feat(skills): add secret-guard skill and core instruction #56
Open
neneaX wants to merge 1 commit into
Add a secret-guard skill that lets agents authenticate to APIs and MCP servers without ever seeing secret values. The agent passes credential references (names); a trusted non-LLM broker resolves them from the OS keyring, injects them into the request, scrubs the response, and returns only scrubbed output.

- skills/secret-guard/: SKILL.md + keyring_broker.py (resolve-and-inject primary mechanism, discouraged env-injecting exec fallback), registered under the copilot-toolkit collection.
- assets/instructions/common/secret-guard.instructions.md: always-on core instruction enforcing authenticate-by-reference and no reading of secret files.
- README: document optional skill scripts/ and references/ subfolders.
- .gitignore: ignore .venv/ created by the markdown linter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Adds a secret-guard skill that lets agents authenticate to APIs and MCP servers without ever seeing secret values. The agent passes credential references (names); a trusted non-LLM broker resolves them from the OS keyring, injects them into the request, scrubs the response, and returns only scrubbed output.
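The resolve → inject → scrub flow described above, as an added illustration that is not the PR's keyring_broker.py: the agent only ever names a credential, a trusted function resolves it from a constructed in-memory stand-in for the OS keyring (a real broker would call the keyring library), fills in the request, sends it, and redacts the value and its common encodings from whatever comes back. The fake transport, service name and token value are all constructed for the example.

```python
import base64
import re
from typing import Callable, Dict

# Constructed stand-in for the OS keyring. A real broker would call
# keyring.get_password(service, name); the agent never sees this table.
FAKE_KEYRING: Dict[str, str] = {"GITHUB_TOKEN": "ghp_constructedExampleSecret0123"}

def resolve(ref: str) -> str:
    """Trusted side only: turn a credential *reference* into its value."""
    if not re.fullmatch(r"[A-Z0-9_]{1,64}", ref):
        raise ValueError(f"invalid credential reference {ref!r}")
    try:
        return FAKE_KEYRING[ref]
    except KeyError:
        raise LookupError(f"no credential stored under {ref!r}") from None

def inject(request: Dict, secret: str) -> Dict:
    """Return a copy of the request with the bearer token filled in."""
    headers = dict(request.get("headers", {}))
    headers["Authorization"] = f"Bearer {secret}"
    return {**request, "headers": headers}

def scrub(text: str, secret: str) -> str:
    """Defence in depth: redact the literal value and its common encodings.
    The real guarantee is architectural (the agent never held the value);
    this only catches a server that echoes the credential back."""
    forms = {secret, base64.b64encode(secret.encode()).decode(), secret.encode().hex()}
    for form in sorted(forms, key=len, reverse=True):
        text = text.replace(form, "[REDACTED]")
    return text

def broker_call(ref: str, request: Dict, send: Callable[[Dict], str]) -> str:
    """The only entry point the agent gets: a name in, scrubbed output out."""
    secret = resolve(ref)
    response = send(inject(request, secret))
    return scrub(response, secret)

# Constructed fake transport that misbehaves by echoing the auth header,
# so the scrub step has something to catch. A real broker would use an HTTP client here.
def leaky_send(request: Dict) -> str:
    token = request["headers"]["Authorization"].split(" ", 1)[1]
    return f'{{"login": "octocat", "debug_auth": "{token}"}}'

if __name__ == "__main__":
    print(broker_call("GITHUB_TOKEN", {"url": "https://api.example.test/user"}, leaky_send))
```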
What's included
- skills/secret-guard/ (registered under the copilot-toolkit collection)
  - SKILL.md — teaches the reference-only model: never possess a secret value, only pass names.
  - scripts/keyring_broker.py — implements two mechanisms: a resolve-and-inject primary mechanism and a discouraged env-injecting exec fallback.
- assets/instructions/common/secret-guard.instructions.md (core, applyTo: '**') — always-on baseline: authenticate by reference, never read secret files, redact values, sanitize subprocess envs.
- README — documents the scripts/ and references/ skill subfolders (previously undocumented despite being used by several skills).
- .gitignore — ignore .venv/ created by make lint-md.
Rationale
The naive approach (read .env, then redact) is self-defeating — you must possess a secret to redact it, and regex redaction is trivially bypassed by encoding. This design instead makes it architecturally impossible for the secret to enter the model's context: a trusted layer does resolve → inject → scrub.
Validation
- ./scripts/validate_collections.sh . ✅
- ./tests/test_validate.sh ✅
- ./tests/test_install.sh ✅
- make lint-md on new/changed markdown ✅
Notes