npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin gamma-packWant just this skill?
Then install: npx claudepluginhub u/[userId]/[slug]
Implement security best practices for Gamma integration. Use when securing API keys, implementing access controls, or auditing Gamma security configuration. Trigger with phrases like "gamma security", "gamma API key security", "gamma secure", "gamma credentials", "gamma access control".
This skill is limited to using the following tools:
Gamma Security Basics
Overview
Security best practices for Gamma API integration to protect credentials and data.
Prerequisites
- Active Gamma integration
- Environment variable support
- Understanding of secret management
Instructions
Step 1: Secure API Key Storage
// NEVER do this
const gamma = new GammaClient({
apiKey: 'gamma_live_abc123...', // Hardcoded - BAD!
});
// DO this instead
const gamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY,
});
Environment Setup:
# .env (add to .gitignore!)
GAMMA_API_KEY=gamma_live_abc123...
# Load in application
import 'dotenv/config';
Step 2: Key Rotation Strategy
// Support multiple keys for rotation
const gamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY_PRIMARY
|| process.env.GAMMA_API_KEY_SECONDARY,
});
// Rotation script
async function rotateApiKey() {
// 1. Generate new key in Gamma dashboard
// 2. Update GAMMA_API_KEY_SECONDARY
// 3. Deploy and verify
// 4. Swap PRIMARY and SECONDARY
// 5. Revoke old key
}
Step 3: Request Signing (if supported)
import crypto from 'crypto';
function signRequest(payload: object, secret: string): string {
const timestamp = Date.now().toString();
const message = timestamp + JSON.stringify(payload);
return crypto
.createHmac('sha256', secret)
.update(message)
.digest('hex');
}
// Usage with webhook verification
function verifyWebhook(body: string, signature: string, secret: string): boolean {
const expected = crypto
.createHmac('sha256', secret)
.update(body)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
Step 4: Access Control Patterns
// Scoped API keys (if supported)
const readOnlyGamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY_READONLY,
scopes: ['presentations:read', 'exports:read'],
});
const fullAccessGamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY_FULL,
});
// Permission check before operations
async function createPresentation(user: User, data: object) {
if (!user.permissions.includes('gamma:create')) {
throw new Error('Insufficient permissions');
}
return fullAccessGamma.presentations.create(data);
}
Step 5: Audit Logging
import { GammaClient } from '@gamma/sdk';
function createAuditedClient(userId: string) {
return new GammaClient({
apiKey: process.env.GAMMA_API_KEY,
interceptors: {
request: (config) => {
console.log(JSON.stringify({
timestamp: new Date().toISOString(),
userId,
action: `${config.method} ${config.path}`,
type: 'gamma_api_request',
}));
return config;
},
},
});
}
Security Checklist
- API keys stored in environment variables
- .env files in .gitignore
- No keys in source code or logs
- Key rotation procedure documented
- Minimal permission scopes used
- Audit logging enabled
- Webhook signatures verified
- HTTPS enforced for all calls
Error Handling
| Security Issue | Detection | Remediation |
|---|---|---|
| Exposed key | GitHub scanning | Rotate immediately |
| Key in logs | Log audit | Filter sensitive data |
| Unauthorized access | Audit logs | Revoke and investigate |
| Weak permissions | Access review | Apply least privilege |
Resources
Next Steps
Proceed to gamma-prod-checklist for production readiness.
Output
- Configuration files or code changes applied to the project
- Validation report confirming correct implementation
- Summary of changes made and their rationale
Examples
Basic usage: Apply gamma security basics to a standard project setup with default configuration options.
Advanced scenario: Customize gamma security basics for production environments with multiple constraints and team-specific requirements.
Similar Skills
Expert guidance for Next.js Cache Components and Partial Prerendering (PPR). **PROACTIVE ACTIVATION**: Use this skill automatically when working in Next.js projects that have `cacheComponents: true` in their next.config.ts/next.config.js. When this config is detected, proactively apply Cache Components patterns and best practices to all React Server Component implementations. **DETECTION**: At the start of a session in a Next.js project, check for `cacheComponents: true` in next.config. If enabled, this skill's patterns should guide all component authoring, data fetching, and caching decisions. **USE CASES**: Implementing 'use cache' directive, configuring cache lifetimes with cacheLife(), tagging cached data with cacheTag(), invalidating caches with updateTag()/revalidateTag(), optimizing static vs dynamic content boundaries, debugging cache issues, and reviewing Cache Component implementations.
Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand colors or style guidelines, visual formatting, or company design standards apply.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.