Claude-code-plugins-plus-skills hex-security-basics

install

source · Clone the upstream repo

git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/hex-pack/skills/hex-security-basics" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-hex-security-basics && rm -rf "$T"

manifest: plugins/saas-packs/hex-pack/skills/hex-security-basics/SKILL.md

Hex Security Basics

Overview

Hex is a collaborative data analytics platform where notebooks query production databases, generate visualizations, and share results across teams. Security concerns center on API token management (read vs run scopes), protecting database connection credentials embedded in Hex projects, and ensuring query results containing sensitive business data are not leaked through logs or exports. A compromised run-scope token can trigger arbitrary queries against connected databases.

API Key Management

function createHexClient(scope: "read" | "run"): { token: string; baseUrl: string } {
  const envVar = scope === "run" ? "HEX_RUN_TOKEN" : "HEX_READ_TOKEN";
  const token = process.env[envVar];
  if (!token) {
    throw new Error(`Missing ${envVar} — store in secrets manager, never in code`);
  }
  // Run tokens can trigger queries — use read tokens for monitoring
  console.log(`Hex client initialized with ${scope} scope (token suffix: ${token.slice(-4)})`);
  return { token, baseUrl: "https://app.hex.tech/api/v1" };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyHexWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-hex-signature"] as string;
  const secret = process.env.HEX_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const HexRunRequestSchema = z.object({
  project_id: z.string().uuid(),
  input_params: z.record(z.string(), z.unknown()).optional(),
  notify_on_completion: z.boolean().default(false),
  update_cache: z.boolean().default(false),
});

function validateHexRunRequest(data: unknown) {
  return HexRunRequestSchema.parse(data);
}

Data Protection

const HEX_SENSITIVE_FIELDS = ["db_connection_string", "query_results", "api_token", "input_params", "export_url"];

function redactHexLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of HEX_SENSITIVE_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

API tokens stored in secrets vault, never in code
Read-only tokens for monitoring, run tokens for orchestration only
Token expiration set to 90 days maximum
Separate tokens per environment (dev/staging/prod)
Pre-commit hook blocks
```
hex_token_*
```
patterns
Database connection credentials managed in Hex workspace settings
Query result exports reviewed for sensitive data before sharing
Notebook sharing permissions audited per team

Error Handling

Vulnerability	Risk	Mitigation
Leaked run-scope token	Arbitrary queries against production databases	Secrets vault + least-privilege scoping
Database credentials in notebooks	Connection strings exposed to all collaborators	Hex workspace-managed connections
Query results in logs	Sensitive business data leaked	Field-level redaction pipeline
Overly broad notebook sharing	Confidential analytics visible to wrong teams	Per-notebook permission scoping
No token expiration	Indefinite access from compromised token	90-day expiration policy

Resources

Next Steps

See

hex-prod-checklist