romtuck/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

skill-creator: add secrets handling guidance

Browse Source 
Add explicit rule that skills must never hardcode secrets automatically.
Include config → env → error lookup pattern for scripts.
This commit is contained in:
Trevin Chow 2026-01-27 21:19:59 -08:00 committed by Trevin Chow
parent 4583f88626
commit 1faf9d2020
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
skills/skill-creator/SKILL.md
View File

@ -98,6 +98,16 @@ Files not intended to be loaded into context, but rather used within the output
- **Use cases**: Templates, images, icons, boilerplate code, fonts, sample documents that get copied or modified
- **Benefits**: Separates output resources from documentation, enables Codex to use files without loading them into context
#### Secrets & Credentials
**NEVER hardcode secrets automatically**—only if user explicitly requests it. Scripts must look up secrets dynamically: config → env → error.
```bash
VALUE=$(jq -r '.skills.entries["skill-name"].apiKey // empty' ~/.clawdbot/clawdbot.json)
VALUE="${VALUE:-$SKILL_NAME_API_KEY}"
[[ -z "$VALUE" ]] && echo "Error: Set skills.entries.skill-name.apiKey in config or SKILL_NAME_API_KEY env var" && exit 1
```
#### What to Not Include in a Skill
A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including: