OpenSkillIndex← back to search
claude-codeopenclawdevops

Skills devtools-secrets

install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/basher83/devtools-secrets" ~/.claude/skills/openclaw-skills-devtools-secrets && rm -rf "$T"
OpenClaw · Install into ~/.openclaw/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/basher83/devtools-secrets" ~/.openclaw/skills/openclaw-skills-devtools-secrets && rm -rf "$T"
manifest: skills/basher83/devtools-secrets/SKILL.md
tags
#secrets-management#devops#environment-variables#tooling#cli#automation
source content

DevTools Secrets

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain.

Toolchain Validation

IMPORTANT: Check tool availability before proceeding with any guidance.

  • mise: !
    command -v mise >/dev/null 2>&1 && echo "INSTALLED ($(mise --version 2>/dev/null | head -1))" || echo "MISSING — install with: curl https://mise.run | sh"
  • fnox: !
    command -v fnox >/dev/null 2>&1 && echo "INSTALLED ($(fnox --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g fnox"
  • infisical: !
    command -v infisical >/dev/null 2>&1 && echo "INSTALLED ($(infisical --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g infisical"

If any tool above shows MISSING, stop and help the user install it before proceeding. Do not provide configuration guidance for tools that aren't installed.

Project Config State

  • fnox.toml: !
    test -f fnox.toml && echo "YES" || echo "NO (run: fnox init)"
  • .infisical.json: !
    test -f .infisical.json && cat .infisical.json || echo "NO (run: infisical init)"
  • mise.toml env section: !
    grep -A5 '^\[env\]' mise.toml 2>/dev/null || echo "No env section"

System/Global Config

  • mise global config: !
    test -f ~/.config/mise/config.toml && head -10 ~/.config/mise/config.toml || echo "No global mise config"
  • fnox global config: !
    test -f ~/.config/fnox/config.toml && head -10 ~/.config/fnox/config.toml || echo "No global fnox config"
  • infisical logged in: !
    infisical user get 2>/dev/null | head -3 || echo "Not logged in or not installed"

Tool Roles

ToolRole
miseTask runner + env manager. Orchestrates dev tooling, runs tasks, manages env vars through plugins.
fnoxUnified secret interface. Abstracts over multiple secret backends (infisical, age, env files) with a single CLI.
infisicalRemote secrets backend. Stores, syncs, and injects secrets from a central server.

These tools complement each other: infisical stores secrets remotely, fnox provides a unified local interface to them, and mise orchestrates tasks that consume secrets via fnox.

Integration Chain

The typical flow:

  1. fnox.toml defines infisical as a provider with project/environment config
  2. fnox exec --
     resolves secrets from the provider and injects them as env vars
  3. mise tasks can wrap 
    fnox exec
    to run commands with secrets injected
  4. Alternatively, mise env plugins can call fnox directly for auto-injection on 
    cd

Secrets Enforcement

This project enforces secrets hygiene via always-on hooks in 

.claude/settings.json
(not scoped to this skill):

  • block-hardcoded-secrets.py
     — Blocks Edit/Write operations containing hardcoded API keys, tokens, passwords, or known secret prefixes (sk-, ghp_, AKIA, xox[bpras]-)
  • block-bare-secret-exports.py
     — Blocks Bash commands that 
    export
    secret-like env vars without wrapping in 
    fnox exec
    or 
    infisical run

These hooks are always active regardless of whether this skill is loaded.

Configuration Patterns

Detailed configuration for each tool is in the reference files:

  • @references/mise-integration.md — mise env plugins, tasks, fnox integration
  • @references/fnox-configuration.md — fnox.toml structure, providers, profiles
  • @references/infisical-patterns.md — infisical CLI, scanning, CI/CD

Gotchas

  • Order matters: fnox.toml must exist before 
    fnox exec
    works. Run 
    fnox init
    if missing.
  • Profile mismatches: fnox profiles (dev/staging/prod) must match infisical environment slugs. A mismatch silently returns empty secrets.
  • .infisical.json
    is safe to commit     — it contains project IDs and workspace config, not secrets.
  • fnox.toml
    may contain sensitive paths     — review before committing if using age-encrypted file provider.
  • mise env plugins run on 
    cd
     — if a plugin calls fnox and fnox is misconfigured, you get errors on every directory change.
  • infisical auth expires
    infisical login
    tokens have a TTL. CI/CD should use 
    INFISICAL_TOKEN
    (service token) instead.
  • Token path scope is explicit — a service token scoped to 
    /
    cannot access secrets in child paths like 
    /git_actions
    . Each path requires its own token or use 
    --recursive
    with the CLI directly.