Credential Handling Safety Reviewer is a skill that performs defensive review of scripts, runbooks, and configuration notes to identify risky practices around passwords, API tokens, keys, and other sensitive values. It works only with redacted or synthetic examples — it does not collect, validate, store, transmit, or request live credentials, recovery keys, or private customer data.
The skill checks for sensitive values embedded in scripts, tickets, documentation, or config snippets. It identifies variable and prompt patterns that could surface in shell history, process listings, log output, or temporary files. It also evaluates keychain and secret-store assumptions present in redacted examples, and provides token lifecycle notes that cover scope, ownership, expiration, rotation, and revocation planning. Guidance on support log cleanup is included, with attention to preserving troubleshooting value alongside reducing exposure.
Output from a review includes a hygiene verdict, redaction notes, safer handling patterns, a token lifecycle checklist, and peer-review remediation notes that a developer can act on directly. This makes the skill useful during code review, runbook authoring, or incident post-mortems where credential hygiene needs a structured pass. It is not a secrets scanner that runs against live systems or production vaults, and it does not validate or execute credentials in any environment.