{"skill":{"slug":"api-credentials-hygiene","displayName":"API credentials hygiene","summary":"Audits and hardens API credential handling (env vars, separation, rotation plan, least privilege, auditability). Use when integrating services or preparing production deployments where secrets must be managed safely.","description":"---\nname: api-credentials-hygiene\ndescription: Audits and hardens API credential handling (env vars, separation, rotation plan, least privilege, auditability). Use when integrating services or preparing production deployments where secrets must be managed safely.\n---\n\n# API credentials hygiene: env vars, rotation, least privilege, auditability\n\n## PURPOSE\nAudits and hardens API credential handling (env vars, separation, rotation plan, least privilege, auditability).\n\n## WHEN TO USE\n- TRIGGERS:\n  - Harden the credentials setup for this integration and move secrets into env vars.\n  - Design a key rotation plan for these APIs with minimal downtime.\n  - Audit this service for least-privilege access and document what each key can do.\n  - Create an environment variable map and a secure .env template for this project.\n  - Set up credential separation for dev versus prod with clear audit trails.\n- DO NOT USE WHEN…\n  - You want to obtain keys without authorization or bypass security controls.\n  - You need legal/compliance sign-off (this outputs technical documentation, not legal advice).\n\n## INPUTS\n- REQUIRED:\n  - List of integrations/APIs and where credentials are currently stored/used.\n  - Deployment context (local dev, server, container, n8n, etc.).\n- OPTIONAL:\n  - Current config files/redacted snippets (.env, compose, systemd, n8n creds list).\n  - Org rules (rotation intervals, secret manager preference).\n- EXAMPLES:\n  - “Keys are hard-coded in a Node script and an n8n HTTP Request node.”\n  - “We have dev and prod n8n instances and need separation.”\n\n## OUTPUTS\n- Credential map (service → env vars → scopes/permissions → owner → rotation cadence).\n- Rotation runbook (steps + rollback).\n- Least-privilege checklist and audit log plan.\n- Optional: `.env` template (placeholders only).\nSuccess = no secrets committed or embedded, permissions minimized, rotation steps documented, and auditability defined.\n\n\n## WORKFLOW\n1. Inventory credentials:\n   - where stored, where used, and who owns them.\n2. Define separation:\n   - dev vs prod; human vs service accounts; per-integration boundaries.\n3. Move secrets to env vars / secret manager references:\n   - create an env var map and update config plan (no raw keys in code/workflows).\n4. Least privilege:\n   - for each API, enumerate required actions and reduce scopes/roles accordingly.\n5. Rotation plan:\n   - dual-key overlap if supported; steps to rotate with minimal downtime; rollback.\n6. Auditability:\n   - define what events are logged (auth failures, token refresh, key use where available).\n7. STOP AND ASK THE USER if:\n   - required operations are unknown,\n   - secret injection method is unclear,\n   - rotation cadence/owners are unspecified.\n\n\n## OUTPUT FORMAT\nCredential map template:\n\n```text\nCREDENTIAL MAP\n- Integration: <name>\n  - Env vars:\n    - <VAR_NAME>: <purpose> (secret/non-secret)\n  - Permissions/scopes: <list>\n  - Used by: <service/workflow>\n  - Storage: <secret manager/env var>\n  - Rotation: <cadence> | <owner> | <procedure>\n  - Audit: <what is logged and where>\n```\n\nIf providing a template, output `assets/dotenv-template.example` with placeholders only.\n\n\n## SAFETY & EDGE CASES\n- Never output real secrets, tokens, or private keys. Use placeholders.\n- Read-only by default; propose changes as a plan unless explicitly asked to modify files.\n- Avoid over-broad scopes/roles unless justified by a documented requirement.\n\n\n## EXAMPLES\n- Input: “n8n HTTP nodes contain API keys.”  \n  Output: Env var map + plan to move to n8n credentials/env vars + rotation runbook.\n\n- Input: “Need dev vs prod separation.”  \n  Output: Two env maps + naming scheme + access boundary checklist.\n\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":3079,"installsAllTime":116,"installsCurrent":7,"stars":2,"versions":1},"createdAt":1768663701906,"updatedAt":1778485733200},"latestVersion":{"version":"1.0.0","createdAt":1768663701906,"changelog":"Initial release of the api-credentials-hygiene skill:\n\n- Audits and hardens API credential management covering environment variables, separation, rotation planning, and least-privilege principles.\n- Provides credential mapping, rotation runbooks, least-privilege checklists, and optional `.env` templates with placeholders.\n- Designed for integration and deployment scenarios to improve secret handling and auditability.\n- Outputs technical documentation only; does not handle actual secrets or offer legal/compliance advice.\n- Promotes secure workflows by preventing embedded secrets, minimizing permissions, and documenting access and rotation procedures.","license":null},"metadata":null,"owner":{"handle":"kowl64","userId":"s173svt85h7w25jh0sc5g59ds1885fgy","displayName":"KOwl64","image":"https://avatars.githubusercontent.com/u/59417033?v=4"},"moderation":null}