Secrets Management Agent Skill
Secrets management — .env safety, platform env vars, secret rotation, CI leak scanning.
The Skill
---
description: Secrets management — .env safety, platform env vars, secret rotation, CI leak scanning.
homepage: https://yepapi.com/skills/secrets-management
metadata:
tags: [security, secrets, env, configuration]
---
# Secrets Management
## Rules
- Never commit `.env` files — add to `.gitignore` before first commit
- Use platform env vars (Vercel, Railway, Fly.io) for production secrets — never hardcode
- Use Infisical, Doppler, or AWS Secrets Manager for team secret sharing — never Slack/email
- Prefix client-exposed vars with `NEXT_PUBLIC_` or `VITE_` only when intentionally public
- Rotate secrets immediately when exposed — revoke the old key, deploy the new one
- Scan for leaked secrets in CI with `gitleaks` or `trufflehog` before every merge
- Create `.env.example` with dummy values so devs know which vars are needed
```gitignore
# .gitignore — always include these
.env
.env.local
.env.production
.env*.local
*.pem
*.key
# none of the patterns above match .env.example, which holds placeholders only and stays committed
```
```yaml
# GitHub Actions — scan for leaked secrets
# Check out the full history (fetch-depth: 0) so every commit is scanned,
# not just the shallow HEAD that the default checkout produces
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
- name: Scan for secrets
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
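What the CI scanning step is looking for, as an added example that is not part of the skill file and not gitleaks' own code: a minimal line scanner with a few vendor-prefix patterns and a Shannon-entropy check for generic `secret = "..."` assignments. The patterns, the 3.5-bit threshold, and the sample source lines (fabricated, shaped like real keys but not real) are this example's assumptions; real scanners ship hundreds of tuned rules.

```typescript
// Added example (not from the skill file or from gitleaks): a minimal leak
// scanner of the kind a CI secret-scanning step runs over every commit.
// Patterns and threshold below are illustrative assumptions.

export type Finding = { line: number; rule: string; match: string };

// Vendor-specific formats. Anchoring on the vendor prefix keeps false
// positives low; lengths are assumed here, check them against vendor docs.
const PATTERNS: { rule: string; re: RegExp }[] = [
  { rule: "stripe-live-key", re: /\bsk_live_[0-9a-zA-Z]{24,}\b/ },
  { rule: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: "github-pat", re: /\bghp_[0-9A-Za-z]{36}\b/ },
  { rule: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Generic catch-all: a quoted value assigned to a secret-looking identifier.
// Entropy decides whether it is a random key or a harmless placeholder.
const GENERIC_ASSIGN =
  /\b\w*(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{16,})["']/i;

// Shannon entropy in bits per character; random API keys score high,
// placeholders like "changeme" score low.
export function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) {
    const ch = s.charAt(i);
    counts[ch] = (counts[ch] || 0) + 1;
  }
  let h = 0;
  for (const ch of Object.keys(counts)) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// Scan every line, including comments: a commented-out key is still a leak.
export function scanLines(lines: string[], entropyThreshold = 3.5): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    for (const { rule, re } of PATTERNS) {
      const m = re.exec(text);
      if (m) findings.push({ line: i + 1, rule, match: m[0] });
    }
    const g = GENERIC_ASSIGN.exec(text);
    if (g && shannonEntropy(g[1]) >= entropyThreshold) {
      findings.push({ line: i + 1, rule: "generic-high-entropy", match: g[1] });
    }
  });
  return findings;
}

// Constructed sample input: the values are fabricated for this example and
// only follow the vendor formats in shape. Line 4 is a low-entropy
// placeholder and must not be flagged.
export const SAMPLE_SOURCE: string[] = [
  'const stripe = new Stripe("sk_live_EXAMPLEEXAMPLEEXAMPLE1234");',
  'aws_access_key_id = AKIAEXAMPLEKEYID0000',
  'API_KEY = "Zq8vL2pX9mN4rT7wK1yB3hJ6"',
  'JWT_SECRET="changeme_changeme_changeme"',
  'const dbUrl = process.env.DATABASE_URL;',
];

export function runSample(): Finding[] {
  return scanLines(SAMPLE_SOURCE);
}
```

Running `runSample()` reports three findings (lines 1, 2 and 3) and leaves the `changeme` placeholder alone; lowering the threshold to 2.5 would flag it too, which is the usual tuning trade-off in such scanners.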
```ts
// Validate required env vars at startup — fail fast
const requiredEnvVars = ["DATABASE_URL", "JWT_SECRET", "STRIPE_SECRET_KEY"];
for (const key of requiredEnvVars) {
  if (!process.env[key]) throw new Error(`Missing required env var: ${key}`);
}
```
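An added example, not part of the skill file, that extends the fail-fast check above: besides presence, it validates the shape of each value, collects every problem in one error instead of crashing once per variable, and refuses any secret that would be bundled into browser JavaScript under a `NEXT_PUBLIC_` or `VITE_` name. The variable names, the per-variable rules, and the `validateEnv`/`loadEnv` helpers are this example's assumptions.

```typescript
// Added example, not part of the skill file: a typed env loader that fails
// fast at startup. It takes the environment as a plain object so it can be
// exercised without touching process.env. The variable names and the
// per-variable rules below are this example's assumptions.

type EnvSource = Record<string, string | undefined>;

type Rule = {
  name: string;
  secret: boolean;                            // must never reach client JS
  check?: (value: string) => string | null;   // error message, or null if OK
};

// Bundlers inline anything with these prefixes into browser code.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_"];

const isUrl = (v: string): string | null => {
  try { new URL(v); return null; } catch { return "must be a valid URL"; }
};
const minLength = (n: number) => (v: string): string | null =>
  v.length >= n ? null : "must be at least " + n + " characters";
const hasPrefix = (p: string) => (v: string): string | null =>
  v.indexOf(p) === 0 ? null : "must start with \"" + p + "\"";

// Assumed schema for this app; replace with your own variables.
export const ENV_RULES: Rule[] = [
  { name: "DATABASE_URL", secret: true, check: isUrl },
  { name: "JWT_SECRET", secret: true, check: minLength(32) },
  { name: "STRIPE_SECRET_KEY", secret: true, check: hasPrefix("sk_") },
  { name: "NEXT_PUBLIC_APP_URL", secret: false, check: isUrl },
];

// Returns every problem found rather than the first, so a broken deploy
// shows all missing vars in one crash instead of one per restart.
export function validateEnv(env: EnvSource, rules: Rule[] = ENV_RULES): string[] {
  const errors: string[] = [];
  for (const rule of rules) {
    const value = env[rule.name];
    if (value === undefined || value.trim() === "") {
      errors.push("Missing required env var: " + rule.name);
      continue;
    }
    if (rule.secret && PUBLIC_PREFIXES.some((p) => rule.name.indexOf(p) === 0)) {
      errors.push(rule.name + " is marked secret but uses a client-exposed prefix");
    }
    const problem = rule.check ? rule.check(value) : null;
    if (problem) errors.push(rule.name + " " + problem);
  }
  // Catch secrets exposed by naming alone, e.g. NEXT_PUBLIC_STRIPE_SECRET_KEY,
  // even when no rule mentions them.
  for (const name of Object.keys(env)) {
    const exposed = PUBLIC_PREFIXES.some((p) => name.indexOf(p) === 0);
    if (exposed && /SECRET|PRIVATE|PASSWORD|TOKEN/i.test(name)) {
      errors.push(name + " looks like a secret but is exposed to the client");
    }
  }
  return errors;
}

// Call once at process start, before anything reads configuration.
export function loadEnv(env: EnvSource = process.env): void {
  const errors = validateEnv(env);
  if (errors.length > 0) {
    throw new Error("Invalid environment:\n  " + errors.join("\n  "));
  }
}
```

Call `loadEnv()` as the first statement of the entry point. The second loop is deliberately name-based: a developer who adds `NEXT_PUBLIC_STRIPE_SECRET_KEY` to the platform env vars has leaked the key to every visitor, and no schema entry is needed to catch that.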
## Avoid
- Committing `.env` to git — even a single commit means the secret is in history forever
- Hardcoding API keys in source code: `const key = "sk_live_..."` — bots scrape GitHub for these
- Putting server secrets in `NEXT_PUBLIC_` vars — they are bundled into client JavaScript
- Sharing secrets over Slack, email, or Notion — use a secrets manager
- Deploying without validating required env vars — silent failures are worse than crashes
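The rotation rule in the list above ("revoke the old key, deploy the new one") is only painless if the service can accept both keys for a short window. The following is an added example, not code from the skill file, showing that pattern for an HMAC signing secret: sign only with the current secret, verify against the current and then the previous one, and drop the previous one once old tokens have expired. The env var names `JWT_SECRET` and `JWT_SECRET_PREVIOUS`, the token format, and the helper names are this example's assumptions.

```typescript
// Added example (not from the skill file): zero-downtime rotation of a
// signing secret. During the rotation window the service verifies with both
// the current and the previous secret but signs only with the current one,
// so tokens issued before the rotation keep working until they expire, and
// the old secret can then be revoked. Env var names are assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

export type SigningKeys = { current: string; previous?: string };

// Read the rotation pair from the environment; JWT_SECRET_PREVIOUS is
// optional and is removed once the window closes.
export function keysFromEnv(env: Record<string, string | undefined>): SigningKeys {
  const current = env.JWT_SECRET;
  if (!current) throw new Error("Missing required env var: JWT_SECRET");
  return { current, previous: env.JWT_SECRET_PREVIOUS || undefined };
}

function hmac(secret: string, payload: string): Buffer {
  return createHmac("sha256", secret).update(payload).digest();
}

// Always sign with the current secret so newly issued tokens survive the
// removal of the previous one.
export function sign(keys: SigningKeys, payload: string): string {
  const body = Buffer.from(payload).toString("base64url");
  const mac = hmac(keys.current, payload).toString("base64url");
  return body + "." + mac;
}

// Verify against the current secret first, then the previous one. The
// constant-time comparison avoids leaking which byte of the MAC mismatched.
export function verify(keys: SigningKeys, token: string): string | null {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return null;
  const payload = Buffer.from(token.slice(0, dot), "base64url").toString();
  const mac = Buffer.from(token.slice(dot + 1), "base64url");
  const candidates = keys.previous ? [keys.current, keys.previous] : [keys.current];
  for (const secret of candidates) {
    const expected = hmac(secret, payload);
    if (expected.length === mac.length && timingSafeEqual(expected, mac)) return payload;
  }
  return null;
}
```

Rotation then has three deploys: set `JWT_SECRET` to the new value and `JWT_SECRET_PREVIOUS` to the old one; wait at least one token lifetime; remove `JWT_SECRET_PREVIOUS` and revoke the old value wherever it was issued. If the secret was actually exposed rather than rotated on schedule, skip the window and accept the forced logouts.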
Why Use the Secrets Management Skill?
Without this skill, your AI guesses at secrets management patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Secrets Management skill installed. Your AI knows the context and writes code that fits.
"Set up a secure .env configuration with validation and .env.example for the team"
"Add gitleaks secret scanning to my GitHub Actions CI pipeline"
"Create a startup script that validates all required environment variables are set"
Secrets Management skill — FAQ
It provides rules for .env file safety, platform environment variables, secret rotation workflows, and CI leak scanning with gitleaks. Your AI never hardcodes secrets and follows secure configuration patterns.
Run `npx skills add YepAPI/skills --skill secrets-management` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Use a secrets manager like Infisical, Doppler, or AWS Secrets Manager. Never share secrets over Slack, email, or Notion. The skill includes patterns for team secret sharing and CI/CD integration.