fix(skills): distinguish native vs external tool credential storage

2026-01-28 12:06:49 -08:00 · 2026-01-28 12:06:49 -08:00 · 1e0181c7cd
commit 1e0181c7cd
parent 1faf9d2020
1 changed files with 4 additions and 1 deletions
--- a/skills/skill-creator/SKILL.md
+++ b/skills/skill-creator/SKILL.md
@ -100,14 +100,17 @@ Files not intended to be loaded into context, but rather used within the output

 #### Secrets & Credentials

-**NEVER hardcode secrets automatically**—only if user explicitly requests it. Scripts must look up secrets dynamically: config → env → error.
+**NEVER hardcode secrets automatically.** Look up secrets dynamically based on skill type:

+**Clawdbot-native skills** (no external CLI): Use config → env → error:
 ```bash
 VALUE=$(jq -r '.skills.entries["skill-name"].apiKey // empty' ~/.clawdbot/clawdbot.json)
 VALUE="${VALUE:-$SKILL_NAME_API_KEY}"
 [[ -z "$VALUE" ]] && echo "Error: Set skills.entries.skill-name.apiKey in config or SKILL_NAME_API_KEY env var" && exit 1
 ```

+**Skills wrapping external tools**: Source from `~/.config/<tool>/` (XDG convention). If the tool works standalone without Clawdbot, its credentials belong outside Clawdbot's config.
+
 #### What to Not Include in a Skill

 A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including: