MetaClaw secrets-management
Use this skill when handling API keys, passwords, tokens, private keys, or any sensitive credential. Never hardcode secrets in source code — apply this whenever the word "key", "token", "password", or "secret" appears in the task.
install
source · Clone the upstream repo
git clone https://github.com/aiming-lab/MetaClaw
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiming-lab/MetaClaw "$T" && mkdir -p ~/.claude/skills && cp -r "$T/memory_data/skills/secrets-management" ~/.claude/skills/aiming-lab-metaclaw-secrets-management && rm -rf "$T"
manifest:
memory_data/skills/secrets-management/SKILL.md
source content
Secrets Management
Rules:
- Never hardcode secrets in source files, configs committed to git, or logs.
- Use environment variables for local development (python-dotenv).
- Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password CLI) in production.
- Add .env and *.pem to .gitignore before the first commit.
- Rotate secrets immediately if they are exposed (leaked in a commit, log, or error message).
Scanning: Use ggshield, truffleHog, or git-secrets in CI to block secret commits.
Anti-patterns:
- os.environ.get('KEY', 'hardcoded_default') in production code.
- Logging full request/response bodies that may contain tokens.
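The two anti-patterns above, handled in Python as an added example (not part of the MetaClaw skill): require_secret fails closed instead of falling back to a built-in default, and RedactingFilter masks credentials before a log record reaches a handler. The function and class names, the [REDACTED] marker and the list of sensitive key names are assumptions of this example.

```python
import logging
import os
import re


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def require_secret(name, environ=None):
    """Return the secret, or fail closed. There is no default value on purpose."""
    env = os.environ if environ is None else environ
    value = env.get(name, "").strip()
    if not value:
        # Name the variable in the error, never a value.
        raise MissingSecretError(f"required secret {name} is not set")
    return value


# Key names treated as sensitive (assumed list; extend for your services).
_SENSITIVE = r"(?:api[_-]?key|token|password|secret)"
_PATTERNS = [
    # Authorization header style: "Bearer <value>"
    (re.compile(r"(\bbearer\s+)[A-Za-z0-9._~+/=-]+", re.IGNORECASE),
     r"\1[REDACTED]"),
    # JSON, query-string and key=value styles: "api_key": "v", token=v
    (re.compile(r"(\b[\w-]*" + _SENSITIVE + r"[\w-]*[\"']?\s*[:=]\s*[\"']?)"
                r"[^\"'\s,&}]+", re.IGNORECASE),
     r"\1[REDACTED]"),
]


def redact(text):
    """Mask credential values while keeping the key names for debugging."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Redact the fully formatted message so %-style args are covered too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # already merged into msg above
        return True
```

Attach the filter to each handler rather than to a single logger, so records from child loggers pass through it as well.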