ryoppippi/nix-github-rate-limit
agents/skills/nix-github-rate-limit/SKILL.md
Prevents and handles GitHub API rate limits during Nix commands. Use when running nix flake, nix run, nix build, nix shell, or comma against GitHub-backed inputs.
$ install --global
skillsauthnpx skillsauth add ryoppippi/dotfiles nix-github-rate-limitInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 6:37 AM289.1s1 file scanned
SKILL.md
- name:
- nix-github-rate-limit
- description:
- Prevents and handles GitHub API rate limits during Nix commands. Use when running nix flake, nix run, nix build, nix shell, or comma against GitHub-backed inputs.
Nix GitHub Rate Limit
Use this skill before running Nix commands that may fetch GitHub-backed flakes or packages, especially nix flake update, nix run github:..., nix run nixpkgs#..., nix build, nix shell, and comma.
Default Approach
Prefer ephemeral token injection from GitHub CLI. Do not write GitHub tokens to nix.conf, repository files, skill files, shell config, or command arguments.
Use command substitution inside NIX_CONFIG for a single command when gh is already authenticated. Shell history records the literal command substitution, not the expanded token:
env NIX_CONFIG="access-tokens = github.com=$(gh auth token)" nix flake update
If ghtkn is configured and a short-lived GitHub App user token is preferred:
env NIX_CONFIG="access-tokens = github.com=$(ghtkn get)" nix flake update
If GITHUB_TOKEN is already present in the environment, bridge it into Nix's documented access-tokens setting without exposing the token value in the command text:
env NIX_CONFIG="access-tokens = github.com=$GITHUB_TOKEN" nix flake update
Do not create GITHUB_TOKEN by pasting a raw token into the terminal or an agent tool call.
For this dotfiles repo:
env NIX_CONFIG="access-tokens = github.com=$(gh auth token)" nix run .#build
env NIX_CONFIG="access-tokens = github.com=$(gh auth token)" nix run .#switch
env NIX_CONFIG="access-tokens = github.com=$(gh auth token)" nix run .#update
For missing tool execution:
env NIX_CONFIG="access-tokens = github.com=$(gh auth token)" nix run nixpkgs#<package> -- <args>
env NIX_CONFIG="access-tokens = github.com=$(gh auth token)" nix shell nixpkgs#<package> --command <command>
Workflow
-
If the command is a Nix command that may touch GitHub, check whether
ghis available and authenticated:command -q gh; and gh auth status -
If
GITHUB_TOKENis already set, run the Nix command withNIX_CONFIG="access-tokens = github.com=$GITHUB_TOKEN". -
If
ghis authenticated, run the Nix command withNIX_CONFIG="access-tokens = github.com=$(gh auth token)". -
If
ghtknis configured and the user prefers short-lived GitHub App tokens, useNIX_CONFIG="access-tokens = github.com=$(ghtkn get)". -
If no safe token source is available, run the command normally unless the user explicitly wants to authenticate first.
-
If a GitHub API rate limit error appears, retry once with the safest available
NIX_CONFIGwrapper.
History Safety
- Follow the global command privacy rule: command text, shell history, process lists, terminal output, tool invocation logs, and coding-agent transcripts must not contain raw tokens.
- Prefer inline command substitution such as
$(gh auth token)or$(ghtkn get)inside the command the user runs. - It is also acceptable to reference an existing environment variable by name, such as
$GITHUB_TOKEN; do not assign the raw value in the command. - Do not paste a raw token into the terminal, even temporarily.
- Do not run commands like
env NIX_CONFIG="access-tokens = github.com=ghp_..." .... - Do not place raw tokens in agent tool calls, command logs, or explanatory messages.
- Do not store a token in fish universal variables, exported shell variables, direnv files, or shell history cleanup scripts.
- If a raw token was accidentally pasted, tell the user to rotate or revoke it. Deleting shell history is not enough.
Avoid
- Do not use
--access-tokens "github.com=$(gh auth token)"because command arguments can be exposed via process listings. - Do not store PATs in
~/.config/nix/nix.conf,/etc/nix/nix.conf, repository files, or dotfiles by default. - Do not suggest broad PAT scopes. Public GitHub fetches should not need additional repository permissions.
- Do not print tokens, echo tokens, or include them in logs, summaries, commits, PR descriptions, or issue comments.
Notes
- Unauthenticated GitHub REST API requests are rate limited much more aggressively than authenticated requests.
NIX_CONFIGkeeps the token out of the command arguments, but environment variables can still be visible to sufficiently privileged local processes. Prefer it only for short-lived commands.- If
GITHUB_TOKENis already provided by CI or a controlled environment, Nix may use it, but do not create or persist it just for local interactive use.
Related Skills
ryoppippi/missing-tools
tools
VerifiedTrustedCommunity
Resolves missing CLI tools. Use when a command is unavailable, a shell reports command not found, or a tool must be run without installing it globally.
238SKILL.mdUpdated May 18, 2026
ryoppippi/tdd
development
VerifiedTrustedCommunity
Guides t-wada Red-Green-Refactor TDD. Use when implementing features, fixing bugs, or refactoring logic with strict test-first development.
238SKILL.mdUpdated Apr 15, 2026
ryoppippi/skill-creator
documentation
VerifiedTrustedCommunity
Guides agent-skill creation and updates following Anthropic's SKILL.md best practices. Use when adding or editing skills under `agents/skills/`, writing SKILL.md frontmatter, references, or skill routing.
237SKILL.mdUpdated May 18, 2026
ryoppippi/react-server-components
tools
VerifiedTrustedCommunity
Reviews React Server/Client Component boundaries against Next.js and React docs. Use when auditing `'use client'` placement or splitting components for proper RSC behaviour.
237SKILL.mdUpdated Apr 15, 2026