aiming-lab/secrets-management
memory_data/skills/secrets-management/SKILL.md
Use this skill when handling API keys, passwords, tokens, private keys, or any sensitive credential. Never hardcode secrets in source code — apply this whenever the word "key", "token", "password", or "secret" appears in the task.
$ install --global
skillsauthnpx skillsauth add aiming-lab/metaclaw secrets-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 28, 2026, 2:57 PM48.7s1 file scanned
SKILL.md
- name:
- secrets-management
- description:
- Use this skill when handling API keys, passwords, tokens, private keys, or any sensitive credential. Never hardcode secrets in source code — apply this whenever the word "key", "token", "password", or "secret" appears in the task.
- category:
- security
Secrets Management
Rules:
- Never hardcode secrets in source files, configs committed to git, or logs.
- Use environment variables for local development (
python-dotenv). - Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password CLI) in production.
- Add
.envand*.pemto.gitignorebefore the first commit. - Rotate secrets immediately if they are exposed (leaked in a commit, log, or error message).
Scanning: Use ggshield, truffleHog, or git-secrets in CI to block secret commits.
Anti-patterns:
os.environ.get('KEY', 'hardcoded_default')in production code.- Logging full request/response bodies that may contain tokens.
Related Skills
aiming-lab/visualization-selection
development
VerifiedTrustedCommunity
Use this skill when creating charts, plots, or dashboards. Choose the visualization type that best communicates the data relationship before writing any plotting code.
2,755SKILL.mdUpdated Mar 27, 2026
aiming-lab/verify-before-irreversible-action
testing
VerifiedTrustedCommunity
Use this skill before taking any action that is hard to reverse — deleting files, overwriting data, sending messages, pushing to remote, modifying production systems. Always pause, state what you are about to do, and confirm before executing.
2,755SKILL.mdUpdated Mar 27, 2026
aiming-lab/uncertainty-acknowledgment
research
VerifiedTrustedCommunity
Use this skill when you are not sure about a fact, have outdated knowledge, or the question is contested. Explicitly communicate the level of confidence instead of asserting uncertain things as fact.
2,755SKILL.mdUpdated Mar 27, 2026
aiming-lab/tool-selection-strategy
tools
VerifiedTrustedCommunity
Use this skill when deciding which tools to call in an agentic workflow. Always choose the minimal, most direct tool for each step and avoid redundant or speculative tool calls.
2,755SKILL.mdUpdated Mar 27, 2026