secrets-management

by wshobson

The secrets-management skill helps teams secure CI/CD secrets with Vault, AWS Secrets Manager, Azure Key Vault, Google Secret Manager, and native platform options. Use it to plan runtime secret retrieval, rotation, and least-privilege Access Control for pipelines.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategoryAccess Control

Install Command

npx skills add wshobson/agents --skill secrets-management

Curation Score

This skill scores 70/100, which means it is listable and likely helpful for agents handling CI/CD secret storage and rotation, but directory users should expect a documentation-only guide rather than a tightly operational skill with installable helpers or explicit decision rules.

70/100

Strengths

Clear triggerability: the frontmatter and 'When to Use' section explicitly cover credentials, certificates, rotation, and least-privilege CI/CD use cases.
Provides real workflow content across multiple platforms, including Vault setup and CI/CD integration examples rather than placeholder text.
Gives comparative tool coverage for Vault, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager, which helps agents map the skill to different cloud environments.

Cautions

Operational guidance appears mostly example-driven and lacks support files, scripts, or reusable rules that would reduce execution guesswork.
No install command or companion resources are provided, so adoption depends on users interpreting the markdown correctly and filling in environment-specific details.

Security Ci Cd Cicd Vault Aws Azure Gcp

Overview

Overview of secrets-management skill

What the secrets-management skill does

The secrets-management skill helps an agent design and implement safer secret handling for CI/CD pipelines. It focuses on replacing hardcoded credentials with managed secret stores such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or native platform secret features.

Who should use this secrets-management skill

This secrets-management skill is best for teams building or reviewing delivery pipelines that touch API keys, database passwords, certificates, cloud credentials, or other sensitive configuration. It is especially useful for platform engineers, DevOps teams, security-minded app teams, and anyone adding Access Control to automation workflows.

The real job-to-be-done

Most users do not just want a list of secret tools. They need a workable path from “our pipeline has sensitive values” to “our CI/CD jobs fetch the right secret at runtime with least privilege, rotation, and auditability.” This skill is valuable when you want implementation direction, not just security principles.

What makes this skill different from a generic prompt

A generic prompt often stops at broad advice like “use a secret manager.” The secrets-management skill is more actionable because it organizes the problem around actual CI/CD use cases: secret storage, runtime retrieval, rotation, and provider-specific options. It also gives concrete Vault setup and GitHub Actions patterns, which helps an agent produce usable first drafts faster.

Best-fit and misfit

Use secrets-management when your main question is how to secure delivery pipelines and automation. It is a weaker fit if you need deep product-specific production architecture for one platform only, legal/compliance interpretation, or a full enterprise secret governance model. In those cases, use this skill as a starting point, then add provider documentation and internal policy constraints.

How to Use secrets-management skill

Install context for secrets-management

The upstream skill does not include its own install command in SKILL.md, so directory users typically add it from the repository skill path supported by their agent tooling. If you are using a skills-compatible CLI, install from the repository that contains plugins/cicd-automation/skills/secrets-management, then confirm the skill is available before prompting. If your environment does not support direct skill installs, copy the skill content into your agent’s skill or system instruction layer.

Read this file first

Start with plugins/cicd-automation/skills/secrets-management/SKILL.md. This skill is self-contained, and the repository signals show no extra README.md, resources/, rules/, or helper scripts for this skill. That means most of the usable guidance is in the main skill file, so reading that first gives you nearly the full operating context.

What input the skill needs from you

The secrets-management skill works best when you provide:

your CI/CD platform, such as GitHub Actions
your cloud or runtime environment
the secret types involved
whether you need rotation
your current Access Control model
whether you already use Vault or a cloud-native secret manager
deployment constraints, such as self-hosted runners or regulated environments

Without that context, the agent will likely produce a generic comparison instead of an implementation-ready plan.

Turn a rough goal into a usable prompt

Weak goal:

“Help me manage secrets in CI.”

