secret-capturelisted

# Secret capture Invoke this skill whenever you need the user to supply a credential. Never ask the user to paste a secret into chat or the terminal — use this skill instead. ## When to use - Onboarding a new MCP, integration, or service that needs an API key - Rotating an existing credential - Creating a new n8n credential, Cloudflare Worker secret, GitHub secret, Coolify env var - Storing a personal API key the user will consume from their shell / agents (→ 1Password) - Any time mid-task you realize "I need a credential here" ## Decision rule — which destination One secret, one home. Pick based on who consumes the value: - **User consumes it** (terminal, agents, MCPs, HTTP calls from the user's machine) → `1password` - **System consumes it natively** (n8n runs the workflow that uses this token, GitHub Actions runs the workflow, Cloudflare Worker runtime reads it, Coolify app reads the env var) → the matching target adapter Never store the same secret in two places. ## Invocation The skill is a bash script. Invoke via the Bash tool: ```bash bash ~/.claude/skills/secret-capture/scripts/capture.sh --target <target> [target-flags] [--rotate] [--expect <shape>] ``` You pass only the destination metadata. You never pass, read, or handle the value. The script opens a hidden-input dialog, captures the value, pipes it directly to the destination, and returns a reference on stdout. ## Targets ### `1password` ```bash bash capture.sh --target 1password \ --vault <vault-