secret-hygiene
Official
Securely store secrets and replace with refs.
System Documentation
What problem does it solve?
Only the encrypted SQLite-backed secret store and related runtime records count as durable secret knowledge. Workspace notes or copied values do not count as durable knowledge by themselves.
Use this skill whenever a raw secret appears in active CTOX context.
This skill does not decide by kernel heuristic that some string is a secret. The skill makes that judgment from context, then uses explicit kernel primitives to protect the value.
Core Rules
- Do not leave raw secrets in ordinary follow-up messages, ticket notes, or knowledge entries.
- Store the value in the encrypted CTOX secret store.
- Rewrite conversation memory to a stable reference handle when the raw literal already entered LCM/continuity.
- Keep the replacement handle human-readable enough for operators to understand what happened.
Primary Command
Prefer the one-step intake path:
ctox secret intake --scope "<scope>" --name "<name>" --value "<secret>" --description "<text>" --metadata-json '<json>' --db "<path-to-ctox.sqlite3>" --conversation-id "<id>" --match-text "<secret>" [--label "<human label>"]
This stores the secret in the encrypted SQLite secret store and rewrites the specified conversation memory to [secret-ref:<scope>/<name>].
Fallback Commands
If the secret is already stored, rewrite memory only:
ctox secret memory-rewrite --db "<path-to-ctox.sqlite3>" --conversation-id "<id>" --scope "<scope>" --name "<name>" --match-text "<secret>" [--label "<human label>"]
If the secret was supplied outside the current conversation and no rewrite is needed:
ctox secret put --scope "<scope>" --name "<name>" --value "<secret>" --description "<text>" --metadata-json '<json>'
Operating Pattern
- Decide whether the pasted value is actually a secret that needs protection.
- Choose a stable scope and name.
- Store it through ctox secret intake when the current conversation already contains the literal.
- Confirm that future work refers only to the secret handle.
- Use ctox secret get only for bounded local execution steps that truly require the raw value.
Boundaries
- Do not invent fake secret rotations or claim revocation if none happened.
- Do not silently rewrite unrelated text.
- Do not expose the raw secret again after the rewrite step.
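A model of the rewrite-then-confirm steps above, added here as an example and not CTOX's own code: it replaces only exact occurrences of the match text with the handle, then reports copies that remain. The identifier charset, the 8-character floor and the encoded-copy audit are assumptions that go beyond what the page describes.

```python
import base64
import re
from urllib.parse import quote

# Assumption: scope and name use a conservative charset; the page fixes only
# the outer handle format [secret-ref:<scope>/<name>].
PART_RE = re.compile(r"[A-Za-z0-9._-]+")

def make_handle(scope, name):
    if not (PART_RE.fullmatch(scope) and PART_RE.fullmatch(name)):
        raise ValueError("scope and name must be plain identifiers")
    return f"[secret-ref:{scope}/{name}]"

def rewrite_memory(messages, match_text, scope, name):
    """Replace exact occurrences of match_text; return (new_messages, count)."""
    if len(match_text) < 8:  # assumed floor: short literals collide with unrelated text
        raise ValueError("match text too short to rewrite safely")
    handle = make_handle(scope, name)
    count = sum(m.count(match_text) for m in messages)
    return [m.replace(match_text, handle) for m in messages], count

def residual_exposures(messages, match_text):
    """List (index, form) where the literal or a whole-value encoding remains.
    Report only: encoded copies get an operator decision, not a silent rewrite."""
    raw = match_text.encode()
    needles = {}
    for form, needle in [("raw", match_text), ("url", quote(match_text, safe="")),
                         ("base64", base64.b64encode(raw).decode()), ("hex", raw.hex())]:
        needles.setdefault(needle, form)  # identical encodings are reported once
    return [(i, form) for i, m in enumerate(messages)
            for needle, form in needles.items() if needle in m]

# Constructed sample data: the token and messages are made up for this example.
SECRET = "CONSTRUCTED-demo-token-0001"
MESSAGES = [
    f"Deploy token for staging is {SECRET}, please use it.",
    f"Retry with header X-Token: {SECRET}",
    "Unrelated note: demo tokens expire nightly.",
    "Encoded copy: " + base64.b64encode(SECRET.encode()).decode(),
]

if __name__ == "__main__":
    rewritten, count = rewrite_memory(MESSAGES, SECRET, "staging", "deploy-token")
    print(count, "replacements")
    for hit in residual_exposures(rewritten, SECRET):
        print("residual exposure:", hit)
```

The audit prints only the message index and the form of the leftover copy, never the value itself.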
Quick Start
Store the detected secret in the encrypted secret store using the intake flow and replace the memory with a stable secret handle.
Dependency Matrix
Required Modules
None required
Components
Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: secret-hygiene Download link: https://github.com/metric-space-ai/ctox/archive/main.zip#secret-hygiene Please download this .zip file, extract it, and install it in the .claude/skills/ directory.