Stronger prompt:

“Use the secrets-management skill to propose a GitHub Actions design for deploying an app to AWS without long-lived cloud keys. Recommend whether to use AWS Secrets Manager, GitHub environment secrets, or Vault. Include secret retrieval flow, Access Control boundaries, rotation approach, and example workflow YAML.”

The stronger version tells the agent what decision to make, what systems are in scope, and what output format you need.

Best prompt structure for secrets-management usage

A high-quality secrets-management usage prompt usually includes:

current platform
target secret store
threat or risk to reduce
runtime retrieval point
Access Control requirements
output format you want

Example:

“Using the secrets-management skill, design a migration from repo-level secrets to Vault for GitHub Actions. We need least-privilege access per environment, auditability, and quarterly rotation. Show the architecture, sample Vault paths, policy approach, and a starter workflow.”

Practical workflow to follow

A reliable workflow is:

identify secrets and where they are currently stored
choose the secret backend that matches your platform and operations model
define Access Control boundaries by app, environment, and pipeline stage
design runtime retrieval instead of build-time hardcoding
add rotation and revocation expectations
generate example pipeline config
review for over-scoped permissions and secret sprawl

This sequence matters because users often jump straight to YAML before deciding secret ownership and access boundaries.

Tool choice guidance the skill can support

The skill covers multiple backends, but adoption usually hinges on operating burden:

HashiCorp Vault: best when you need centralized control, dynamic secrets, and strong audit/access policy features
AWS Secrets Manager: best when your workloads already live mostly in AWS
Azure Key Vault: good fit for Azure-centric teams needing RBAC integration
Google Secret Manager: good fit for GCP-native environments
native CI/CD secrets: simplest, but usually less flexible for rotation, dynamic credentials, and broader governance

This is where the secrets-management skill helps most: narrowing the decision based on pipeline reality rather than tool popularity.

Example requests that get strong outputs

Ask for outputs like:

migration plan from hardcoded env vars to managed secrets
GitHub Actions workflow that retrieves secrets at runtime
Vault path and policy design for multiple environments
rotation strategy for database passwords or API tokens
comparison of cloud-native secret stores for your current stack

These requests fit the repository content better than broad asks like “teach me all secret management.”

What the skill can produce well

The secrets-management guide is strongest at:

CI/CD-focused secret handling patterns
provider selection at a practical level
Vault setup examples
runtime retrieval patterns in pipelines
least-privilege and audit-oriented design direction

It is less likely to give production-perfect commands for every provider unless you also supply your exact environment.

Repository details worth knowing before adoption

This skill is compact and focused. That is good for fast invocation, but it also means there are few embedded guardrails, no helper scripts, and limited implementation scaffolding beyond examples. Expect to use it as a planning and drafting accelerator, then verify syntax and provider-specific security details against official docs.

secrets-management skill FAQ

Is the secrets-management skill good for beginners?

Yes, if you already understand what a CI/CD pipeline is and why secrets should not live in source control. The skill gives a practical starting structure. Absolute beginners may still need extra help understanding IAM, Vault auth methods, or environment-level Access Control concepts.

When should I use this instead of a normal prompt?

Use the secrets-management skill when you want the agent to stay anchored on CI/CD secret handling rather than drifting into generic security advice. It improves prompt discipline, especially for install and design tasks like choosing between Vault and a cloud-native manager.

Does secrets-management install anything for me?

No. The skill provides guidance and examples; it is not an installer or deployment automation package. For secrets-management install decisions, treat it as a planning layer that helps you choose architecture, config patterns, and next implementation steps.

Is this mainly for Vault or for all secret backends?

It covers several backends, but Vault receives the most concrete implementation detail in the source content. If your environment is AWS-, Azure-, or GCP-first, the skill still helps with decision framing, but you may need to ask for provider-specific examples explicitly.

Is this useful for Access Control work?

Yes. secrets-management for Access Control is one of the strongest use cases because secure secret retrieval depends on scoping who or what can fetch each secret. Ask the agent to map secrets by environment, workload, and role so the output includes least-privilege boundaries instead of only storage advice.

When is this skill the wrong choice?

