Securely store, manage, rotate, and integrate secrets (API keys, passwords, certificates) in CI/CD pipelines using Vault, AWS Secrets Manager, and native tools.
Security Analysis
high confidenceThe SKILL.md content matches a secrets-management purpose, but the package metadata omits the many credentials, environment variables, and tooling the instructions rely on and includes some risky examples (e.g., running Vault dev with a root token), so the bundle is internally inconsistent and requires caution.
The skill's name and description (Vault, AWS Secrets Manager, CI/CD integration) align with the instructions and snippets in SKILL.md. However, the declared metadata lists no required environment variables or binaries even though the instructions repeatedly reference Vault, AWS CLI, GitHub/GitLab CI secrets, kubectl/ExternalSecrets, Terraform, docker, jq, and other tools. The tool choices are appropriate for the stated purpose, but the metadata omission is a mismatch.
The runtime instructions explicitly reference and expect secret-bearing environment variables and credentials (e.g., VAULT_TOKEN, VAULT_ADDR, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, $GITHUB_ENV, GitHub/GitLab secrets). The SKILL.md also shows commands that read/write secrets (vault kv put/get, aws secretsmanager get-secret-value, echoing secrets into $GITHUB_ENV, using add-mask), and runs containers (trufflehog) and CLIs (vault, aws, docker, jq). The metadata does not declare these dependencies, and the instructions include risky examples such as starting Vault in dev mode with a root token, which is insecure if copied to production.
This is an instruction-only skill with no install spec, so nothing is written to disk by the skill itself. That lowers installation risk, but the guidance presumes availability of many external binaries/containers (vault, aws-cli, kubectl, terraform, docker, trufflesecurity/trufflehog image) without declaring them. Consumers must provision those tools separately; the omission is a documentation/metadata gap.
Although the skill is about secrets, the declared registry metadata lists no required environment variables or primary credential. SKILL.md requires/uses multiple sensitive variables (VAULT_TOKEN, VAULT_ADDR, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, $VAULT_TOKEN in CI, etc.). The skill should have declared these expected env vars in metadata and explained least-privilege requirements. As-is, there's a mismatch between the sensitivity of what's used and what the package declares.
The skill does not request always:true and does not include install hooks or code that would persist in the agent. It is user-invocable and permits model invocation (the platform default), which is appropriate for this kind of guidance-only skill.
Guidance
This skill's instructions are broadly consistent with a secrets-management guide, but the registry metadata is incomplete. Before installing or following the examples: (1) treat the SKILL.md examples as templates only — do not copy dev-mode Vault with a root token into production; (2) expect to need tools and credentials not listed in metadata (vault, aws-cli, docker, jq, kubectl, terraform, and CI provider secrets like VAULT_TOKEN, AWS_ACCESS_KEY_ID/SECRET); (3) ensure any credentials you supply use least-privilege IAM roles or short-lived tokens and never paste real secrets into examples; (4) verify the skill's publisher/source (homepage is missing) and prefer packages that explicitly declare required env vars and binaries; (5) if you need to trust this skill for automation, ask the author to update metadata to list required env vars/binaries and to replace insecure examples (vault -dev with root token) with safe, production-oriented instructions.
Latest Release
v1.0.0
Initial release: Vault, AWS Secrets Manager, K8s External Secrets, rotation patterns
More by @brandonwise
Published by @brandonwise on ClawHub
