Skill

secrets-management

Use this skill when the user asks to "manage secrets", "read a secret", "write a secret", "list secrets", "delete a secret", "create a KV engine", "enable secrets engine", or any task involving HashiCorp Vault secret storage.

npx claudepluginhub pzharyuk/ai-claude-plugins --plugin hashicorp-vault

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Use the `hashicorp-vault` MCP server tools to manage secrets for the user's Vault instance.

Supporting Assets

references/kv-engines.md

SKILL.md

Similar Skills

evm-token-decimals

173.8k

Prevents silent decimal mismatch bugs in EVM ERC-20 tokens via runtime decimals lookup, chain-aware caching, bridged-token handling, and normalization. For DeFi bots, dashboards using Python/Web3, TypeScript/ethers, Solidity.

everything-claude-code

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitMar 23, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Vault Secrets Management

Use the hashicorp-vault MCP server tools to manage secrets for the user's Vault instance.

Workflow

Listing secrets

If the user hasn't specified a mount, call vault_list_mounts to show available secrets engines.

Call vault_kv_list (for KV v2) or vault_kv1_list (for KV v1) with the mount and optional path.

Present the list of keys clearly.

Reading a secret

Determine whether the engine is KV v1 or v2 (check mounts if unsure).

For KV v2: call vault_kv_read with mount, path, and optional version.

For KV v1: call vault_kv1_read with mount and path.

Present the key-value pairs. Never log or echo secrets unnecessarily.

Writing a secret

Confirm the mount, path, and key-value data.

For KV v2: call vault_kv_write. Use cas for check-and-set if updating existing secrets.

For KV v1: call vault_kv1_write.

Confirm success and show the created/updated version.

Deleting a secret

Always show the secret path and ask for explicit confirmation.

For KV v2 soft delete: call vault_kv_delete (data can be recovered with vault_kv_undelete).

For permanent delete: call vault_kv_metadata_delete (destroys all versions).

For KV v1: call vault_kv1_delete (permanent).

Managing secrets engines

vault_list_mounts — see all mounted engines.

vault_enable_engine — mount a new engine (specify type and options like { version: "2" } for KV v2).

vault_disable_engine — unmount an engine (destroys all data; always confirm first).

vault_tune_engine — adjust TTLs and description.

Best Practices

Default to KV v2 for new engines (supports versioning, soft delete, metadata).

Use cas (check-and-set) when updating critical secrets to prevent overwrites.

Never display secret values unless the user explicitly asks to read them.

When creating a new KV engine, use: vault_enable_engine with type: "kv" and options: { version: "2" }.

Reference

See references/kv-engines.md for detailed KV v1 vs v2 differences.