Claude-code-plugins-plus-skills clari-security-basics
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/clari-pack/skills/clari-security-basics" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-clari-security-basics && rm -rf "$T"
manifest: plugins/saas-packs/clari-pack/skills/clari-security-basics/SKILL.md
Clari Security Basics
Overview
Secure your Clari integration: API token management, exported data PII handling, and access control best practices.
Instructions
Step 1: Token Management
```bash
# Store token in secrets manager
aws secretsmanager create-secret \
  --name "clari/prod/api-token" \
  --secret-string "${CLARI_API_KEY}"

# In CI/CD, load from secrets
export CLARI_API_KEY="$(aws secretsmanager get-secret-value \
  --secret-id "clari/prod/api-token" --query SecretString --output text)"
```
Rotation: Clari API tokens are generated per-user. To rotate, generate a new token in User Settings, update all consumers, then discard the old one.
Step 2: Exported Data PII Handling
Clari export data contains PII (rep names, emails, deal amounts):
```python
import hashlib


def redact_pii(entries: list[dict]) -> list[dict]:
    """Redact PII from forecast entries for non-production use."""
    redacted = []
    for entry in entries:
        r = entry.copy()
        if "ownerEmail" in r:
            r["ownerEmail"] = hashlib.sha256(
                r["ownerEmail"].encode()
            ).hexdigest()[:12] + "@redacted"
        if "ownerName" in r:
            r["ownerName"] = f"Rep-{hashlib.sha256(r['ownerName'].encode()).hexdigest()[:6]}"
        redacted.append(r)
    return redacted
```
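The hashes in `redact_pii` are unkeyed, so anyone holding a list of rep addresses can recompute the same tokens. The variant below is an added example, not part of the original skill, that uses HMAC-SHA256 with a secret key instead; the key value, the sample entries and the `amount` field name are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: in real use the key is loaded from the same
# secrets manager as the API token and is never stored beside the export.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample entries; "amount" is a hypothetical field name.
SAMPLE_ENTRIES = [
    {"ownerEmail": "Ana.Ruiz@example.com", "ownerName": "Ana Ruiz", "amount": 12000},
    {"ownerEmail": "ana.ruiz@example.com ", "ownerName": "Ana Ruiz", "amount": 800},
    {"ownerEmail": None, "amount": 50},
]


def pseudonym(value: str, key: bytes, length: int) -> str:
    """Keyed, deterministic token: same value and key give the same token."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:length]


def redact_pii_keyed(entries: list[dict], key: bytes) -> list[dict]:
    """Like redact_pii, but tokens cannot be recomputed without the key."""
    redacted = []
    for entry in entries:
        r = entry.copy()  # shallow copy; the caller's dicts are not modified
        if isinstance(r.get("ownerEmail"), str):
            r["ownerEmail"] = pseudonym(r["ownerEmail"], key, 12) + "@redacted"
        if isinstance(r.get("ownerName"), str):
            r["ownerName"] = "Rep-" + pseudonym(r["ownerName"], key, 6)
        redacted.append(r)
    return redacted


def unkeyed_token(email: str) -> str:
    """The email token exactly as the unkeyed redact_pii builds it."""
    return hashlib.sha256(email.encode()).hexdigest()[:12] + "@redacted"


def recomputable_without_key(token: str, known_email: str) -> bool:
    """True if the token is just the plain SHA-256 prefix of a known address."""
    return hmac.compare_digest(token, unkeyed_token(known_email))


if __name__ == "__main__":
    for row in redact_pii_keyed(SAMPLE_ENTRIES, DEMO_KEY):
        print(row)
```

Addresses are trimmed and lower-cased before hashing, so the same rep gets the same token across exports. Changing the key changes every token.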
Step 3: Security Checklist
- API token in secrets manager, not in code
- .env files in .gitignore
- Exported data stored in access-controlled warehouse
- PII redacted in non-production environments
- Export download URLs are temporary -- do not cache
- Audit who has API token access
- Token regenerated if any team member leaves
Next Steps
For production deployment, see clari-prod-checklist.