OpenSkillIndex← back to search
claude-code

Skillshub env-secrets-manager

Env & Secrets Manager

install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/alirezarezvani/claude-skills/env-secrets-manager" ~/.claude/skills/comeonoliver-skillshub-env-secrets-manager && rm -rf "$T"
manifest: skills/alirezarezvani/claude-skills/env-secrets-manager/SKILL.md
source content

Env & Secrets Manager

Tier: POWERFUL Category: Engineering Domain: Security / DevOps / Configuration Management

Overview

Manage environment-variable hygiene and secrets safety across local development and production workflows. This skill focuses on practical auditing, drift awareness, and rotation readiness.

Core Capabilities

  • .env
    and 
    .env.example
    lifecycle guidance
  • Secret leak detection for repository working trees
  • Severity-based findings for likely credentials
  • Operational pointers for rotation and containment
  • Integration-ready outputs for CI checks

When to Use

  • Before pushing commits that touched env/config files
  • During security audits and incident triage
  • When onboarding contributors who need safe env conventions
  • When validating that no obvious secrets are hardcoded

Quick Start

# Scan a repository for likely secret leaks
python3 scripts/env_auditor.py /path/to/repo

# JSON output for CI pipelines
python3 scripts/env_auditor.py /path/to/repo --json

Recommended Workflow

  1. Run 
    scripts/env_auditor.py
    on the repository root.
  2. Prioritize 
    critical
    and 
    high
    findings first.
  3. Rotate real credentials and remove exposed values.
  4. Update 
    .env.example
    and 
    .gitignore
    as needed.
  5. Add or tighten pre-commit/CI secret scanning gates.

Reference Docs

  • references/validation-detection-rotation.md
  • references/secret-patterns.md

Common Pitfalls

  • Committing real values in 
    .env.example
  • Rotating one system but missing downstream consumers
  • Logging secrets during debugging or incident response
  • Treating suspected leaks as low urgency without validation

Best Practices

  1. Use a secret manager as the production source of truth.
  2. Keep dev env files local and gitignored.
  3. Enforce detection in CI before merge.
  4. Re-test application paths immediately after credential rotation.