From 1faf9d202054257b2b2808c9adcfd3ac682c7946 Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Tue, 27 Jan 2026 21:19:59 -0800 Subject: [PATCH 1/2] skill-creator: add secrets handling guidance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add explicit rule that skills must never hardcode secrets automatically. Include config → env → error lookup pattern for scripts. --- skills/skill-creator/SKILL.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/skills/skill-creator/SKILL.md b/skills/skill-creator/SKILL.md index 4680d5e2d..c72195e0f 100644 --- a/skills/skill-creator/SKILL.md +++ b/skills/skill-creator/SKILL.md @@ -98,6 +98,16 @@ Files not intended to be loaded into context, but rather used within the output - **Use cases**: Templates, images, icons, boilerplate code, fonts, sample documents that get copied or modified - **Benefits**: Separates output resources from documentation, enables Codex to use files without loading them into context +#### Secrets & Credentials + +**NEVER hardcode secrets automatically**—only if user explicitly requests it. Scripts must look up secrets dynamically: config → env → error. + +```bash +VALUE=$(jq -r '.skills.entries["skill-name"].apiKey // empty' ~/.clawdbot/clawdbot.json) +VALUE="${VALUE:-$SKILL_NAME_API_KEY}" +[[ -z "$VALUE" ]] && echo "Error: Set skills.entries.skill-name.apiKey in config or SKILL_NAME_API_KEY env var" && exit 1 +``` + #### What to Not Include in a Skill A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including: From 1e0181c7cd8531889135744fc885566e1f3095d2 Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Wed, 28 Jan 2026 12:06:49 -0800 Subject: [PATCH 2/2] fix(skills): distinguish native vs external tool credential storage --- skills/skill-creator/SKILL.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/skills/skill-creator/SKILL.md b/skills/skill-creator/SKILL.md index c72195e0f..f00764b08 100644 --- a/skills/skill-creator/SKILL.md +++ b/skills/skill-creator/SKILL.md @@ -100,14 +100,17 @@ Files not intended to be loaded into context, but rather used within the output #### Secrets & Credentials -**NEVER hardcode secrets automatically**—only if user explicitly requests it. Scripts must look up secrets dynamically: config → env → error. +**NEVER hardcode secrets automatically.** Look up secrets dynamically based on skill type: +**Clawdbot-native skills** (no external CLI): Use config → env → error: ```bash VALUE=$(jq -r '.skills.entries["skill-name"].apiKey // empty' ~/.clawdbot/clawdbot.json) VALUE="${VALUE:-$SKILL_NAME_API_KEY}" [[ -z "$VALUE" ]] && echo "Error: Set skills.entries.skill-name.apiKey in config or SKILL_NAME_API_KEY env var" && exit 1 ``` +**Skills wrapping external tools**: Source from `~/.config//` (XDG convention). If the tool works standalone without Clawdbot, its credentials belong outside Clawdbot's config. + #### What to Not Include in a Skill A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including:
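Review bot: In the first patch's bash snippet, the line `[[ -z "$VALUE" ]] && echo "Error: ..." && exit 1` exits with status 1 in the success case too: when the secret is present the `[[ -z ]]` test fails, so the whole `&&` list returns non-zero, which is the script's exit status if this is the last line and a trap for anyone running the snippet under `set -e` or sourcing it. The error text also goes to stdout, where a caller capturing output would swallow it. Suggest an explicit `if [[ -z "$VALUE" ]]; then echo "Error: ..." >&2; exit 1; fi`. Worth a one-line caveat as well that `jq` will print its own error to stderr when `~/.clawdbot/clawdbot.json` does not exist yet, which is expected on a fresh install before the env fallback kicks in.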
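Review bot: In the second patch's added line "Source from `~/.config//` (XDG convention)", the path has an empty component between the two slashes, so the tool-name placeholder appears to have been lost (likely an angle-bracket placeholder that rendered as nothing); it should name the placeholder explicitly, e.g. `~/.config/<tool>/`, and since the text cites the XDG convention it should say `${XDG_CONFIG_HOME:-$HOME/.config}/<tool>/` so the override variable is honoured. The same paragraph also drops the "→ error" step that the native-skill path keeps: it should state that a wrapper skill must fail clearly when the external tool's credentials are absent rather than fall through to the Clawdbot config, since the patch's whole point is that those credentials do not live there.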