Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

pratos/sops-secret-editor

Name: sops-secret-editor
Author: pratos

skills/sops-secret-editor/SKILL.md

npx skillsauth add pratos/clanker-setup sops-secret-editor

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Sops Secret Editor

Activation

When this skill is triggered, ALWAYS display this banner first:

╭─────────────────────────────────────────────────────────────╮
│  🔐 SKILL ACTIVATED: sops-secret-editor                     │
├─────────────────────────────────────────────────────────────┤
│  Action: Safely write encrypted secrets via sops            │
│  Output: Updated secrets file + redacted summary            │
╰─────────────────────────────────────────────────────────────╯

When to Use

"add secrets via sops"
"update encrypted secrets"
"sops set"
"store credentials in sops"
"put this secret in secrets.yaml"
"add new api key in sops"

Inputs to Collect

Target secrets file path (default: nixpkgs/secrets/secrets.yaml)
Age key file path (default: ~/.config/sops/age/keys.txt)
List of secrets to update (multiple allowed):
- Key path (slash-separated, e.g., fpl/email)
- Secret value (never echo back)
Confirm yolo mode (apply all updates in one run without extra prompts)

Workflow / How to Run

Confirm defaults
- Secrets file: nixpkgs/secrets/secrets.yaml
- Age key file: ~/.config/sops/age/keys.txt
Validate prerequisites
- Verify the secrets file exists.
- Verify the age key file exists.
- Set SOPS_AGE_KEY_FILE before running sops.
Convert key paths to JSON indices
- fpl/email → ["fpl"]["email"]
- aws/credentials → ["aws"]["credentials"]
Apply updates (yolo mode)
- Use nix run nixpkgs#sops -- set --value-stdin for each secret.
- Always JSON-encode values before passing to sops.
- Run multiple updates in one session.

Example (multi-secret, safe stdin + JSON encoding):

set -euo pipefail
export SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt"
secrets_file="nixpkgs/secrets/secrets.yaml"

# Repeat per secret (no echo; JSON-encode via python)
read -s FPL_EMAIL
printf '%s' "$FPL_EMAIL" | python3 - <<'PY' | nix run nixpkgs#sops -- set --value-stdin "$secrets_file" '["fpl"]["email"]'
import json, sys
print(json.dumps(sys.stdin.read()))
PY

read -s FPL_PASSWORD
printf '%s' "$FPL_PASSWORD" | python3 - <<'PY' | nix run nixpkgs#sops -- set --value-stdin "$secrets_file" '["fpl"]["password"]'
import json, sys
print(json.dumps(sys.stdin.read()))
PY

Report results (redacted)
- Summarize only the keys updated and the target file path.
- Do not print or log secret values.

Output Format

Confirmation that the secrets file was updated.
List of updated keys (paths only, no values).
Any errors encountered (redact sensitive data).

Safety Rules

Never echo or log secret values.
Never print decrypted files.
Always use --value-stdin and JSON encoding.
Do not store secrets in files, commits, or shell history.
Stop immediately if sops cannot decrypt the file (missing age key).

Success Criteria

Requested keys are updated in nixpkgs/secrets/secrets.yaml.
No secret values are exposed in output or logs.
sops exits successfully for every update.

pratos/sops-secret-editor

skills/sops-secret-editor/SKILL.md

Allows pi or any agent to put secrets safely via sops.

11 stars

data-ai

Updated May 20, 2026

$ install --global

skillsauth

npx skillsauth add pratos/clanker-setup sops-secret-editor

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 20, 2026, 6:53 AM191.8s1 file scanned

SKILL.md

name:: sops-secret-editor
description:: Allows pi or any agent to put secrets safely via sops.

Sops Secret Editor

Activation

When this skill is triggered, ALWAYS display this banner first:

╭─────────────────────────────────────────────────────────────╮
│  🔐 SKILL ACTIVATED: sops-secret-editor                     │
├─────────────────────────────────────────────────────────────┤
│  Action: Safely write encrypted secrets via sops            │
│  Output: Updated secrets file + redacted summary            │
╰─────────────────────────────────────────────────────────────╯

When to Use

"add secrets via sops"
"update encrypted secrets"
"sops set"
"store credentials in sops"
"put this secret in secrets.yaml"
"add new api key in sops"

Inputs to Collect

Target secrets file path (default: nixpkgs/secrets/secrets.yaml)
Age key file path (default: ~/.config/sops/age/keys.txt)
List of secrets to update (multiple allowed):
- Key path (slash-separated, e.g., fpl/email)
- Secret value (never echo back)
Confirm yolo mode (apply all updates in one run without extra prompts)

Workflow / How to Run

Confirm defaults
- Secrets file: nixpkgs/secrets/secrets.yaml
- Age key file: ~/.config/sops/age/keys.txt
Validate prerequisites
- Verify the secrets file exists.
- Verify the age key file exists.
- Set SOPS_AGE_KEY_FILE before running sops.
Convert key paths to JSON indices
- fpl/email → ["fpl"]["email"]
- aws/credentials → ["aws"]["credentials"]
Apply updates (yolo mode)
- Use nix run nixpkgs#sops -- set --value-stdin for each secret.
- Always JSON-encode values before passing to sops.
- Run multiple updates in one session.

Example (multi-secret, safe stdin + JSON encoding):

set -euo pipefail
export SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt"
secrets_file="nixpkgs/secrets/secrets.yaml"

# Repeat per secret (no echo; JSON-encode via python)
read -s FPL_EMAIL
printf '%s' "$FPL_EMAIL" | python3 - <<'PY' | nix run nixpkgs#sops -- set --value-stdin "$secrets_file" '["fpl"]["email"]'
import json, sys
print(json.dumps(sys.stdin.read()))
PY

read -s FPL_PASSWORD
printf '%s' "$FPL_PASSWORD" | python3 - <<'PY' | nix run nixpkgs#sops -- set --value-stdin "$secrets_file" '["fpl"]["password"]'
import json, sys
print(json.dumps(sys.stdin.read()))
PY

Report results (redacted)
- Summarize only the keys updated and the target file path.
- Do not print or log secret values.

Output Format

Confirmation that the secrets file was updated.
List of updated keys (paths only, no values).
Any errors encountered (redact sensitive data).

Safety Rules

Never echo or log secret values.
Never print decrypted files.
Always use --value-stdin and JSON encoding.
Do not store secrets in files, commits, or shell history.
Stop immediately if sops cannot decrypt the file (missing age key).

Success Criteria

Requested keys are updated in nixpkgs/secrets/secrets.yaml.
No secret values are exposed in output or logs.
sops exits successfully for every update.

Related Skills

pratos/web-search-researcher

development

VerifiedTrustedCommunity

Conducts comprehensive web research to find accurate, relevant information. Use when you need modern information only discoverable on the web, documentation, best practices, or technical solutions. Uses curl+markdown.new, Exa/Parallel APIs, and camoufox browser — no surf/WebFetch/WebSearch.

11SKILL.mdUpdated May 20, 2026

pratos/web-search-researcher

pratos/uv-python-execution

development

VerifiedTrustedCommunity

Enforces using uv to run all Python scripts and ty for type checking. Includes inline script metadata (PEP 723) for one-time scripts with dependencies.

11SKILL.mdUpdated May 20, 2026

pratos/uv-python-execution

pratos/ts-dotenv-override

development

VerifiedTrustedCommunity

Ensures .env files in TypeScript projects override sops-nix shell secrets. Use when setting up env loading, debugging missing/wrong API keys, or configuring dotenv in TS projects.

11SKILL.mdUpdated May 20, 2026

pratos/ts-dotenv-override

pratos/traces

tools

VerifiedTrustedCommunity

Share agent session traces via the traces CLI. Use when the user asks to share/publish/upload a trace. Always use private visibility.

11SKILL.mdUpdated May 20, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/pratos/clanker-setup.git

# Copy into Claude Code skills folder (global)
cp -r clanker-setup/skills/sops-secret-editor ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

pratos/clanker-setup

11 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT