Keychains.dev

Pass

Audited by ClawScan on Feb 19, 2026.

Overview

The skill's declared purpose (a CLI/SDK that proxies and injects credentials server-side) aligns with its install and runtime instructions, but it requires trusting an external npm package and a third‑party service to hold and use your secrets.

This skill is internally consistent with its stated purpose, but you need to trust two things before installing: (1) the npm package you'll install (keychains@latest) — installing unpinned packages can introduce supply-chain risk; (2) the keychains.dev service that will store and inject your provider credentials. Before installing, review the npm package/maintainer, view the linked GitHub repo and security whitepaper, consider pinning to a specific package version, and avoid using Keychains for keys you absolutely cannot entrust to a third party. Also don't include other local secrets in proxied request bodies/headers, and prefer approving only the minimal scopes required in the dashboard. Finally, note that this skill package contained no code to scan locally, so the runtime code executed comes from the external npm registry and was not part of this review.