Skip it if your need is mainly:

application-level secret encryption inside code
compliance policy drafting without implementation work
advanced vendor-specific production hardening with no CI/CD angle
a turnkey secret platform deployment runbook

In those cases, use a more specialized skill or official platform docs.

How to Improve secrets-management skill

Give better system context upfront

The fastest way to improve secrets-management output quality is to provide the surrounding system:

CI/CD platform
deployment target
secret consumers
environments
existing identity provider
Access Control requirements
rotation expectations

This prevents the agent from producing a generic “use a secret manager” answer.

Ask for architecture plus concrete config

Do not ask only for recommendations. Ask for:

decision rationale
secret path or naming layout
policy boundaries
runtime retrieval flow
example pipeline config
migration steps

That combination turns the secrets-management skill from advisory output into implementation-ready output.

Common failure mode: vague secret inventory

If you say only “we have some secrets,” the result will be weak. Instead, name the secret classes:

cloud credentials
database passwords
TLS certificates
third-party API keys
signing keys

Different secret types change rotation strategy, retrieval timing, and backend choice.

Common failure mode: missing identity model

Many bad outputs come from not stating how the pipeline authenticates. For better secrets-management usage, specify whether jobs use OIDC, static credentials, workload identity, service principals, or Vault auth methods. Secret retrieval design is tightly coupled to identity.

Improve prompts with constraints that matter

Useful constraints include:

no long-lived credentials
self-hosted runners only
multi-environment separation
audit log retention requirements
cloud lock-in preferences
need for automatic rotation
requirement to avoid developer access to production secrets

These constraints force more realistic output and better tool selection.

Ask the agent to compare options explicitly

A good way to improve the secrets-management skill is to request a comparison table with your context included. Example:

“Compare Vault, AWS Secrets Manager, and GitHub environment secrets for our GitHub Actions pipeline, with columns for Access Control granularity, rotation, auditability, operational burden, and migration effort.”

That format makes tradeoffs visible and speeds adoption decisions.

Iterate after the first answer

After the first draft, ask the agent to tighten the design:

remove over-privileged access
replace static credentials with federated auth if possible
separate dev/staging/prod secret paths
add rollback and secret rotation handling
identify secrets that should become dynamic instead of stored

This second pass often adds more value than the first.

Validate examples before production rollout

The skill can accelerate design, but you should still verify:

YAML syntax
provider auth steps
Vault policy syntax
runner environment assumptions
secret rotation hooks
audit log coverage

The skill is best used to reduce guesswork, not to skip security review.

A strong final prompt pattern

For the best output, use a prompt like:

“Use the secrets-management skill to design secure secret handling for our GitHub Actions deployment pipeline. We deploy to AWS, want OIDC-based auth, need separate dev/staging/prod access, quarterly rotation for stored secrets, and no plaintext secrets in repo or workflow files. Recommend the backend, show the secret access model, and provide starter YAML plus a migration checklist.”

That prompt gives the agent enough context to produce a practical secrets-management guide instead of a generic summary.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

azure-identity-py

by microsoft

azure-identity-py helps set up Azure authentication in Python with Microsoft Entra ID. Use it to choose DefaultAzureCredential, managed identity, or service principal auth, configure environment variables, and troubleshoot access control and credential chain issues. Install guidance, usage patterns, and practical setup notes are based on the repo skill file.

Access Control

Favorites 0GitHub 2.2k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

detecting-anomalous-authentication-patterns

by mukul975

detecting-anomalous-authentication-patterns helps analyze authentication logs for impossible travel, brute force, password spraying, credential stuffing, and compromised-account activity. Built for Security Audit, SOC, IAM, and incident response workflows with baseline-aware detection and evidence-backed sign-in analysis.

Security Audit

Favorites 0GitHub 0

auditing-kubernetes-cluster-rbac

by mukul975

auditing-kubernetes-cluster-rbac helps audit Kubernetes RBAC for overbroad roles, risky bindings, secret access, and privilege escalation paths. It is built for security audit workflows across EKS, GKE, AKS, and self-managed clusters, with practical guidance for kubectl, rbac-tool, KubiScan, and Kubeaudit.

