# Security Audit of 6 Python Projects: 25 Issues Found & Fixed

> Source: <https://dev.to/justjinoit/security-audit-of-6-python-projects-25-issues-found-fixed-329>
> Published: 2026-06-06 09:46:16+00:00

**Published on**: 2026-06-06

**Reading time**: 8 min

**Tags**: #security #python #audit #devops

Over 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.

**Problem**: Anthropic, Supabase, and Telegram API keys committed in the `.env` file

```dotenv
# ❌ Exposed (visible in git log)
ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxx
SUPABASE_KEY=sb_publishable_xxxxxxxxxx
```

**Risk**: Anyone can access previous commits and steal API keys → resource abuse, data breach

**Solution**:

```bash
# 1. Clean history with BFG (run against a fresh --mirror clone, then force-push)
bfg --delete-files ".env" --no-blob-protection .
git reflog expire --expire=now --all && git gc --prune=now --aggressive

# 2. Remove from Git
git rm --cached .env
echo ".env" >> .gitignore

# 3. Rotate API keys (mandatory): rewriting history does not revoke keys that were already cloned
```

**Problem**: `verify=False` used in 10 places

```python
import requests

# ❌ Insecure: certificate verification is disabled, so any on-path attacker can impersonate the server
response = requests.get(url, verify=False)

# ✅ Secure: verify=True is already the default, so simply omit the argument
response = requests.get(url, verify=True)  # default
```

**Impact**: HTTPS man-in-the-middle attacks possible → sensitive data exposed

**Problem**: `except Exception` silencing all errors (114 instances)

```python
import logging
import requests

logger = logging.getLogger(__name__)

# ❌ No error tracking
try:
    result = await db_select("contests")
except Exception:
    print("failed")  # What error? Unknown.

# ✅ Specific handling: log the traceback and re-raise so the failure stays visible
try:
    result = await db_select("contests")
except requests.HTTPError as e:
    logger.error(f"DB error: {e}", exc_info=True)
    raise
```

**Impact**: Production incidents hard to debug → increased MTTR

**Problem**: llm-router, supabase-async, telegram-agent had empty `__init__.py` files

```python
# ❌ Before (empty file)
# __init__.py

# ✅ After: re-export the public API so `from llm_router import LLMRouter` works after pip install
# (the submodule name `.router` is an assumption; use the module that actually defines LLMRouter)
from .router import LLMRouter
__version__ = "0.1.0"
__all__ = ["LLMRouter"]
```

**Impact**: Import failures after pip install

**Problem**: DB operations in ai-insight-curator's processor.py were outside the try block → exceptions unhandled

**Problem**: `/contests?status=invalid&limit=999` accepted without checks

| Metric | Value |
|---|---|
| New commits | 15 |
| Files modified | 22 |
| Code deleted | 347 lines |
| Code added | 200 lines |
| Tests passed | 91/91 files ✅ |
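The `/contests?status=invalid&limit=999` case above is a missing-validation bug: the query parameters went straight through to the DB layer. The following is an added example, not code from the audited projects, showing how to validate that query string before it reaches the database; the allowed statuses, the limit cap and the default limit are assumptions, since the post does not list them. It uses only the standard library so it runs offline; in a FastAPI handler the same constraints are expressed with an `Enum` parameter type and `Query(ge=..., le=...)`.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed values: the post does not list the valid statuses or the limit cap.
class ContestStatus(str, Enum):
    ACTIVE = "active"
    ENDED = "ended"
    DRAFT = "draft"

MAX_LIMIT = 100
DEFAULT_LIMIT = 20

@dataclass(frozen=True)
class ContestQuery:
    status: Optional[ContestStatus]
    limit: int

class QueryValidationError(ValueError):
    """A 422-style rejection; the message is safe to return to the client."""

def validate_contests_query(url: str) -> ContestQuery:
    """Validate the query string of a /contests request before it reaches the DB layer."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Reject repeated parameters (?limit=5&limit=999) instead of silently picking one.
    for key, values in params.items():
        if len(values) != 1:
            raise QueryValidationError(f"parameter {key!r} given {len(values)} times")
    status = None
    if "status" in params:
        try:
            status = ContestStatus(params["status"][0])  # unknown value -> ValueError
        except ValueError:
            allowed = ", ".join(s.value for s in ContestStatus)
            raise QueryValidationError(f"status must be one of: {allowed}") from None
    limit = DEFAULT_LIMIT
    if "limit" in params:
        raw = params["limit"][0]
        # ASCII digits only: rejects "", "-1", "1e9" and non-ASCII digit characters
        if not (raw.isascii() and raw.isdigit()):
            raise QueryValidationError("limit must be a positive integer")
        limit = int(raw)
        if not 1 <= limit <= MAX_LIMIT:
            raise QueryValidationError(f"limit must be between 1 and {MAX_LIMIT}")
    return ContestQuery(status=status, limit=limit)
```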

- Add `.env` to `.gitignore` before the first commit
- `>=`)
- Catch `HTTPError`, `ValueError` — never bare `Exception`

**Urgent (24 hours)**:

**High (1 week)**:

- Replace bare `Exception` catches with specific types

**Medium (2 weeks)**:

**Ongoing**:

**In 3 months: 23 issues found and fixed.**

If we'd done security right from day one:

**The most important step: Start now.** Every fix prevents future incidents.
