From hootsuite-pack
Applies Hootsuite security best practices for OAuth tokens, secrets storage, refresh logic, and access control checklists. Use when securing API keys or auditing configurations.
How this skill is triggered — by the user, by Claude, or both
Slash command
/hootsuite-pack:hootsuite-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
| Credential | Scope | Rotation |
| Credential | Scope | Rotation |
|---|---|---|
| Client ID | App-level | Never (app identifier) |
| Client Secret | App-level | Rotate if compromised |
| Access Token | User session | Auto-expires (~1 hour) |
| Refresh Token | User session | Rotate on each refresh |
# .env (never commit)
HOOTSUITE_CLIENT_ID=app_client_id
HOOTSUITE_CLIENT_SECRET=app_secret
HOOTSUITE_ACCESS_TOKEN=current_token
HOOTSUITE_REFRESH_TOKEN=refresh_token
// Always use HTTPS for token exchange
// Store refresh tokens encrypted at rest
// Rotate refresh tokens on each use (Hootsuite returns new ones)
async function secureRefresh(refreshToken: string) {
const res = await fetch('https://platform.hootsuite.com/oauth2/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': `Basic ${Buffer.from(`${process.env.HOOTSUITE_CLIENT_ID}:${process.env.HOOTSUITE_CLIENT_SECRET}`).toString('base64')}`,
},
body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken }),
});
const tokens = await res.json();
// Store new refresh_token, discard old one
return tokens;
}
HOOTSUITE_ credential leaksFor production, see hootsuite-prod-checklist.
7plugins reuse this skill
First indexed Jul 10, 2026
Showing the 6 earliest of 7 plugins
npx claudepluginhub ia23a-lachnita/claude-code-plugins-plus-fix-skills --plugin hootsuite-packApplies Hootsuite security best practices for OAuth tokens, secrets storage, refresh logic, and access control checklists. Use when securing API keys or auditing configurations.
Applies Intercom security best practices for token storage, webhook signature verification (HMAC-SHA1), identity verification (HMAC-SHA256), and least-privilege OAuth scopes.
Secures SalesLoft API integrations with OAuth token rotation, webhook signature verification, secret storage, and minimal scopes.