Security Audit

Favorites 0GitHub 0

auditing-gcp-iam-permissions

by mukul975

auditing-gcp-iam-permissions helps review Google Cloud IAM access for risky bindings, primitive roles, public access, service account exposure, and cross-project paths. This access-control audit skill is built for evidence-driven reviews with gcloud, Cloud Asset, IAM Recommender, and Policy Analyzer.

Access Control

Favorites 0GitHub 0

auditing-aws-s3-bucket-permissions

by mukul975

The auditing-aws-s3-bucket-permissions skill helps you audit AWS S3 buckets for public exposure, overly permissive ACLs, weak bucket policies, and missing encryption. Built for Security Audit workflows, it supports a repeatable least-privilege review with AWS CLI and boto3-oriented guidance, plus practical install and usage notes.

Security Audit

Favorites 0GitHub 0

configuring-microsegmentation-for-zero-trust

by mukul975

The configuring-microsegmentation-for-zero-trust skill helps design and validate least-privilege workload-to-workload policies for zero trust environments. Use this guide to segment applications, reduce lateral movement, and turn observed traffic into enforceable rules for Security Audit and operations.

Security Audit

Favorites 0GitHub 0

security-scan

by affaan-m

The security-scan skill audits your Claude Code .claude/ configuration for secrets, risky MCP setup, injection-prone instructions, dangerous bypass flags, and weak agent or hook definitions using AgentShield. Use it for repeatable security checks before committing or onboarding.

Security Audit

Favorites 0GitHub 156.3k

laravel-security

by affaan-m

The laravel-security skill is a practical Laravel security checklist for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment. Use it for audits, feature reviews, and hardening work in Laravel apps.

Security Audit

Favorites 0GitHub 156.2k

git-guardrails-claude-code

by mattpocock

git-guardrails-claude-code adds a PreToolUse hook to block dangerous git commands before Claude Code runs them. Install it to prevent destructive pushes, hard resets, forced cleans, and branch deletes, with scoped control for this project or all projects. Useful when you need git-guardrails-claude-code for Access Control boundaries in Claude Code.

Access Control

Favorites 0GitHub 66k

k8s-security-policies

by wshobson

k8s-security-policies helps teams draft Kubernetes NetworkPolicy, Pod Security Standards labels, and RBAC patterns using repo-backed templates and references for hardening and audit-ready rollout planning.

Security Audit

Favorites 0GitHub 32.6k

auth-implementation-patterns

by wshobson

auth-implementation-patterns is a practical skill for designing and implementing authentication and authorization patterns, including sessions, JWT, OAuth2/OIDC, RBAC, and access control checks for APIs and apps.

Access Control

Favorites 0GitHub 32.6k

security-and-hardening

by addyosmani

The security-and-hardening skill helps harden application code before release. Use it for user input, auth, sessions, sensitive data, file uploads, webhooks, and external services, with concrete checks like input validation, parameterized queries, output encoding, secure cookies, HTTPS, and secrets handling.

Security Audit

Favorites 0GitHub 18.7k

exploiting-kerberoasting-with-impacket

by mukul975

exploiting-kerberoasting-with-impacket helps authorized testers plan Kerberoasting with Impacket GetUserSPNs.py, from SPN enumeration to TGS ticket extraction, offline cracking, and detection-aware reporting. Use this exploiting-kerberoasting-with-impacket guide for penetration testing workflows with clear install and usage context.

Penetration Testing

Favorites 0GitHub 6.2k

exploiting-idor-vulnerabilities

by mukul975

exploiting-idor-vulnerabilities helps authorized security audits test Insecure Direct Object Reference flaws across APIs, web apps, and multi-tenant systems with cross-session checks, object mapping, and read/write verification.

Security Audit

Favorites 0GitHub 6.2k

detecting-azure-service-principal-abuse

by mukul975

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

Security Audit

Favorites 0GitHub 6.1k