From vanguard-frontier-agentic
Reviews External Secrets Operator (ESO) configurations for security anti-patterns: overbroad ClusterSecretStore, static credentials, refresh interval issues, and push privilege escalation. Helps secure secret management in Kubernetes.
Slash command: /vanguard-frontier-agentic:external-secrets-operator-review
This skill reviews External Secrets Operator configuration for access scope creep, authentication anti-patterns, secret refresh interval compliance, dataFrom blast radius, template misconfiguration, and PushSecret privilege escalation. ESO is a trust bridge between your cluster and your external secret store — a misconfigured ClusterSecretStore or a broad dataFrom.find regex can expose every credential in your vault to every namespace, silently, with no audit trail.
Flag the following findings:

- A ClusterSecretStore that lacks a namespaceSelector or namespaces restriction as HIGH — it grants every namespace in the cluster the ability to reference external secrets through that store.
- dataFrom.find with a regex that matches more than a single defined secret path prefix (e.g., name.regexp: .* or path: /) as HIGH — it pulls all matching secrets from the external store into one K8s Secret, creating an enormous blast radius if the Secret is mounted or leaked.
- SecretStore.spec.provider.*.auth.secretRef (a K8s Secret holding external store credentials) as HIGH — this is a credential-to-access-credentials anti-pattern; prefer IRSA, Azure Workload Identity, GCP Workload Identity, or Vault Kubernetes auth.
- refreshInterval greater than 24 hours on any credential that has an external rotation policy shorter than the interval as MEDIUM — the cluster will use a stale, already-rotated secret until the next sync, breaking the workload.
- target.creationPolicy: Owner without a documented backup or recreation procedure as MEDIUM — accidental deletion of the ExternalSecret deletes the managed K8s Secret, crashing workloads that mount it.
- PushSecret resources with auth scoped to write-all on a store path as HIGH — PushSecret's write path requires elevated permissions; verify the auth scope is minimum-necessary.
- target.template misconfigurations that could silently omit required secret keys — a partial K8s Secret causes workload startup failures or silent use of zero-value credentials.
- refreshInterval disabled entirely (refreshInterval: 0) — that disables automatic rotation pickup.

Load these only when needed:
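The checks above can be run mechanically over parsed manifests. The following is an added example written for this page, not code from the skill or from External Secrets Operator; it takes manifests as Python dicts (the shape a YAML loader produces), and the sample manifests are constructed rather than taken from any real cluster. The severity for `refreshInterval: 0` is an assumption, since the checklist assigns none.

```python
import re

# Duration units accepted in ESO refreshInterval values (Go-style, e.g. "1h", "30m", "48h").
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}

def interval_seconds(value):
    """Parse a Go-style duration; "0" or an empty value yields 0 (rotation pickup disabled)."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([smh])", str(value)))

def review(manifest):
    """Return [(severity, message)] findings for one parsed ESO manifest (a dict)."""
    kind, spec, findings = manifest.get("kind"), manifest.get("spec", {}), []
    if kind == "ClusterSecretStore":
        conditions = spec.get("conditions") or []
        if not any("namespaceSelector" in c or "namespaces" in c for c in conditions):
            findings.append(("HIGH", "ClusterSecretStore has no namespace restriction"))
    if kind in ("SecretStore", "ClusterSecretStore"):
        for name, provider in spec.get("provider", {}).items():
            if "secretRef" in (provider.get("auth") or {}):
                findings.append(("HIGH", f"provider {name} authenticates with a static auth.secretRef"))
    if kind == "ExternalSecret":
        for entry in spec.get("dataFrom", []):
            find = entry.get("find") or {}
            if find.get("path") == "/" or find.get("name", {}).get("regexp") == ".*":
                findings.append(("HIGH", "dataFrom.find matches every secret in the store"))
        if spec.get("target", {}).get("creationPolicy") == "Owner":
            findings.append(("MEDIUM", "creationPolicy Owner: deleting the ExternalSecret deletes the Secret"))
    if kind in ("ExternalSecret", "PushSecret") and "refreshInterval" in spec:
        seconds = interval_seconds(spec["refreshInterval"])
        if seconds == 0:  # severity is an assumption; the checklist gives none for this case
            findings.append(("MEDIUM", "refreshInterval 0 disables automatic rotation pickup"))
        elif seconds > 24 * 3600:
            findings.append(("MEDIUM", "refreshInterval over 24h; confirm it is shorter than the rotation policy"))
    return findings

# Constructed sample manifests (not from a real cluster): a weak store, a hardened store, an overbroad ExternalSecret.
WEAK_STORE = {"kind": "ClusterSecretStore", "spec": {"provider": {"aws": {"service": "SecretsManager",
    "auth": {"secretRef": {"accessKeyIDSecretRef": {"name": "aws-creds", "key": "id"}}}}}}}
HARDENED_STORE = {"kind": "ClusterSecretStore", "spec": {"conditions": [{"namespaces": ["payments"]}],
    "provider": {"aws": {"service": "SecretsManager", "auth": {"jwt": {"serviceAccountRef": {"name": "eso"}}}}}}}
BROAD_SECRET = {"kind": "ExternalSecret", "spec": {"refreshInterval": "48h",
    "target": {"name": "everything", "creationPolicy": "Owner"},
    "dataFrom": [{"find": {"path": "/", "name": {"regexp": ".*"}}}]}}

def review_all(manifests):
    """Flatten findings across manifests, tagging each with the manifest kind."""
    return [(m["kind"], sev, msg) for m in manifests for sev, msg in review(m)]

if __name__ == "__main__":
    for kind, sev, msg in review_all([WEAK_STORE, HARDENED_STORE, BROAD_SECRET]):
        print(f"{sev:6} {kind}: {msg}")
```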
Return, at minimum:
npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic

Manages Kubernetes secrets with SealedSecrets for GitOps, External Secrets Operator for cloud secret stores, encryption at rest, RBAC, and rotation.
Audits how secrets, credentials, and certificates are stored, rotated, and accessed. Detects hardcoded secrets and guides migration to centralized secret managers like Vault or AWS Secrets Manager.
Reviews FluxCD Kustomization, HelmRelease, and GitRepository resources for production safety, SOPS encryption, prune safety, commit verification, and least-privilege ServiceAccounts.