一键导入
python-sast
Python static analysis using bandit. Identifies injection, deserialization, unsafe exec/eval, weak crypto, and hardcoded credentials in Python code.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Python static analysis using bandit. Identifies injection, deserialization, unsafe exec/eval, weak crypto, and hardcoded credentials in Python code.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Translate natural language image descriptions into detailed, structured DALL-E prompts with subject, style, composition, lighting, and mood specifications.
Decompose mathematical problems into sub-expressions, evaluate each one with the calculator tool, and present the full working chain. Handles arithmetic, trigonometry, logarithms, and financial formulas.
Compare two or more PDF documents by extracting targeted sections, building a structured comparison matrix, and highlighting differences with page references.
Extract structured data from web pages using browser snapshot and text tools, then process it into tables, comparisons, or summaries using Python.
Analyze endpoint latency trends using historical check data from memory. Detects slow degradation, spikes vs sustained issues, and calculates baseline deviations.
Validate API response structure and content. Detects schema drift, unexpected null values, and abnormal response sizes.
| name | python-sast |
| description | Python static analysis using bandit. Identifies injection, deserialization, unsafe exec/eval, weak crypto, and hardcoded credentials in Python code. |
| requires | {"bins":["bandit"]} |
Python static analysis skill using bandit.
Use this skill when the repository contains Python code: pyproject.toml, setup.py, requirements.txt, or .py files in the source tree.
bandit -r . -f json -ll --exclude .venv,tests,node_modules
The -ll flag filters to medium and higher confidence. The -f json flag
returns structured output for parsing.
Bandit JSON output has a results array. Each result contains:
filename -- path to the fileline_number -- line of the findingissue_severity -- HIGH, MEDIUM, LOWissue_confidence -- HIGH, MEDIUM, LOWissue_text -- description of the issuetest_id -- bandit test identifier (e.g. B301)| Test ID | Category |
|---|---|
| B101 | assert used (usually test-only) |
| B102 | exec() used |
| B301-B324 | Deserialization, SQL injection, unsafe YAML |
| B501-B507 | SSL/TLS issues |
| B601-B612 | Shell injection, subprocess |
For each finding:
eval() or exec() with non-constant argumentspickle.loads() on network or file inputyaml.load() without Loader=SafeLoadersubprocess with shell=True and string formatting (f"", .format(), %).format() using external inputassert statements in test files (B101)0.0.0.0 in development configshashlib used for checksums (not security hashing)subprocess with shell=True and hardcoded constant stringsrandom module used for non-security purposes (shuffling, sampling)