ivangdavila

Flask

by Iván · GitHub ↗ · v1.0.0
Platforms: linux, darwin, win32 · ✓ Security Clean
Downloads: 1297 · Stars: 2 · Active Installs: 4 · Versions: 1
Install in OpenClaw
/install flask
Description
Avoid common Flask mistakes — context errors, circular imports, session configuration, and production gotchas.
README (SKILL.md)

Application Context

  • current_app only works inside request or with app.app_context() — "working outside application context" error
  • g is per-request storage — lost after request ends, use for db connections
  • Background tasks need context — with app.app_context(): or pass data, not proxies
  • create_app() factory pattern avoids circular imports — import current_app not app

Request Context

  • request, session only inside request — "working outside request context" error
  • url_for needs context — url_for('static', filename='x', _external=True) for absolute URLs
  • Test client provides context automatically — but manual context for non-request code

Circular Imports

  • from app import app in models causes a circular import: use the factory pattern instead
  • Import inside function for late binding — or use current_app
  • Blueprints help organize — register at factory time, not import time
  • Extensions init with init_app(app) pattern — create without app, bind later

Sessions and Security

  • SECRET_KEY required for sessions — random bytes, not weak string
  • No SECRET_KEY = unsigned cookies — anyone can forge session data
  • SESSION_COOKIE_SECURE=True in production — only send over HTTPS
  • SESSION_COOKIE_HTTPONLY=True — JavaScript can't access

Debug Mode

  • debug=True in production = remote code execution — attacker can run Python
  • Use FLASK_DEBUG env var — not hardcoded
  • Debug PIN in logs if debug enabled — extra layer, but still dangerous
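
A pre-deployment check for the settings named under Sessions and Security and Debug Mode. This is an added example, not part of the skill's SKILL.md. It takes any mapping of Flask config keys (such as app.config); the function names, the placeholder list, the 32-byte minimum and the distinct-byte heuristic are assumptions made for illustration.

```python
import secrets

# Constructed list of placeholder keys often left behind in sample configs.
PLACEHOLDER_KEYS = {"dev", "secret", "changeme", "password", "secret_key"}


def secret_key_problem(key):
    """Return what is wrong with SECRET_KEY, or None if it looks random."""
    if not key:
        return "not set"
    raw = key.encode() if isinstance(key, str) else bytes(key)
    if raw.decode("latin-1").lower() in PLACEHOLDER_KEYS:
        return "well-known placeholder value"
    if len(raw) < 32:  # assumed minimum length for this example
        return "shorter than 32 bytes"
    if len(set(raw)) < 10:  # heuristic: catches keys like "aaaa...a"
        return "too few distinct bytes to be random"
    return None


def audit_flask_config(config):
    """Check a Flask-style config mapping; return [(key, finding), ...]."""
    findings = []
    problem = secret_key_problem(config.get("SECRET_KEY"))
    if problem:
        findings.append(("SECRET_KEY", problem))
    # Flask's default for SESSION_COOKIE_SECURE is False.
    if not config.get("SESSION_COOKIE_SECURE", False):
        findings.append(("SESSION_COOKIE_SECURE", "cookie may travel over plain HTTP"))
    # Flask's default for SESSION_COOKIE_HTTPONLY is True.
    if not config.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append(("SESSION_COOKIE_HTTPONLY", "cookie readable from JavaScript"))
    if config.get("DEBUG"):
        findings.append(("DEBUG", "debug mode enabled"))
    return findings


def hardened_config():
    """Settings that pass the audit; the key is random bytes, not a string literal."""
    return {"SECRET_KEY": secrets.token_bytes(32), "SESSION_COOKIE_SECURE": True,
            "SESSION_COOKIE_HTTPONLY": True, "DEBUG": False}


if __name__ == "__main__":
    weak = {"SECRET_KEY": "dev", "DEBUG": True}  # constructed sample config
    for key, finding in audit_flask_config(weak):
        print(f"{key}: {finding}")
```

Run it in CI or at startup against the production config and fail the deployment when the returned list is not empty.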

Blueprints

  • url_prefix set at registration — app.register_blueprint(bp, url_prefix='/api')
  • Blueprint routes relative to prefix — @bp.route('/users') becomes /api/users
  • blueprint.before_request only for that blueprint — app.before_request for all
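
The Application Context, Circular Imports and Blueprints rules combined in one runnable module. This is an added example, not part of the skill's SKILL.md; the blueprint name, the GREETING config key and the function names are assumptions made for illustration, and Flask must be installed.

```python
import threading

from flask import Blueprint, Flask, current_app, jsonify

# The blueprint never imports the app object, so there is no circular import.
bp = Blueprint("api", __name__)


@bp.route("/greeting")
def greeting():
    # current_app resolves to whichever app is handling this request.
    return jsonify(greeting=current_app.config["GREETING"])


def create_app(greeting_text="hello"):
    """Application factory: build, configure and wire up the app on demand."""
    app = Flask(__name__)
    app.config["GREETING"] = greeting_text
    # Registered at factory time; the route above becomes /api/greeting.
    app.register_blueprint(bp, url_prefix="/api")
    return app


def read_greeting_without_context():
    """Touch current_app with no context pushed and report what happens."""
    try:
        return current_app.config["GREETING"]
    except RuntimeError as exc:
        return f"RuntimeError: {exc}"


def run_background_job(app):
    """Run work in a thread that has no request; push an app context by hand."""
    result = {}

    def job():
        with app.app_context():
            result["greeting"] = current_app.config["GREETING"]

    worker = threading.Thread(target=job)
    worker.start()
    worker.join()
    return result["greeting"]


if __name__ == "__main__":
    demo_app = create_app("hi")
    print(demo_app.test_client().get("/api/greeting").get_json())
    print(read_greeting_without_context())
    print(run_background_job(demo_app))
```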

SQLAlchemy Integration

  • db.session.commit() explicitly — autocommit not default
  • Session scoped to request by Flask-SQLAlchemy — but background tasks need own session
  • Detached object error — object from different session, refetch or merge
  • db.session.rollback() on error — or session stays in bad state

Production

  • flask run is dev server — use Gunicorn/uWSGI in production
  • threaded=True for dev server concurrency — but still not production-ready
  • Static files through nginx — Flask serving static is slow
  • PROPAGATE_EXCEPTIONS=True for proper error handling with Sentry etc.

Common Mistakes

  • return redirect('/login') vs return redirect(url_for('login')) — url_for is refactor-safe
  • JSON response: return jsonify(data) — not return json.dumps(data)
  • Form data in request.form — JSON body in request.json or request.get_json()
  • request.args for query params — request.args.get('page', default=1, type=int)
Usage Guidance
This skill is an instruction-only checklist for Flask best practices and does not request credentials or install code — it appears safe and coherent. If you install it, expect only guidance (no code execution). As a general precaution, only grant execution/autonomy to skills you trust; if a future version adds code files, external downloads, or requests credentials, re-evaluate before enabling it.
Capability Analysis
Type: OpenClaw Skill · Name: flask · Version: 1.0.0
The skill bundle provides educational content and best practices for Flask development, covering common mistakes, security considerations, and production deployment. The `SKILL.md` file contains no malicious instructions, data exfiltration attempts, or prompt injection techniques. Warnings about security risks (e.g., `debug=True` in production) are descriptive and educational, not prescriptive for malicious actions. All content aligns with the stated purpose of avoiding Flask mistakes.
Capability Assessment
Purpose & Capability
Name/description (Flask best-practices) match the content: the SKILL.md contains explanations about contexts, blueprints, sessions, production deployment, and SQLAlchemy. The only required binary is python3, which is reasonable for a Flask-focused skill.
Instruction Scope
SKILL.md is purely documentation and runtime guidance for Flask developers; it does not instruct the agent to read unrelated files, access environment variables, or transmit data to external endpoints.
Install Mechanism
No install spec and no code files are present — lowest-risk, nothing will be written to disk or downloaded.
Credentials
The skill requires no environment variables or credentials. The lack of requested secrets is proportionate to an advice/documentation skill.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill does not request persistent system presence, nor does it modify other skills or system settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install flask
  3. After installation, invoke the skill by name or use /flask
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug flask
Version 1.0.0
License
All-time Installs 4
Active Installs 4
Total Versions 1
Frequently Asked Questions

What is Flask?

Flask is an AI Agent Skill for Claude Code / OpenClaw that helps avoid common Flask mistakes: context errors, circular imports, session configuration, and production gotchas. It has 1297 downloads so far.

How do I install Flask?

Run "/install flask" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Flask free?

Yes, Flask is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Flask support?

Flask is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).

Who created Flask?

It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.
