWE-285, CWE-352, CWE-639, CWE-862, or CWE-918.

Detect, audit, and remediate A04:2025 Cryptographic Failures in Python web applications (FastAPI and Flask). Use this skill whenever the user asks about crypto security, password hashing, JWT configuration, TLS/SSL verification, weak randomness, hardcoded secrets, or any code using hashlib, random, ssl, jwt, passlib, or cryptography modules. Also trigger when the user wants to audit security, scan for OWASP A04 issues, fix crypto bugs, or review authentication-related cryptographic code. If there's any chance a crypto weakness is involved — trigger this skill.

Expert Python security testing skill for OWASP A05:2025 — Injection vulnerabilities in FastAPI and Flask applications. Use this skill whenever the user asks about: SQL injection, XSS, SSTI (Server-Side Template Injection), OS command injection, ORM injection, LLM prompt injection, input validation, parameterized queries, Jinja2 escaping, or any untrusted data reaching an interpreter (database, OS shell, template engine, or browser). Also trigger for security audits, pen testing, Bandit SAST scans, code review for injection flaws, or any request to "find injection bugs", "check for SQLi", "audit my Flask/FastAPI app", or "scan for command injection". This skill has the highest CVE count of all OWASP categories (62,445) — always apply it proactively when reviewing Python web application security.

Detect, analyze, and remediate OWASP A06:2025 Insecure Design vulnerabilities in Python web applications (FastAPI and Flask). Use this skill whenever the user asks about architecture-level security flaws, threat modeling, rate limiting gaps, business logic vulnerabilities, insecure file uploads, race conditions, tenant isolation failures, or client-side enforcement of server-side security. Trigger even if the user doesn't say "Insecure Design" explicitly — common signals include: "missing rate limiting", "file upload security", "business logic flaw", "race condition", "multi-tenant isolation", "threat modeling", "STRIDE", "design review", or "can users abuse this flow". Also trigger for code reviews or audits where architecture-level security controls are being evaluated, not just implementation bugs.

Detect, analyze, and remediate OWASP A10:2025 — Mishandling of Exceptional Conditions in Python web applications (FastAPI and Flask). Use this skill whenever the user asks about error handling security, exception management, fail-open vulnerabilities, stack trace exposure, uncaught exceptions, transaction rollback safety, or resource leaks in exception paths. Also trigger for any OWASP A10 audit, security code review involving try/except blocks, global exception handlers, or HTTP error responses that may leak sensitive information. If the user mentions CWE-209, CWE-248, CWE-636, CWE-703, CWE-754, or CWE-476 in a Python context, use this skill immediately.

Use this skill whenever auditing, reviewing, or testing Python web applications (FastAPI or Flask) for OWASP A09:2025 — Security Logging & Alerting Failures. Trigger this skill when the user mentions: logging security, audit trails, log injection, sensitive data in logs, alerting gaps, insufficient logging, SIEM integration, log monitoring, incident detection readiness, or any request to audit or fix logging/alerting in a Python backend. Also trigger when a user asks "are we logging the right things?", "how do I detect attacks?", or "what should we be alerting on?". Do NOT skip this skill just because the request sounds simple — log-related security issues are consistently underestimated and require systematic coverage across all five CWEs.

Detect, audit, and remediate Security Misconfiguration vulnerabilities (OWASP A02:2025) in Python web applications — especially FastAPI and Flask. Use this skill whenever a user asks about: hardening a Python/FastAPI/Flask app, checking for debug mode leaks, missing security headers, exposed API docs, hardcoded secrets, insecure cookie flags, XXE vulnerabilities, or any OWASP A02 misconfiguration issue. Also trigger for tasks like "security audit", "pen test prep", "production checklist", "find misconfigs", or "harden my app". This skill covers static analysis patterns, runtime checks, tooling (Bandit, OWASP ZAP), and remediation code snippets for each sub-category of misconfiguration.

Security testing skill for OWASP A08:2025 — Software or Data Integrity Failures in Python web applications (FastAPI and Flask). Use this skill whenever the user wants to audit, detect, test, or fix integrity vulnerabilities including: insecure deserialization (pickle, yaml, jsonpickle, dill), mass assignment flaws, untrusted CDN/module inclusion, unsigned updates, CI/CD pipeline integrity, or Subresource Integrity (SRI) checks. Trigger this skill for ANY task involving pickle/deserialization security, CWE-502, CWE-915, CWE-829, CWE-345, or CWE-494, even if the user doesn't explicitly mention OWASP A08.

Expert guidance on detecting, assessing, and remediating Software Supply Chain Failures (OWASP A03:2025) in Python applications — the highest-exploit-score category in the 2025 OWASP Top 10. Use this skill whenever the user mentions dependency scanning, vulnerable packages, SBOMs, pip-audit, safety check, lockfile integrity, hash pinning, transitive dependencies, CI/CD pipeline security, compromised packages, supply chain attacks (SolarWinds, Log4Shell, typosquatting), or requests a security review of requirements.txt / pyproject.toml. Also trigger for any question about CWE-1104, CWE-1395, or CWE-1329.