Awesome-omni-skill secrets
Enforce secure secrets management across all platforms. Never hardcode OAuth2 secrets, API keys, tokens, passwords, or credentials in source code. Store all secrets in .env files, load from environment variables, and ensure .env is gitignored. Use this skill when: (1) writing any code that uses API keys, OAuth2 client secrets, tokens, or credentials, (2) setting up authentication or third-party integrations, (3) creating new projects that need environment configuration, (4) reviewing code for security issues related to secrets, (5) configuring CI/CD pipelines or Docker deployments with secrets. Triggers: API key, OAuth, client secret, token, credentials, .env, environment variables, secret, password, authentication setup, third-party integration.
git clone https://github.com/diegosouzapw/awesome-omni-skill
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/devops/secrets" ~/.claude/skills/diegosouzapw-awesome-omni-skill-secrets && rm -rf "$T"
skills/devops/secrets/SKILL.md

Secrets Management
Core Rules
- NEVER hardcode secrets, API keys, OAuth2 client IDs/secrets, tokens, passwords, or credentials in source code
- ALWAYS store secrets in `.env` files (or platform-native equivalents like `local.properties`, `.xcconfig`)
- ALWAYS load secrets from environment variables at runtime
- ALWAYS add `.env` to `.gitignore` before first commit
- ALWAYS provide a `.env.example` documenting required variables (with empty values)
Workflow
When Writing Code That Uses Secrets
- Detect the platform/framework from the project files
- Check if `.env` and `.gitignore` are set up — if not, create them
- Load secrets from environment variables using the platform's standard pattern
- Never use string literals for secret values — always reference `process.env.*`, `os.getenv()`, etc.
- Add the variable name to `.env.example` with an empty value and a descriptive comment
- Run the scan script to verify no secrets leaked: `python3 scripts/scan_secrets.py .`
When Setting Up a New Project
- Create `.env` with required variables
- Create `.env.example` mirroring the `.env` structure with empty values (use env-example-template as a starting point)
- Add secret-related entries to `.gitignore` (use gitignore-secrets as reference)
- Install the `.env` loading library for the platform
- Add loading code at the application entry point
When Reviewing Code
Run `python3 scripts/scan_secrets.py <project-directory>` to detect:
- Hardcoded API keys, tokens, and passwords
- OAuth2 client secrets in source
- AWS keys, Google API keys, Stripe keys, GitHub tokens
- Embedded private keys
- Connection strings with credentials
- Missing `.gitignore` entries for `.env`
- Missing `.env.example`
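As an added illustration of what such a review scan does (example code written for this page, not the project's own `scripts/scan_secrets.py`; the regexes, the `.gitignore` entry set and the BAD/GOOD sample strings are all constructed here), a minimal scanner that flags the secret classes listed above and checks the `.gitignore` / `.env.example` rules for a project directory:

```python
import re
from pathlib import Path

# Illustrative patterns for the secret classes listed above (constructed for this
# example, not the rules of the project's own scripts/scan_secrets.py).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "stripe_key": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{8,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection_string": re.compile(r"\b\w+://[^\s:/@\"']+:[^\s@\"']+@[^\s\"']+"),
    # api_key = "literal"; os.getenv(...) and process.env.* do not match
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|client[_-]?secret|token|password|secret)\b"
        r"\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
}
def scan_text(text, origin="<input>"):
    # Return (origin, line_number, kind) for every line matching a pattern.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((origin, lineno, kind))
    return findings
def gitignore_covers_env(gitignore_text):
    # True if .gitignore has an entry that keeps .env files out of commits.
    entries = {l.strip() for l in gitignore_text.splitlines() if l.strip()}
    return bool(entries & {".env", "/.env", ".env*", "*.env", ".env.*"})
def scan_project(root):
    # Walk a project tree; report leaked secrets and missing .gitignore/.env.example.
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        # skip git internals and the .env files themselves (they hold secrets by design)
        if path.is_file() and ".git" not in path.parts and not path.name.startswith(".env"):
            try:
                findings += scan_text(path.read_text(encoding="utf-8"), str(path.relative_to(root)))
            except (UnicodeDecodeError, OSError):
                pass  # binary or unreadable file
    gitignore = root / ".gitignore"
    return {"findings": findings,
            "missing_env_gitignore": not (gitignore.is_file() and gitignore_covers_env(gitignore.read_text())),
            "missing_env_example": not (root / ".env.example").is_file()}
# Constructed samples mirroring this skill's BAD and GOOD snippets.
BAD_SAMPLE = '''api_key = "sk-1234567890abcdef"
client_secret = "my-oauth-secret"
DATABASE_URL = "postgres://user:password@host/db"
const token = "ghp_xxxxxxxxxxxxxxxxxxxx";'''
GOOD_SAMPLE = '''api_key = os.getenv("API_KEY")
const token = process.env.GITHUB_TOKEN;'''
```

`scan_text(BAD_SAMPLE)` reports every line of the BAD sample (the GitHub token line twice, once as a token and once as a quoted assignment) while `scan_text(GOOD_SAMPLE)` returns nothing; `scan_project(".")` runs the same check over a checkout and adds the two project-level findings.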
Quick Reference by Platform
For platform-specific `.env` loading patterns (install, load, access, framework variants), see references/platforms.md. Covers:
- JavaScript/TypeScript: Node.js, Next.js, Vite, React, Nuxt, Remix, Express, NestJS
- Python: Django, Flask, FastAPI
- Ruby: Rails
- Go: godotenv
- Java/Kotlin: Spring Boot
- PHP: Laravel
- Rust: dotenvy
- Swift/iOS: Xcode .xcconfig, Vapor
- Android/Kotlin: local.properties + BuildConfig
- Flutter/Dart: flutter_dotenv
- C#/.NET: DotNetEnv, User Secrets
- Docker: --env-file, docker-compose env_file
- CI/CD: GitHub Actions, GitLab CI, Vercel, Netlify, AWS, GCP, Azure
Anti-Patterns to Block
Never generate code like:
```
# BAD - hardcoded secrets
api_key = "sk-1234567890abcdef"
client_secret = "my-oauth-secret"
DATABASE_URL = "postgres://user:password@host/db"
const token = "ghp_xxxxxxxxxxxxxxxxxxxx";
```
Always generate code like:
```
# GOOD - loaded from environment
api_key = os.getenv("API_KEY")
const token = process.env.GITHUB_TOKEN;
```
Mobile Platform Notes
- iOS: Use `.xcconfig` files (gitignored) referenced from Xcode build settings — not `.env` at runtime
- Android: Use `local.properties` (gitignored by default) injected via `buildConfigField` — not `.env` at runtime
- Flutter: `flutter_dotenv` bundles `.env` into the app binary. For truly sensitive secrets, use a backend proxy instead of embedding them in the mobile app