secrets

Original：🇺🇸 English

Translated

1 scriptsChecked / no sensitive code detected

Enforce secure secrets management across all platforms. Never hardcode OAuth2 secrets, API keys, tokens, passwords, or credentials in source code. Store all secrets in .env files, load from environment variables, and ensure .env is gitignored. Use this skill when: (1) writing any code that uses API keys, OAuth2 client secrets, tokens, or credentials, (2) setting up authentication or third-party integrations, (3) creating new projects that need environment configuration, (4) reviewing code for security issues related to secrets, (5) configuring CI/CD pipelines or Docker deployments with secrets. Triggers: API key, OAuth, client secret, token, credentials, .env, environment variables, secret, password, authentication setup, third-party integration.

1installs

Sourcealfredang/skills

Added on2026-02-21

NPX Install

npx skill4agent add alfredang/skills secrets

SKILL.md Content

View Translation Comparison →

Secrets Management

Core Rules

NEVER hardcode secrets, API keys, OAuth2 client IDs/secrets, tokens, passwords, or credentials in source code
ALWAYS store secrets in
```
.env
```
files (or platform-native equivalents like
```
local.properties
```
,
```
.xcconfig
```
)
ALWAYS load secrets from environment variables at runtime
ALWAYS add
```
.env
```
to
```
.gitignore
```
before first commit
ALWAYS provide a
```
.env.example
```
documenting required variables (with empty values)

Workflow

When Writing Code That Uses Secrets

Detect the platform/framework from the project files
Check if
.env
and
.gitignore
are set up — if not, create them
Load secrets from environment variables using the platform's standard pattern
Never use string literals for secret values — always reference
```
process.env.*
```
,
```
os.getenv()
```
, etc.
Add the variable name to
```
.env.example
```
with an empty value and a descriptive comment
Run the scan script to verify no secrets leaked:
```
python3 scripts/scan_secrets.py .
```

When Setting Up a New Project

Create
```
.env
```
with required variables
Create
```
.env.example
```
mirroring
```
.env
```
structure with empty values (use env-example-template as a starting point)
Add secret-related entries to
```
.gitignore
```
(use gitignore-secrets as reference)
Install the
```
.env
```
loading library for the platform
Add loading code at the application entry point

When Reviewing Code

Run

python3 scripts/scan_secrets.py <project-directory>

to detect:

Hardcoded API keys, tokens, and passwords
OAuth2 client secrets in source
AWS keys, Google API keys, Stripe keys, GitHub tokens
Embedded private keys
Connection strings with credentials
Missing
```
.gitignore
```
entries for
```
.env
```
Missing
```
.env.example
```

Quick Reference by Platform

For platform-specific

.env

loading patterns (install, load, access, framework variants), see references/platforms.md. Covers:

JavaScript/TypeScript: Node.js, Next.js, Vite, React, Nuxt, Remix, Express, NestJS
Python: Django, Flask, FastAPI
Ruby: Rails
Go: godotenv
Java/Kotlin: Spring Boot
PHP: Laravel
Rust: dotenvy
Swift/iOS: Xcode .xcconfig, Vapor
Android/Kotlin: local.properties + BuildConfig
Flutter/Dart: flutter_dotenv
C#/.NET: DotNetEnv, User Secrets
Docker: --env-file, docker-compose env_file
CI/CD: GitHub Actions, GitLab CI, Vercel, Netlify, AWS, GCP, Azure

Anti-Patterns to Block

Never generate code like:

# BAD - hardcoded secrets
api_key = "sk-1234567890abcdef"
client_secret = "my-oauth-secret"
DATABASE_URL = "postgres://user:password@host/db"
const token = "ghp_xxxxxxxxxxxxxxxxxxxx";

Always generate code like:

# GOOD - loaded from environment
api_key = os.getenv("API_KEY")
const token = process.env.GITHUB_TOKEN;

Mobile Platform Notes

iOS: Use
```
.xcconfig
```
files (gitignored) referenced from Xcode build settings — not
```
.env
```
at runtime
Android: Use
```
local.properties
```
(gitignored by default) injected via
```
buildConfigField
```
— not
```
.env
```
at runtime
Flutter:
```
flutter_dotenv
```
bundles
```
.env
```
into the app binary. For truly sensitive secrets, use a backend proxy instead of embedding in the mobile app