
secret-hygiene (listed)

This skill activates when detecting hardcoded strings that look like API keys or credentials, creating .env files, referencing process.env or os.environ without Infisical, or working with configuration files that contain sensitive values. It enforces secret hygiene practices and recommends moving secrets to Infisical.
smicolon/ai-kit · ★ 3 · AI & Automation · score 64
Install: claude install-skill smicolon/ai-kit
# Secret Hygiene

Patterns for detecting, preventing, and remediating hardcoded secrets in codebases.

## Detection Patterns

### Common Secret Patterns

Watch for these patterns in code:

```
# AWS
AKIA[0-9A-Z]{16}                                    # AWS Access Key ID
[0-9a-zA-Z/+]{40}                                   # AWS Secret Access Key

# API Keys
sk_live_[0-9a-zA-Z]{24,}                            # Stripe secret key
sk_test_[0-9a-zA-Z]{24,}                            # Stripe test key
SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43}          # SendGrid
xoxb-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}            # Slack bot token

# Tokens
ghp_[0-9a-zA-Z]{36}                                 # GitHub personal access token
glpat-[0-9a-zA-Z\-_]{20}                            # GitLab personal access token
eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+              # JWT token

# Database
postgres://.*:.*@                                   # PostgreSQL connection string
mysql://.*:.*@                                      # MySQL connection string
mongodb(\+srv)?://.*:.*@                            # MongoDB connection string
redis://.*:.*@                                      # Redis connection string

# Private Keys
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
```

### When to Flag

Flag code that contains:

- String literals matching the secret patterns above
- Hardcoded connection strings with credentials
- Base64-encoded values assigned to `secret`, `key`, `token`, or `password` variables
- Configuration files with inline credentials

## Remediation

### Step 1: Move Secret to Infisical

```bash
# Add the secret to Infisical
infisica
```
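As an added example (not code from the ai-kit skill itself), the following scanner compiles the "Common Secret Patterns" list and the "When to Flag" base64-assignment rule above and runs them over a constructed source file, redacting each hit so the report does not re-leak the credential. The pattern names, the `redact`/`scan_text` helpers and every credential in `SAMPLE_SOURCE` are made up for the demonstration.

```python
import re

# Patterns from the "Common Secret Patterns" list, compiled once. The bare AWS
# secret-key pattern ([0-9a-zA-Z/+]{40}) is left out: alone it flags every
# 40-character hash, so it belongs in a second pass over files with an AKIA id.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "stripe_live_key": re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
    "stripe_test_key": re.compile(r"sk_test_[0-9a-zA-Z]{24,}"),
    "sendgrid_key": re.compile(r"SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43}"),
    "slack_bot_token": re.compile(r"xoxb-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}"),
    "github_pat": re.compile(r"ghp_[0-9a-zA-Z]{36}"),
    "gitlab_pat": re.compile(r"glpat-[0-9a-zA-Z\-_]{20}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+"),
    "db_connection_string": re.compile(  # stops at whitespace/quotes: one literal
        r"(?:postgres|mysql|mongodb(?:\+srv)?|redis)://[^\s'\"]*:[^\s'\"]*@"),
    "private_key": re.compile(r"-----BEGIN (?:(?:RSA |EC |OPENSSH )?PRIVATE KEY|PGP PRIVATE KEY BLOCK)-----"),
    # "When to Flag": base64-looking literal assigned to a secret/key/token/
    # password variable (the variable-name test is case-insensitive).
    "base64_secret_assignment": re.compile(
        r"\b\w*(?:secret|key|token|password)\w*\s*[=:]\s*"
        r"['\"][A-Za-z0-9+/]{16,}={0,2}['\"]", re.IGNORECASE),
}

def redact(value):
    """Keep a 4-character prefix so the report itself does not leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"

def scan_text(text):
    """Return [(line_no, pattern_name, redacted_match), ...]; one line may hit several patterns."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, name, redact(match.group(0))))
    return findings

# Constructed sample file; every credential below is made up for this demo.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
stripe = Stripe("sk_test_abcdefghijklmnopqrstuvwx")
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"
api_secret = "c2VjcmV0LXZhbHVlLWhlcmU="
db_url = os.environ["DATABASE_URL"]
"""
```

Note that line 1 of the sample fires twice (AKIA pattern and the base64-assignment rule): overlapping hits are a useful signal for ranking findings, and the last line, which reads the value from the environment, produces none.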