Skill

hootsuite-security-basics

Apply Hootsuite security best practices for secrets and access control. Use when securing API keys, implementing least privilege access, or auditing Hootsuite security configuration. Trigger with phrases like "hootsuite security", "hootsuite secrets", "secure hootsuite", "hootsuite API key security".

npx claudepluginhub flight505/skill-forge --plugin hootsuite-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteGrep

Preview

| Credential | Scope | Rotation |

SKILL.md

Similar Skills

cache-components

139.3k

Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.

cache-components

mcp-builder

124.2k

Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).

9 files

anthropics-skills-13

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitApr 30, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

hootsuite-security-basics

Hootsuite Security Basics

Credential Inventory

Credential

Scope

Rotation

Client ID

App-level

Never (app identifier)

Client Secret

App-level

Rotate if compromised

Access Token

User session

Auto-expires (~1 hour)

Refresh Token

User session

Rotate on each refresh

Instructions

Step 1: Secure Token Storage

# .env (never commit) HOOTSUITE_CLIENT_ID=app_client_id HOOTSUITE_CLIENT_SECRET=app_secret HOOTSUITE_ACCESS_TOKEN=current_token HOOTSUITE_REFRESH_TOKEN=refresh_token

Step 2: Token Refresh Security

// Always use HTTPS for token exchange // Store refresh tokens encrypted at rest // Rotate refresh tokens on each use (Hootsuite returns new ones) async function secureRefresh(refreshToken: string) { const res = await fetch('https://platform.hootsuite.com/oauth2/token', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': `Basic ${Buffer.from(`${process.env.HOOTSUITE_CLIENT_ID}:${process.env.HOOTSUITE_CLIENT_SECRET}`).toString('base64')}`, }, body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken }), }); const tokens = await res.json(); // Store new refresh_token, discard old one return tokens; }

Step 3: Security Checklist

Client secret in secrets vault, never in code

Access tokens never logged or exposed

Refresh tokens stored encrypted

HTTPS for all OAuth requests

Pre-commit hook blocks HOOTSUITE_ credential leaks

Separate OAuth apps for dev/staging/prod

Resources

Next Steps

For production, see hootsuite-prod-checklist.