一键导入
secret-hygiene
Practical rules for keeping API keys, PATs, and signed request material out of the repo, logs, and artifacts.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Practical rules for keeping API keys, PATs, and signed request material out of the repo, logs, and artifacts.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use the pinned external CocoIndex Code MCP workflow for broad repository routing, then prove exact candidates with rg and direct file reads.
Bound repository context reads and semantic-search output without weakening source, test, or evidence verification.
Choose staged contract tests that catch partial AI-generated fixes across models, data, risk, execution ownership, and CLI/Windows parity.
Keep concise user docs and machine-readable model evidence synchronized with real behavior without losing provenance or caveats.
Apply four anti-error coding principles plus this repository's stricter financial-evidence, safety, and single-session rules.
Research the existing implementation, tests, primary technical sources, and financial rationale before adding trading code or dependencies.
| name | secret-hygiene |
| description | Practical rules for keeping API keys, PATs, and signed request material out of the repo, logs, and artifacts. |
| origin | repo-local skill inspired by ZMB-UZH/omero-docker-extended env-contract-reviewer |
Use this skill any time secrets enter the session — user-supplied API keys, Git PATs, environment variables, or captured HTTP samples.
_redact_request_url before display.data/: persisted JSON uses RuntimeConfig.public_dict() for any embedded runtime snapshot."fake-api-key", "fake-secret"). Never commit real testnet credentials even if they are "only" testnet.getpass.getpass or from an env var you control. Do not splice it into argv or subprocess command lines.tools/push_with_pat.py — the PAT is served over a socket to a scoped GIT_ASKPASS, never written to a file, remote URL, or credential.helper.git remote -v should not contain the PAT. ~/.git-credentials should not exist (or should not mention github.com with the PAT).BINANCE_BASE_URL, BINANCE_SPOT_BASE_URL, BINANCE_FUTURES_BASE_URL are advertised overrides. Any new env var you read:
.env.example entry..strip()) and treated as untrusted input.git diff --cached | grep -EiI 'ghp_|ghs_|github_pat_|AKIA|sk-[A-Za-z0-9]{20,}|-----BEGIN .* PRIVATE KEY-----'
git diff --cached | grep -E 'api_key|api_secret' | grep -v '<redacted>\|fake-\|BLANK'
A hit on either grep is a blocker.