Credential Handling Safety Reviewer

Review scripts and docs for safer handling of passwords, tokens, keys, and sensitive values.

Install
cmdop skills install agensi-credential-handling-safety-reviewer

Credential Handling Safety Reviewer is a skill that performs defensive review of scripts, runbooks, and configuration notes to identify risky practices around passwords, API tokens, keys, and other sensitive values. It works only with redacted or synthetic examples — it does not collect, validate, store, transmit, or request live credentials, recovery keys, or private customer data.

The skill checks for sensitive values embedded in scripts, tickets, documentation, or config snippets. It identifies variable and prompt patterns that could surface in shell history, process listings, log output, or temporary files. It also evaluates keychain and secret-store assumptions present in redacted examples, and provides token lifecycle notes that cover scope, ownership, expiration, rotation, and revocation planning. Guidance on support log cleanup is included, with attention to preserving troubleshooting value alongside reducing exposure.

Output from a review includes a hygiene verdict, redaction notes, safer handling patterns, a token lifecycle checklist, and peer-review remediation notes that a developer can act on directly. This makes the skill useful during code review, runbook authoring, or incident post-mortems where credential hygiene needs a structured pass. It is not a secrets scanner that runs against live systems or production vaults, and it does not validate or execute credentials in any environment.

Use cases

  • Review a deployment script before merge to check whether credentials are passed unsafely via environment variables or command-line flags
  • Audit a runbook for patterns that may expose tokens in shell history or process listings
  • Check configuration snippets in internal docs for hardcoded sensitive values
  • Generate a token lifecycle checklist covering scope, expiration, rotation, and revocation for a new API integration
  • Produce peer-review remediation notes for a pull request that touches secret handling
  • Get support log cleanup guidance that removes sensitive values while keeping diagnostic information

When to use it

  • When reviewing scripts, runbooks, or docs that handle passwords, tokens, or keys using redacted or synthetic examples
  • During code review or runbook authoring to catch credential hygiene issues before deployment
  • When preparing post-incident reports that reference credential handling steps
  • When onboarding a new integration and needing a structured token lifecycle checklist

When not to use it

  • When live credentials need to be validated, rotated, or stored — this skill does not interact with live secrets
  • When a production secrets vault or secrets manager needs direct integration or scanning
  • When automated static analysis of a full codebase at CI pipeline scale is required
  • When the input contains real passwords, tokens, or private tenant data — redacted or synthetic examples are required