Audits and hardens API credential handling (env vars, separation, rotation plan, least privilege, auditability). Use when integrating services or preparing production deployments where secrets must be managed safely.
Security Analysis
High confidence: The skill's stated purpose (auditing/hardening API credential handling) matches its instructions and requirements; it's an instruction-only skill that asks for documentation and templates but does not request credentials or install code.
Name, description, inputs, and outputs are consistent: the SKILL.md asks for lists of integrations/config snippets and produces credential maps, rotation runbooks, and templates — all coherent with an 'API credentials hygiene' auditor.
Instructions stay within the claimed scope: inventory credentials, propose env var mappings, rotation plans, and audit logs. It accepts optional config snippets and explicitly warns not to output real secrets and to be read-only by default. There are no instructions to read arbitrary system paths or send data to external endpoints.
No install spec and no code files: the skill is instruction-only. This minimizes disk and execution risk (the lowest-risk category).
The skill does not request any environment variables or credentials in its metadata. However, many of its recommended actions (moving secrets to a secret manager, updating deployment configs) could require credentials or elevated access if the user asks the agent to perform those changes. The skill itself does not ask for those secrets; exercise caution if you provide secret-manager or API credentials to the agent later.
The `always` flag is false and the skill is user-invocable. It does not request persistent presence or permission to modify other skills or system-wide settings.
Guidance
This skill appears coherent and low-risk as distributed: it only provides auditing guidance and templates and does not request credentials or install software. Before using it, do not paste real secrets — provide redacted or placeholder config snippets. If you ask the agent to apply changes (e.g., update deployment files or call your secret manager), do not hand over secret-manager/API keys unless you trust the agent runtime and have scoped credentials (least privilege, short-lived tokens). Prefer manual review/approval of any runbook or file modifications, and ensure outputs contain placeholders (as the skill requires) rather than real tokens. If you need legal/compliance sign-off, obtain that outside this tool — the skill explicitly says it is technical guidance only.
Latest Release
v1.0.0
Initial release of the api-credentials-hygiene skill:
- Audits and hardens API credential management covering environment variables, separation, rotation planning, and least-privilege principles.
- Provides credential mapping, rotation runbooks, least-privilege checklists, and optional `.env` templates with placeholders.
- Designed for integration and deployment scenarios to improve secret handling and auditability.
- Outputs technical documentation only; does not handle actual secrets or offer legal/compliance advice.
- Promotes secure workflows by preventing embedded secrets, minimizing permissions, and documenting access and rotation procedures.
Published by @KOwl64 on ClawHub