From claude-secrets
REQUIRED: Use run_command instead of Bash for ANY command that creates, outputs, or uses secrets/credentials/tokens/API keys/passwords. Prevents secrets from being exposed in chat history.
Triggered by the slash command `/claude-secrets:secrets`.

Summary shown in Claude's skill listing (used to decide when to auto-load this skill):

**CRITICAL**: You MUST use `run_command` instead of Bash for ANY command involving secrets.
Use run_command if the command involves any of the following:
| Category | Commands |
|---|---|
| AWS | create-access-key, get-session-token, assume-role, get-secret-value |
| GitHub | gh auth token, gh auth login, creating PATs |
| Docker | docker login, registry credentials |
| Databases | Connection strings, psql, mysql with credentials |
| APIs | Any curl/http request with API keys or tokens |
| SSH/TLS | Key generation, certificate creation |
| CI/CD | Pipeline tokens, deploy keys |
| Any service | Account creation, password resets, token generation |
Using Bash exposes secrets in the chat history, where they stay readable long after the command has finished.

Using run_command keeps the values out of the chat: secrets are injected from placeholders, protected in the command output, and credentials captured from output are stored under {{SECRET_NAME}} placeholders for future use.

You have access to these tools from the secrets MCP server:
`list_secrets`: Discover available secrets before running commands. Always check this first.

```json
{"tag": "aws"}   // Optional: filter by tag
```

Returns secret names with descriptions; use the descriptions to understand what each secret is for.
`run_command`: Execute CLI commands with secret injection and output protection.

Secret Injection: Use {{SECRET_NAME}} placeholders:

```json
{
  "command": "aws s3 ls --profile {{AWS_PROFILE}}"
}
```
Secret Capture: Extract credentials from command output:

```json
{
  "command": "aws sts get-session-token",
  "capture": [
    {
      "path": "$.Credentials.AccessKeyId",
      "name": "AWS_SESSION_KEY_ID",
      "description": "Temporary AWS access key from STS. Use with AWS_SESSION_SECRET and AWS_SESSION_TOKEN for temporary access.",
      "expires_at": "2024-01-24T18:00:00Z"
    },
    {
      "path": "$.Credentials.SecretAccessKey",
      "name": "AWS_SESSION_SECRET",
      "description": "Temporary AWS secret key from STS. Must be used together with AWS_SESSION_KEY_ID and AWS_SESSION_TOKEN.",
      "expires_at": "2024-01-24T18:00:00Z"
    }
  ]
}
```

Each `path` is a JSONPath into the command's JSON output. The descriptions above refer to AWS_SESSION_TOKEN, so a real call should also capture `$.Credentials.SessionToken`; a field you do not capture is not stored under any name you can reference later. Set `expires_at` to the credential's actual expiry (STS returns it as `$.Credentials.Expiration`) rather than a guessed time.
`request_secret`: Ask the user to provide a missing secret. Use when list_secrets doesn't have what you need.

```json
{
  "name": "GITHUB_TOKEN",
  "description": "Personal access token for GitHub API. Needs 'repo' and 'workflow' scopes for this task."
}
```
The user will see a native dialog prompting them to enter the value.
`get_permissions`: Check which secrets you have permission to use in this session.
ALWAYS call list_secrets FIRST before any other action involving secrets. The workflow is:

1. Call list_secrets to see what secrets already exist.
2. If the secret exists, reference it with a {{SECRET_NAME}} placeholder in run_command (use the EXACT name from list_secrets).
3. If it does not exist, call request_secret, then call list_secrets again to get the exact name.
4. If a command produces new credentials, use capture to store them for future use.

NEVER call request_secret without first calling list_secrets - the secret may already exist with a slightly different name.
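To make the tool semantics concrete, here is an added Python model of the list_secrets / run_command / capture cycle described above. It is illustration code written for this page, not the claude-secrets plugin's implementation: the SecretStore class, jsonpath_get, the fake runner and the STS-shaped output are all assumptions or constructed data. It also shows one failure mode worth knowing about when you write capture specs: in this model a field you do not capture (here SessionToken) is not redacted from the output the model sees.

```python
"""Toy model of the secrets-MCP workflow (illustration only, not the plugin's code).
All secret values below are constructed dummies."""
import json
import re
import subprocess

PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_]+)\}\}")


class SecretStore:
    """Stands in for the secrets MCP server: holds name -> value, exposes only names/descriptions."""

    def __init__(self):
        self._secrets = {}
        self.audit = []  # one entry per run_command, in the spirit of an audit log

    def add(self, name, value, description, tags=()):
        self._secrets[name] = {"value": value, "description": description, "tags": set(tags)}

    def list_secrets(self, tag=None):
        """What the model is allowed to see: names and descriptions, never values."""
        return {n: s["description"] for n, s in self._secrets.items()
                if tag is None or tag in s["tags"]}

    def inject(self, command):
        """Replace {{NAME}} with the stored value. An unknown name aborts before anything
        runs, so a misspelled placeholder never reaches the shell as literal text."""
        def sub(match):
            name = match.group(1)
            if name not in self._secrets:
                raise KeyError(f"unknown secret {name!r}: call list_secrets and use the exact name")
            return self._secrets[name]["value"]
        return PLACEHOLDER.sub(sub, command)

    def redact(self, text):
        """Output protection: replace every known secret value with its placeholder.
        Longest values first, so a short secret that is a substring of a longer one
        cannot leave fragments of the longer one behind."""
        for name, s in sorted(self._secrets.items(), key=lambda kv: -len(kv[1]["value"])):
            if s["value"]:
                text = text.replace(s["value"], "{{" + name + "}}")
        return text


def jsonpath_get(obj, path):
    """Minimal JSONPath for capture specs: '$.Credentials.AccessKeyId' or '$.items[0].token'."""
    if not path.startswith("$"):
        raise ValueError("capture path must start with '$'")
    for key, idx in re.findall(r"\.([A-Za-z0-9_]+)|\[(\d+)\]", path[1:]):
        obj = obj[key] if key else obj[int(idx)]
    return obj


def shell_runner(command):
    """Default runner: hand the injected command line to the shell and return its stdout."""
    return subprocess.run(command, shell=True, capture_output=True, text=True, check=True).stdout


def run_command(store, command, capture=(), runner=shell_runner):
    """Inject placeholders, run, store captured fields as new secrets, return redacted output.
    The audit entry keeps the command *with* placeholders, never the injected values."""
    raw = runner(store.inject(command))
    captured = []
    if capture:
        data = json.loads(raw)
        for spec in capture:
            value = str(jsonpath_get(data, spec["path"]))
            store.add(spec["name"], value, spec["description"], spec.get("tags", ()))
            captured.append(spec["name"])
    store.audit.append({"command": command, "captured": captured})
    return store.redact(raw)


# Constructed stand-in for `aws sts get-session-token` output (not real credentials).
FAKE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "exampleSecretAccessKey/NotReal000000",
    "SessionToken": "exampleSessionTokenNotReal"}})


def demo():
    """Walk the list -> inject -> capture -> redact cycle offline with a fake runner."""
    store = SecretStore()
    store.add("AWS_PROFILE", "hh-root", "AWS CLI profile allowed to call STS", tags=("aws",))

    def fake_runner(cmd):  # stands in for the shell so the demo needs no AWS account
        return FAKE_STS_OUTPUT if "get-session-token" in cmd else cmd

    print(store.list_secrets(tag="aws"))  # step 1: discover before using or requesting
    print(run_command(store, "aws s3 ls --profile {{AWS_PROFILE}}", runner=fake_runner))
    out = run_command(
        store, "aws sts get-session-token --profile {{AWS_PROFILE}}", runner=fake_runner,
        capture=[{"path": "$.Credentials.AccessKeyId", "name": "AWS_SESSION_KEY_ID",
                  "description": "Temporary AWS access key from STS; pair with AWS_SESSION_SECRET."},
                 {"path": "$.Credentials.SecretAccessKey", "name": "AWS_SESSION_SECRET",
                  "description": "Temporary AWS secret key from STS; pair with AWS_SESSION_KEY_ID."}])
    print(out)  # key and secret now show as placeholders; the uncaptured SessionToken still leaks
    return store, out


if __name__ == "__main__":
    demo()
```

The design choice to notice is that redaction is driven by the store: the tool can only hide values it knows about, which is why the capture list should cover every sensitive field in the output, not just the ones the next command needs.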
When using request_secret or capture, write descriptions that help future AI assistants:
Good example:
"AWS session secret key from STS get-session-token. Temporary credential valid for 12 hours. Must be used together with AWS_SESSION_KEY_ID and AWS_SESSION_TOKEN. Generated from the hh-root profile."
Bad example:
"AWS key"
IMPORTANT: Use portable shell commands to avoid cross-platform issues.

| Don't Use | Use Instead | Why |
|---|---|---|
| `echo -e "line1\nline2"` | `printf 'line1\nline2\n'` | `echo -e` is not portable (macOS `/bin/sh` and other POSIX-mode shells print `-e` literally) |
| `echo -n "no newline"` | `printf 'no newline'` | `echo -n` also has portability issues (some shells print `-n` literally) |
For multi-line content, use heredocs:

```shell
cat >> ~/.aws/credentials << 'EOF'
[profile-name]
aws_access_key_id = {{KEY_ID}}
aws_secret_access_key = {{SECRET}}
EOF
```

Quote the delimiter (`'EOF'`) so the shell does not expand `$` or backticks that may appear inside the injected values. Note that `>>` appends, so running this twice leaves a duplicate profile, and the file now holds the credentials in plaintext: keep it readable only by you (`chmod 600 ~/.aws/credentials`).
Audit log: `~/.claude-secrets/audit.log`

Install:

```shell
npx claudepluginhub henghonglee/claude-secrets --plugin claude-secrets
```