Marketplace

henghonglee-claude-secrets

Secure secrets management for Claude Code - inject secrets into CLI commands with user approval

npx claudepluginhub henghonglee/claude-secrets

README

View full README on GitHub

1 Plugin

claude-secrets

0·

Secure secrets management for CLI commands. Inject secrets, capture credentials from output, and manage permissions.

4mo

v1.1.0

henghonglee

Stats

Plugins1

UpdatedFeb 17, 2026

Links

View on GitHub View Marketplace JSON

Claude Secrets

A secure secrets management plugin for Claude Code and MCP clients. Enables AI assistants to safely handle credentials with user approval, automatic redaction, and secret capture from command output.

Features

Secret Injection - Use {{SECRET_NAME}} placeholders in commands to inject secrets
Session-Based Permissions - User approves secret access per-session with time-based expiry
Output Redaction - Automatically redacts known secrets and common patterns from output
Secret Capture - Extract secrets from command output (e.g., AWS session tokens) and store for future use
LLM-Friendly Metadata - Descriptions help future LLMs discover and use the right secrets
macOS Menu Bar App - Native notifications and dialogs for secret requests
Encrypted Vault - Secrets stored with Fernet encryption

Installation

One-Line Install (Recommended)

curl -sSL https://raw.githubusercontent.com/henghonglee/claude-secrets/main/install.sh | bash

This automatically:

Installs the package via pipx
Creates the encrypted vault
Installs the Claude Code plugin
Starts the menu bar app
Enables auto-start on login

Manual Installation

pipx install git+https://github.com/henghonglee/claude-secrets.git
ccs init

From Source

git clone https://github.com/henghonglee/claude-secrets.git
cd claude-secrets
pip install -e .
ccs init

Quick Start

# Initialize vault + start menubar + enable auto-start on login
ccs init

# Add a secret with description (helps LLMs understand what it's for)
ccs add AWS_ACCESS_KEY

# Check status
ccs status

The init command automatically:

Creates the encrypted vault
Installs the Claude Code plugin (via marketplace)
Starts the menu bar app
Enables auto-start on login (macOS)

Plugin-Only Install (if claude-secrets is already installed)

claude plugin marketplace add henghonglee/claude-secrets
claude plugin install claude-secrets@henghonglee-claude-secrets

Claude Code Commands

When installed as a plugin:

Command	Description
`/claude-secrets:list`	List all available secrets
`/claude-secrets:add [NAME]`	Add a new secret
`/claude-secrets:run <command>`	Run a command with secret injection

MCP Configuration (Non-Plugin)

For Claude Desktop or other MCP clients, add to your configuration:

{
  "mcpServers": {
    "secrets": {
      "command": "ccs",
      "args": ["serve"]
    }
  }
}

MCP Tools

`run_command`

Execute a CLI command with secret injection and output redaction.

{
  "command": "aws s3 ls --profile {{AWS_PROFILE}}",
  "timeout": 60,
  "capture": [
    {
      "path": "$.Credentials.SecretAccessKey",
      "name": "AWS_SESSION_SECRET",
      "description": "Temporary AWS secret key from STS. Use with AWS_SESSION_KEY_ID and AWS_SESSION_TOKEN.",
      "expires_at": "2024-01-24T12:00:00Z"
    }
  ]
}

Parameters:

command - Command with {{SECRET_NAME}} placeholders
timeout - Timeout in seconds (default: 60)
capture - Extract secrets from JSON output:
- path - JSONPath expression (e.g., $.Credentials.SecretAccessKey)
- name - Name for the captured secret
- description - LLM-friendly description
- expires_at - ISO 8601 expiration timestamp
redact_patterns - Additional regex patterns to redact
skip_builtin_patterns - Skip built-in redaction patterns

`list_secrets`

List available secrets with their descriptions.

{
  "tag": "aws"
}

Returns:

{
  "secrets": [
    {
      "name": "AWS_ACCESS_KEY",
      "description": "AWS access key for production account",
      "expires_at": null
    }
  ]
}

`request_secret`

Request the user to add a missing secret via the menu bar app.

{
  "name": "GITHUB_TOKEN",
  "description": "Personal access token for GitHub API. Needs repo and workflow scopes."
}

The menu bar app will show a native macOS dialog prompting the user to enter the secret value.

`get_permissions`

Get current session permission status for secrets.

How It Works

Client LLM calls list_secrets to discover available secrets
LLM constructs command with {{SECRET_NAME}} placeholders
User approves secret access when prompted (cached for session)
Server injects secrets and executes command
Output is redacted before returning to LLM
Captured secrets are stored with LLM-provided descriptions for future use

Menu Bar App (macOS)

The menu bar app provides:

Server status indicator
List of stored secrets with expiry times
Native dialogs for secret requests
Notifications when secrets are captured or expiring

Start with:

claude-secrets-menubar

henghonglee-claude-secrets

README

1 Plugin

claude-secrets

henghonglee-claude-secrets

README

Claude Secrets

Features

Installation

One-Line Install (Recommended)

Manual Installation

From Source

Quick Start

Plugin-Only Install (if claude-secrets is already installed)

Claude Code Commands

MCP Configuration (Non-Plugin)

MCP Tools

run_command

list_secrets

request_secret

get_permissions

How It Works

Menu Bar App (macOS)

Security Model

1 Plugin

claude-secrets

Related Marketplaces

ecc

antigravity-awesome-skills

claude-code-workflows

Claude Secrets

Features

Installation

One-Line Install (Recommended)

Manual Installation

From Source

Quick Start

Plugin-Only Install (if claude-secrets is already installed)

Claude Code Commands

MCP Configuration (Non-Plugin)

MCP Tools

run_command

list_secrets

request_secret

get_permissions

How It Works

Menu Bar App (macOS)

Security Model

Related Marketplaces

ecc

antigravity-awesome-skills

claude-code-workflows

`run_command`

`list_secrets`

`request_secret`

`get_permissions`

`run_command`

`list_secrets`

`request_secret`

`get_permissions`