secure-config-secrets
Install: claude install-skill authenticfake/clike
# Secure Config Secrets Skill
## Intent
Generated software must be safe by default.
This skill prevents hardcoded secrets, unsafe defaults, leaked prompts or document content, hidden production endpoints, unrestricted egress, insecure local shortcuts promoted as production behavior, and auth/security claims without evidence.
## Use when
Use this skill when a REQ touches:
- authentication;
- authorization;
- RBAC;
- OIDC/SAML;
- API keys;
- secrets;
- environment variables;
- cloud/on-prem runtime;
- external providers;
- database connections;
- queues;
- object storage;
- AI providers;
- document content;
- logs;
- audit;
- deployment;
- network egress.
## Do not use when
Do not use this skill for pure algorithmic code with no configuration, no I/O, no external calls, no secrets, and no security-sensitive data.
## Required behavior
Generated code must:
- keep secrets in environment/config providers;
- never hardcode credentials, tokens, API keys, private URLs, or passwords;
- provide `.env.example` or equivalent when environment variables are introduced;
- distinguish local-dev defaults from production requirements;
- fail fast on missing production-critical configuration;
- redact sensitive payloads from logs and audit;
- avoid raw prompt logging for AI features unless explicitly allowed;
- keep provider SDKs behind approved boundaries when the plan requires adapters;
- document required configuration and safe defaults.
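One way to meet the fail-fast, dev-versus-production and log-redaction requirements above, as an added example rather than code from this skill. The setting names (`APP_ENV`, `DATABASE_URL`, `API_KEY`, `OIDC_ISSUER`), the `local` mode value and the helper names are assumptions made for illustration.

```python
import os
import re

# Hypothetical setting names and dev defaults for this example; not defined by the skill.
REQUIRED_IN_PROD = ("DATABASE_URL", "API_KEY", "OIDC_ISSUER")
LOCAL_DEV_DEFAULTS = {
    "DATABASE_URL": "sqlite:///dev.db",
    "API_KEY": "",  # empty: external provider disabled locally
    "OIDC_ISSUER": "http://localhost:8080/realms/dev",
}
SENSITIVE_KEY = re.compile(r"key|token|secret|password|authorization|prompt", re.I)
URL_CREDENTIALS = re.compile(r"(://[^:/@\s]+:)[^@/\s]+@")


class ConfigError(RuntimeError):
    """Raised at startup when production-critical configuration is absent."""


def load_config(env=None):
    """Read settings from the environment; dev defaults apply only if APP_ENV is 'local'."""
    env = os.environ if env is None else env
    mode = env.get("APP_ENV", "production")  # unset means production: safe by default
    if mode != "local":
        missing = [k for k in REQUIRED_IN_PROD if not env.get(k)]
        if missing:
            # Report setting names only, never values.
            raise ConfigError("missing required configuration: " + ", ".join(missing))
        return {"APP_ENV": mode, **{k: env[k] for k in REQUIRED_IN_PROD}}
    return {"APP_ENV": mode, **{k: env.get(k) or LOCAL_DEV_DEFAULTS[k] for k in REQUIRED_IN_PROD}}


def redact(record):
    """Return a copy of a dict that is safe to write to logs or audit."""
    out = {}
    for key, value in record.items():
        if SENSITIVE_KEY.search(key):
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        elif isinstance(value, str):
            out[key] = URL_CREDENTIALS.sub(r"\1[REDACTED]@", value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    print(redact(load_config({"APP_ENV": "local"})))
```

Any `APP_ENV` value other than the explicit `local` is treated as production, so a typo in the mode cannot silently enable development defaults.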
## Authentication and authorization
When a