From 1faf9d202054257b2b2808c9adcfd3ac682c7946 Mon Sep 17 00:00:00 2001
From: Trevin Chow <trevin@bigcartel.com>
Date: Tue, 27 Jan 2026 21:19:59 -0800
Subject: [PATCH] skill-creator: add secrets handling guidance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add explicit rule that skills must never hardcode secrets automatically.
Include config → env → error lookup pattern for scripts.
---
 skills/skill-creator/SKILL.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/skills/skill-creator/SKILL.md b/skills/skill-creator/SKILL.md
index 4680d5e2d..c72195e0f 100644
--- a/skills/skill-creator/SKILL.md
+++ b/skills/skill-creator/SKILL.md
@@ -98,6 +98,16 @@ Files not intended to be loaded into context, but rather used within the output
 - **Use cases**: Templates, images, icons, boilerplate code, fonts, sample documents that get copied or modified
 - **Benefits**: Separates output resources from documentation, enables Codex to use files without loading them into context
 
+#### Secrets & Credentials
+
+**NEVER hardcode secrets automatically**—only if user explicitly requests it. Scripts must look up secrets dynamically: config → env → error.
+
+```bash
+VALUE=$(jq -r '.skills.entries["skill-name"].apiKey // empty' ~/.clawdbot/clawdbot.json)
+VALUE="${VALUE:-$SKILL_NAME_API_KEY}"
+[[ -z "$VALUE" ]] && echo "Error: Set skills.entries.skill-name.apiKey in config or SKILL_NAME_API_KEY env var" && exit 1
+```
+
 #### What to Not Include in a Skill
 
 A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including: