OpenSkillIndex← back to search
claude-codesecurity

Claude-code-plugins-plus-skills hootsuite-security-basics

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/hootsuite-pack/skills/hootsuite-security-basics" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-hootsuite-security-basics && rm -rf "$T"
manifest: plugins/saas-packs/hootsuite-pack/skills/hootsuite-security-basics/SKILL.md
tags
#security#hootsuite#oauth#api-security#credential-management
source content

Hootsuite Security Basics

Credential Inventory

CredentialScopeRotation
Client IDApp-levelNever (app identifier)
Client SecretApp-levelRotate if compromised
Access TokenUser sessionAuto-expires (~1 hour)
Refresh TokenUser sessionRotate on each refresh

Instructions

Step 1: Secure Token Storage

# .env (never commit)
HOOTSUITE_CLIENT_ID=app_client_id
HOOTSUITE_CLIENT_SECRET=app_secret
HOOTSUITE_ACCESS_TOKEN=current_token
HOOTSUITE_REFRESH_TOKEN=refresh_token

Step 2: Token Refresh Security

// Always use HTTPS for token exchange
// Store refresh tokens encrypted at rest
// Rotate refresh tokens on each use (Hootsuite returns new ones)
async function secureRefresh(refreshToken: string) {
  const res = await fetch('https://platform.hootsuite.com/oauth2/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Authorization': `Basic ${Buffer.from(`${process.env.HOOTSUITE_CLIENT_ID}:${process.env.HOOTSUITE_CLIENT_SECRET}`).toString('base64')}`,
    },
    body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken }),
  });
  const tokens = await res.json();
  // Store new refresh_token, discard old one
  return tokens;
}

Step 3: Security Checklist

  • Client secret in secrets vault, never in code
  • Access tokens never logged or exposed
  • Refresh tokens stored encrypted
  • HTTPS for all OAuth requests
  • Pre-commit hook blocks 
    HOOTSUITE_
    credential leaks
  • Separate OAuth apps for dev/staging/prod

Resources

Next Steps

For production, see 

hootsuite-prod-checklist
.