Secret's Safe
PassAudited by ClawScan on May 10, 2026.
Overview
This is an instruction-only security guidance skill for handling secrets; its sensitive examples are disclosed and purpose-aligned, with no evidence of hidden code, exfiltration, or destructive behavior.
This skill appears safe as credential-handling guidance. Before installing, understand that it teaches agents how to work around secrets safely; continue to keep real keys out of chat, verify any shell/API examples before reuse, and configure credentials only for the specific services you intend to use.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may provide guidance for using API keys or local secrets, so users should ensure only intended credentials are configured for the target skill or service.
The skill is designed for credential-related tasks, so enabling it may affect how an agent uses configured secrets. This is disclosed and aligned with the stated purpose.
Use this skill whenever a task requires authenticating with an external service, reading or writing API keys, tokens, passwords, or credentials of any kind.
Use the skill for credential-safety guidance, but keep secrets in environment injection or a secrets manager and do not paste secrets into chat.
If adapted carelessly, these examples could send credentials to the wrong service or expose them through local command handling.
The skill includes shell and API-call examples for passing credentials to external services. These are purpose-aligned examples, but shell/API patterns should remain scoped to known endpoints.
MY_SERVICE_API_KEY="$MY_SERVICE_API_KEY" curl -s \ -H "Authorization: Bearer $MY_SERVICE_API_KEY" \ https://api.myservice.com/v1/data
Review endpoints and commands before using them, and prefer provider-specific SDKs or scoped CLIs when available.