# Security Audit of 6 Python Projects: 25 Issues Found & Fixed

A developer audited six Python projects (three bots and three libraries) over three months, uncovering 25 security and code issues, 23 of which were fixed immediately. Critical problems included exposed API keys for Anthropic, Supabase, and Telegram in committed `.env` files, `verify=False` in 10 HTTP request locations enabling man-in-the-middle attacks, and 114 instances of bare `except Exception` blocks that silenced errors and hindered debugging. The fixes involved cleaning git history, rotating keys, enforcing HTTPS verification, and replacing generic exception handlers with specific types like `HTTPError` and `ValueError`.

Published on: 2026-06-06
Reading time: 8 min
Tags: security, python, audit, devops

Over 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.

## 1. API Keys Committed to Git

Problem: Anthropic, Supabase, and Telegram API keys committed in the `.env` file.

❌ Exposed (visible in `git log`):

```
ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxx
SUPABASE_KEY=sb_publishable_xxxxxxxxxx
```

Risk: Anyone can access previous commits and steal the API keys → resource abuse, data breach.

Solution:

1. Clean history with BFG:

   ```bash
   bfg --delete-files ".env" --no-blob-protection .
   ```

   BFG only rewrites the commits; afterwards run `git reflog expire --expire=now --all && git gc --prune=now --aggressive` and force-push. Any clone that already pulled the old commits still contains the keys, which is why step 3 is not optional.

2. Remove from Git:

   ```bash
   git rm --cached .env
   echo ".env" >> .gitignore
   ```

3. Rotate the API keys (mandatory).

## 2. TLS Verification Disabled

Problem: `verify=False` used in 10 places.

❌ Insecure:

```python
response = requests.get(url, verify=False)
```

✅ Secure:

```python
response = requests.get(url, verify=True)  # verify=True is the default; just drop the override
```

Impact: HTTPS man-in-the-middle attacks possible → sensitive data exposed.

## 3. Bare `except Exception`

Problem: `except Exception` silencing all errors (114 instances).

❌ No error tracking:

```python
try:
    result = await db.select("contests")
except Exception:
    print("failed")  # What error? Unknown.
```
✅ Specific handling:

```python
import logging
import requests

logger = logging.getLogger(__name__)

try:
    result = await db.select("contests")
except requests.HTTPError as e:
    logger.error(f"DB error: {e}", exc_info=True)  # full traceback goes to the log
    raise  # re-raise so the caller still sees the failure
```

Impact: Production incidents hard to debug → increased MTTR.

## 4. Empty `__init__.py` Files

Problem: llm-router, supabase-async, telegram-agent had an empty `__init__.py`.

❌ Before: empty `__init__.py` file.

✅ After:

```python
from .llm_router import LLMRouter  # relative import of the module that defines LLMRouter

__version__ = "0.1.0"
__all__ = ["LLMRouter"]
```

Impact: Import failures after `pip install`.

## Other Issues

- DB operations in ai-insight-curator's `processor.py` were outside the `try` block → exceptions unhandled.
- `/contests?status=invalid&limit=999` accepted without checks.

## Results

| Metric | Value |
|---|---|
| New commits | 15 |
| Files modified | 22 |
| Code deleted | 347 lines |
| Code added | 200 lines |
| Tests passed | 91/91 files ✅ |

## Lessons

- `.env` to `.gitignore` before the first commit
- `HTTPError`, `ValueError` — never bare `Exception`

## Priorities

- Urgent (24 hours):
- High (1 week): Exception catches with specific types
- Medium (2 weeks):
- Ongoing:

In 3 months: 23 issues found and fixed. If we'd done security right from day one:

The most important step: Start now. Every fix prevents future incidents.
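The three biggest findings above (committed keys, `verify=False`, broad `except`) are all mechanically detectable, so here is an added example of a small stdlib-only audit script that finds them. It is not code from the post or from any of the six projects; the key patterns are assumptions built from the redacted prefixes the post shows (`sk-ant-api03-`, `sb_publishable_`) plus the public Telegram bot-token shape, and the `.env` and source samples are constructed inline.

```python
"""Audit helper (added example, not the post's code): flags committed API keys,
requests calls with verify=False, and bare/broad except clauses."""
import ast
import re
from dataclasses import dataclass

# Assumed secret shapes: the post only shows the redacted prefixes
# "sk-ant-api03-" and "sb_publishable_"; the Telegram pattern is the public
# "<bot id>:<35-char token>" form.  Tighten these for your own key formats.
SECRET_PATTERNS = {
    "anthropic_api_key": re.compile(r"sk-ant-api03-[A-Za-z0-9_-]{8,}"),
    "supabase_key": re.compile(r"sb_publishable_[A-Za-z0-9_-]{8,}"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
}

BROAD_EXCEPTIONS = {"Exception", "BaseException"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "request"}


@dataclass(frozen=True)
class Finding:
    kind: str    # e.g. "anthropic_api_key", "verify_false", "broad_except"
    line: int    # 1-based line number in the scanned text
    detail: str  # short, already-redacted description


def scan_secrets(text: str) -> list[Finding]:
    """Flag secret-looking tokens line by line; only a redacted prefix is kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(name, lineno, match.group(0)[:12] + "..."))
    return findings


def _is_http_call(node: ast.Call) -> bool:
    # requests.get(...), session.post(...), client.request(...): match on the
    # attribute name so wrapped sessions are caught as well as the bare module.
    return isinstance(node.func, ast.Attribute) and node.func.attr in HTTP_METHODS


def scan_source(src: str) -> list[Finding]:
    """Parse Python source and flag verify=False and bare/broad except clauses."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and _is_http_call(node):
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append(Finding("verify_false", node.lineno,
                                            ast.unparse(node.func) + "(...)"))
        elif isinstance(node, ast.ExceptHandler):
            if node.type is None:
                findings.append(Finding("bare_except", node.lineno, "except:"))
            elif isinstance(node.type, ast.Name) and node.type.id in BROAD_EXCEPTIONS:
                findings.append(Finding("broad_except", node.lineno,
                                        f"except {node.type.id}"))
    # ast.walk is breadth-first, so sort to report findings in file order
    return sorted(findings, key=lambda f: f.line)


# Constructed sample inputs (fake values; nothing here is a real credential).
SAMPLE_ENV = """\
ANTHROPIC_API_KEY=sk-ant-api03-AbCdEfGhIjKlMnOp
SUPABASE_KEY=sb_publishable_0123456789abcdef
TELEGRAM_BOT_TOKEN=123456789:AAHfakeTOKENfakeTOKENfakeTOKEN12345
LOG_LEVEL=info
"""

SAMPLE_SRC = '''\
import requests

def fetch(url):
    try:
        return requests.get(url, verify=False, timeout=10)
    except Exception:
        print("failed")

def parse(raw):
    try:
        return int(raw)
    except ValueError as e:
        raise RuntimeError("bad input") from e
'''


def run_audit() -> dict[str, list[Finding]]:
    """Run both scanners over the constructed samples."""
    return {"env": scan_secrets(SAMPLE_ENV), "source": scan_source(SAMPLE_SRC)}


if __name__ == "__main__":
    for area, findings in run_audit().items():
        for f in findings:
            print(f"[{area}] line {f.line}: {f.kind} ({f.detail})")
```

Wired into a pre-commit hook (scan staged files instead of the inline samples), this catches the first two issue classes before they ever reach `git log`; the `parse()` function in the sample shows that a specific `except ValueError` is left alone, which is exactly the pattern the post recommends.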
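For the `/contests?status=invalid&limit=999` finding, here is an added example (not the post's code) of validating those two query parameters before they reach the database. The allowed status values, the default limit and the cap of 100 are assumptions; the post only shows that an unknown status and an oversized limit were accepted unchecked.

```python
"""Query validation for the post's /contests endpoint (added example).
The allowed statuses and limit bounds are assumed, not taken from the post."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ALLOWED_STATUS = frozenset({"active", "upcoming", "finished"})  # assumed values
DEFAULT_LIMIT = 20   # assumed
MAX_LIMIT = 100      # assumed cap; stops limit=999 from turning into a full-table read


class InvalidQuery(ValueError):
    """Client error with a safe, specific message (maps to HTTP 422 in a handler)."""


def parse_contests_query(url: str) -> dict:
    """Return {'status': str|None, 'limit': int} or raise InvalidQuery."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    unknown = sorted(set(params) - {"status", "limit"})
    if unknown:
        raise InvalidQuery(f"unknown parameter(s): {', '.join(unknown)}")
    for name, values in params.items():
        if len(values) != 1:  # ?status=a&status=b is ambiguous; reject it
            raise InvalidQuery(f"{name} given more than once")

    status = params.get("status", [None])[0]
    if status is not None and status not in ALLOWED_STATUS:
        raise InvalidQuery(f"status must be one of {sorted(ALLOWED_STATUS)}")

    raw_limit = params.get("limit", [str(DEFAULT_LIMIT)])[0]
    # isascii() + isdigit() rejects '', '-1', '1e3', '10.0' and unicode digits
    if not (raw_limit.isascii() and raw_limit.isdigit()):
        raise InvalidQuery("limit must be a positive integer")
    limit = int(raw_limit)
    if not 1 <= limit <= MAX_LIMIT:
        raise InvalidQuery(f"limit must be between 1 and {MAX_LIMIT}")

    return {"status": status, "limit": limit}


def rejects(url: str) -> Optional[str]:
    """Return the rejection message, or None if the query is accepted."""
    try:
        parse_contests_query(url)
    except InvalidQuery as e:  # specific type, never bare Exception
        return str(e)
    return None


if __name__ == "__main__":
    for candidate in ["/contests?status=active&limit=10",
                      "/contests?status=invalid&limit=999",
                      "/contests?limit=abc"]:
        print(candidate, "->", rejects(candidate) or parse_contests_query(candidate))
```

In a FastAPI handler the same constraints are expressed declaratively with `Query(DEFAULT_LIMIT, ge=1, le=MAX_LIMIT)` for the limit and a `Literal[...]`/`Enum` type for the status, so the framework returns 422 before the handler body runs; the plain-Python version above makes the individual checks visible.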