From github-it-admin
Run the OSEC1 parity verifier (npm run verify:secrets) plus a drift report by secret age. Use to confirm gh-org/repo/local plane parity and identify secrets stale enough to warrant rotation under the OSEC2 quarterly policy.
npx claudepluginhub subagentceo/knowledge-engineering --plugin github-it-admin

How this skill is triggered — by the user, by Claude, or both

Slash command

/github-it-admin:secret-audit

The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- After every rotation (sanity check).
monitors/monitors.json secret-age-watch).

bash "${CLAUDE_PLUGIN_ROOT}/skills/secret-audit/scripts/audit.sh"
Steps:
- Run npm run verify:secrets from the project root. Exits non-zero on parity violations.
- Run gh secret list --json name,updatedAt for both org and repo.
- Compute each secret's age in days from updatedAt and flag those at or above ${user_config.secret_max_age_days} (default 90).

This skill is READ-ONLY. CREATE/UPDATE/DELETE are out of scope — use the vendor-specific skills (macos-it-admin/skills/*) or claude-oauth-rotate for those.
- If npm run verify:secrets is not available (OSEC1 not merged), abort with a clear message — don't fake "parity OK".
- If gh secret list returns empty for org, distinguish "no scope access" from "no secrets exist".

| ID | Outcome | Verified by |
|---|---|---|
| OIT2-aud-1 | Wraps npm run verify:secrets (OSEC1 verifier) | conformance test greps script body |
| OIT2-aud-2 | Computes age in days from updatedAt and flags >= secret_max_age_days | same test |
| OIT2-aud-3 | Skill is read-only | SKILL.md has no gh secret set or wrangler secrets-store secret create reference |
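
The age check in OIT2-aud-2 and the empty-org edge case, as an added JavaScript example that is not the plugin's own audit.sh. The capture shape (`exitCode`, `stdout`), the function names and the sample secret names are assumptions, as is treating a non-zero exit from `gh secret list` as "no scope access".

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Classify one plane (org or repo) from a captured
// `gh secret list --json name,updatedAt` call (hypothetical capture shape).
function auditPlane(plane, result, now, maxAgeDays = 90) {
  if (result.exitCode !== 0) {
    // Assumption: a failed call means the token could not read this plane.
    return { plane, status: "no-access", secrets: [] };
  }
  const listed = JSON.parse(result.stdout);
  if (listed.length === 0) {
    // The call succeeded and the plane really holds no secrets.
    return { plane, status: "no-secrets", secrets: [] };
  }
  const secrets = listed.map(({ name, updatedAt }) => {
    const ageDays = Math.floor((now - Date.parse(updatedAt)) / DAY_MS);
    return { name, ageDays, stale: ageDays >= maxAgeDays };
  });
  // Oldest first, so rotation candidates lead the report.
  secrets.sort((a, b) => b.ageDays - a.ageDays);
  return { plane, status: "ok", secrets };
}

// Names of every secret at or above the age threshold, as plane/name.
function staleNames(report) {
  return report.flatMap((p) =>
    p.secrets.filter((s) => s.stale).map((s) => `${p.plane}/${s.name}`));
}

// Constructed sample data, not real `gh` output.
const NOW = Date.parse("2025-06-30T00:00:00Z");
const SAMPLE = {
  org: { exitCode: 1, stdout: "" },
  repo: { exitCode: 0, stdout: JSON.stringify([
    { name: "EXAMPLE_DEPLOY_TOKEN", updatedAt: "2025-06-01T00:00:00Z" },
    { name: "EXAMPLE_API_KEY", updatedAt: "2025-04-01T00:00:00Z" },
    { name: "EXAMPLE_SIGNING_KEY", updatedAt: "2025-01-15T12:00:00Z" },
  ]) },
};

const report = Object.entries(SAMPLE).map(([plane, r]) => auditPlane(plane, r, NOW));
for (const p of report) {
  console.log(`${p.plane}: ${p.status}`);
  for (const s of p.secrets) {
    console.log(`  ${s.name} ${s.ageDays}d${s.stale ? " STALE" : ""}`);
  }
}
```
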
@cite scripts/verify-secrets-parity.ts (OSEC1)
@cite docs/data/secrets-parity.json
@cite docs/operator-runbooks/secret-rotation.md