Published on: 2026-06-06
Reading time: 8 min
Tags: #security #python #audit #devops
Over 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.
Problem: Anthropic, Supabase, and Telegram API keys committed in the .env file

```text
ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxx
SUPABASE_KEY=sb_publishable_xxxxxxxxxx
```

Risk: Anyone with read access to the repository can open the old commits and steal the keys → resource abuse, data breach. Deleting the file in a new commit does not help; the blobs stay in history.

Solution: purge the file from history, drop it from the index, and ignore it:

```bash
bfg --delete-files ".env" --no-blob-protection .
git rm --cached .env
echo ".env" >> .gitignore
```

After the BFG rewrite, force-push every branch and have collaborators re-clone. Treat the keys as compromised and rotate them at Anthropic, Supabase and Telegram regardless: anyone who cloned or forked the repository before the rewrite still holds the old blobs.
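The cleanup above removes keys that already leaked; the cheaper fix is to stop them at commit time. The following pre-commit hook is an added example written for this page, not code from the audited projects: it refuses the commit when a staged file is a .env file or contains a string shaped like one of the keys shown above. The key prefixes (sk-ant-, sb_, the Telegram digits:token shape), the pattern names and the generic KEY/TOKEN/SECRET rule are assumptions based on the samples, and the generic rule is coarse by design.

```python
"""Pre-commit guard (added example, not from the audited projects): refuse a commit
when staged files contain something that looks like an API key, or are a .env file."""
import re
import subprocess
import sys

# Constructed patterns for the key formats mentioned in the audit. Assumptions:
# Anthropic keys start with "sk-ant-", Supabase keys with "sb_", and a Telegram bot
# token is "<digits>:<35 chars>". The generic rule is deliberately coarse.
SECRET_PATTERNS = {
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{12,}"),
    "supabase_key": re.compile(r"\bsb_(?:publishable|secret)_[A-Za-z0-9_-]{10,}"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{30,}"),
    "generic_key_assignment": re.compile(
        r"(?i)\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET)\s*=\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}
# .env and .env.<anything> are blocked; .env.example/.env.sample/.env.template are fine.
FORBIDDEN_FILES = re.compile(r"(^|/)\.env(\.(?!example$|sample$|template$)[^/]*)?$")


def find_secrets(text: str) -> list:
    """Return [(line_no, pattern_name)] for every line matching a secret pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((n, name))
                break  # one finding per line is enough
    return hits


def audit_staged(files: dict) -> list:
    """files maps path -> content. Returns human-readable findings; [] means clean."""
    findings = []
    for path, content in files.items():
        if FORBIDDEN_FILES.search(path):
            findings.append(f"{path}: .env files must not be committed")
            continue
        for n, name in find_secrets(content):
            findings.append(f"{path}:{n}: looks like a {name}")
    return findings


def staged_files() -> dict:
    """Collect the staged version of each added/changed file from git (hook mode only)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    out = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"],
                              capture_output=True, text=True, errors="replace")
        if blob.returncode == 0:
            out[name] = blob.stdout
    return out


if __name__ == "__main__":
    problems = audit_staged(staged_files())
    for p in problems:
        print("BLOCKED:", p)
    sys.exit(1 if problems else 0)
```

Save it as .git/hooks/pre-commit (executable) or wire it into the pre-commit framework; it scans only what is staged, so it complements the history purge rather than replacing it.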
Problem: verify=False used in 10 places

```python
response = requests.get(url, verify=False)  # before: certificate checks disabled
```

```python
response = requests.get(url, verify=True)   # after (verify=True is the default)
```

Impact: an attacker on the network path can present any certificate and read or modify the traffic (HTTPS man-in-the-middle) → sensitive data exposed. If the real reason for verify=False was a self-signed or internal CA, point verify at that CA bundle (verify="/path/to/ca.pem") instead of disabling the check.
Problem: except Exception silencing all errors (114 instances)

```python
try:
    result = await db_select("contests")
except Exception:
    print("failed")  # What error? Unknown.
```

```python
import logging
import requests

logger = logging.getLogger(__name__)

try:
    result = await db_select("contests")
except requests.HTTPError as e:
    logger.error(f"DB error: {e}", exc_info=True)
    raise  # re-raise so the caller and the error tracker still see it
```

Impact: Production incidents hard to debug → increased MTTR. Catching Exception also hides programming errors (KeyError, TypeError) that should fail loudly in tests.
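Finding 10 verify=False calls and 114 broad handlers by hand does not scale, so here is a small static check for both of the last two problems (verify=False and except Exception). It is an added example written for this page, not tooling from the audited projects: it walks the AST of a module, flags any call with verify=False, and flags a bare except or except Exception/BaseException whose body never re-raises. The rule codes (TLS001, EXC001) and the sample module are made up for the demo.

```python
"""Static audit (added example, not the projects' own tooling) for two findings from
the review: requests calls with verify=False, and `except Exception` / bare `except`
handlers that swallow the error instead of re-raising."""
import ast
import sys

BROAD_TYPES = {"Exception", "BaseException"}


def _callee(node: ast.Call) -> str:
    """Best-effort name of the called function, e.g. 'get' for requests.get(...)."""
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return "<call>"


def _is_broad(h: ast.ExceptHandler) -> bool:
    if h.type is None:  # bare `except:`
        return True
    return isinstance(h.type, ast.Name) and h.type.id in BROAD_TYPES


def _reraises(h: ast.ExceptHandler) -> bool:
    return any(isinstance(n, ast.Raise) for n in ast.walk(h))


def audit_source(source: str, filename: str = "<string>") -> list:
    """Return sorted (line, code, message) findings for one module's source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append((node.lineno, "TLS001",
                                     f"{_callee(node)}(): verify=False disables certificate checks"))
        elif isinstance(node, ast.ExceptHandler) and _is_broad(node) and not _reraises(node):
            what = "bare except" if node.type is None else f"except {node.type.id}"
            findings.append((node.lineno, "EXC001", f"{what} swallows the error without re-raising"))
    return sorted(findings)


def audit_files(paths) -> list:
    """Audit several files; each finding is prefixed with its path."""
    out = []
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            out += [(p, *f) for f in audit_source(fh.read(), p)]
    return out


# Constructed sample module: one of each bad pattern plus a correct handler.
SAMPLE = '''
import requests

def fetch(url):
    return requests.get(url, verify=False, timeout=5)

async def load():
    try:
        return await db_select("contests")
    except Exception:
        print("failed")

async def load_ok():
    try:
        return await db_select("contests")
    except requests.HTTPError as e:
        logger.error("DB error: %s", e, exc_info=True)
        raise
'''

if __name__ == "__main__":
    results = audit_files(sys.argv[1:]) if len(sys.argv) > 1 else audit_source(SAMPLE)
    for r in results:
        print(*r, sep=": ")
    sys.exit(1 if results else 0)
```

Run it as `python audit.py $(git ls-files '*.py')` in CI; a handler that logs and then re-raises (like the corrected block above) passes, while print-and-continue does not. The re-raise rule is deliberately opinionated: a handler that intentionally swallows an error should catch a specific type, which the check then ignores.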
Problem: empty __init__.py files

llm-router, supabase-async and telegram-agent shipped an empty __init__.py, so nothing was exported at the package level.

```python
# llm_router/__init__.py (the relative import assumes the class lives in a submodule of the package)
from .llm_router import LLMRouter

__version__ = "0.1.0"
__all__ = ["LLMRouter"]
```

Impact: `from llm_router import LLMRouter` fails after pip install.
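The way to catch this before a user does is a post-install smoke test. The following is an added example written for this page, not part of the audited libraries: check_exports imports a package and reports a missing __version__, a missing or empty __all__, and any __all__ entry that does not resolve; build_demo_package writes a throwaway package (constructed for the demo, with a single submodule router.py defining LLMRouter) so the check can be exercised offline.

```python
"""Post-install smoke test (added example, not part of the audited libraries): every
name in __all__ must resolve and __version__ must exist, so an empty __init__.py is
caught in CI instead of by the first user."""
import importlib
import os
import sys
import tempfile


def check_exports(package_name: str) -> list:
    """Import the package and return a list of problems; [] means the API is exposed."""
    try:
        mod = importlib.import_module(package_name)
    except ImportError as e:
        return [f"{package_name}: import failed: {e}"]
    problems = []
    if not getattr(mod, "__version__", None):
        problems.append(f"{package_name}: no __version__")
    exported = getattr(mod, "__all__", None)
    if not exported:
        problems.append(f"{package_name}: __all__ missing or empty (empty __init__.py?)")
        return problems
    for name in exported:
        if not hasattr(mod, name):
            problems.append(f"{package_name}: __all__ lists {name!r} but it is not defined")
    return problems


def build_demo_package(pkg: str, init_body: str) -> str:
    """Write a throwaway package (constructed for this demo) to a temp dir and make it
    importable. It has one submodule, router.py, that defines LLMRouter."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, pkg))
    with open(os.path.join(root, pkg, "router.py"), "w") as f:
        f.write("class LLMRouter:\n    pass\n")
    with open(os.path.join(root, pkg, "__init__.py"), "w") as f:
        f.write(init_body)
    sys.path.insert(0, root)
    importlib.invalidate_caches()  # the path finder caches directory listings
    return pkg


GOOD_INIT = 'from .router import LLMRouter\n__version__ = "0.1.0"\n__all__ = ["LLMRouter"]\n'

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_package("demo_router", GOOD_INIT)
    problems = check_exports(target)
    print("\n".join(problems) or f"{target}: OK")
    sys.exit(1 if problems else 0)
```

In CI, run `pip install .` into a clean virtualenv and then `python check_exports.py llm_router`; installing from the source tree masks exactly the packaging mistakes this is meant to find.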
Problem: DB operations in ai-insight-curator's processor.py were outside the try block → exceptions unhandled

Problem: /contests?status=invalid&limit=999 accepted without checks. status was not compared against the allowed values and limit had no upper bound, so whatever the client sent was passed on as-is.

Audit summary:

| Metric | Value |
|---|---|
| New commits | 15 |
| Files modified | 22 |
| Code deleted | 347 lines |
| Code added | 200 lines |
| Tests passed | 91/91 files ✅ |
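Validation for the /contests query, as an added example that is not the project's code. It is stdlib-only so it runs anywhere; in FastAPI the same rules would be declared on the route as `status: Optional[ContestStatus] = None` and `limit: int = Query(20, ge=1, le=100)`. The status values, the default of 20 and the cap of 100 are assumptions for the demo; unknown parameters are rejected rather than ignored.

```python
"""Query-parameter validation for /contests (added example, not the project's code).
Stdlib-only; in FastAPI the same rules map onto an Enum-typed `status` parameter and
`limit: int = Query(20, ge=1, le=100)`."""
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Optional


class ContestStatus(str, Enum):
    """Allowed values; assumption: these are the statuses the API supports."""
    ACTIVE = "active"
    FINISHED = "finished"
    DRAFT = "draft"


DEFAULT_LIMIT = 20
MAX_LIMIT = 100  # cap so a client cannot pull the whole table with limit=999


class ValidationError(ValueError):
    """Raised for any client input that fails validation (map it to HTTP 422)."""


@dataclass(frozen=True)
class ContestQuery:
    status: Optional[ContestStatus]
    limit: int


def parse_contest_query(params: Mapping[str, str]) -> ContestQuery:
    """Turn raw query parameters into a validated ContestQuery or raise ValidationError."""
    unknown = set(params) - {"status", "limit"}
    if unknown:
        raise ValidationError(f"unknown parameters: {sorted(unknown)}")

    status = None
    if "status" in params:
        try:
            status = ContestStatus(params["status"])
        except ValueError:
            allowed = [s.value for s in ContestStatus]
            raise ValidationError(f"status must be one of {allowed}") from None

    raw_limit = params.get("limit", str(DEFAULT_LIMIT))
    if not raw_limit.isdigit():  # rejects "", "-1", "10abc", "1e3"
        raise ValidationError("limit must be a positive integer")
    limit = int(raw_limit)
    if not 1 <= limit <= MAX_LIMIT:
        raise ValidationError(f"limit must be between 1 and {MAX_LIMIT}")

    return ContestQuery(status=status, limit=limit)
```

Only the validated ContestQuery should reach the database layer; the enum and the integer bound also mean the values can be interpolated into the query as parameters, never as raw strings.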
- Add .env to .gitignore before the first commit
- Catch specific exceptions (HTTPError, ValueError), never bare Exception

- Urgent (24 hours):
- High (1 week): replace Exception catches with specific types
- Medium (2 weeks):
- Ongoing:
In 3 months: 23 issues found and fixed.
If we'd done security right from day one:
The most important step: Start now. Every fix prevents future incidents.