secrets-management
Facilitates secure credential management in VS Code using the SecretStorage API, ensuring safe token storage and lifecycle management.
Security score
The secrets-management skill was audited on Mar 1, 2026 and we found 47 security issues across 4 threat categories, including 6 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 163 | `${SERVICE} API Key not configured. Set your API key to use ${FEATURE}.`, |
Template literal with variable interpolation in command context
| 227 | | Logging actual tokens | Use `console.log(\`Migrated \${name}\`)` without value | |
Template literal with variable interpolation in command context
| 312 | secrets.push(`${config.envVar}=${value}`); |
Template literal with variable interpolation in command context
| 333 | const section = `\n\n# Alex Secrets Export (auto-generated)\n${secrets.join('\n')}`; |
Template literal with variable interpolation in command context
| 337 | `Exported ${secrets.length} secret(s) to .env` |
Access to .env file
| 14 | - Detect secrets in .env files across workspace |
Access to .env file
| 25 | - User mentions ".env file" or "environment variables" with secret context |
Access to .env file
| 110 | ENV1[.env file] -->|alex.migrateEnvSecrets| SS1[SecretStorage] |
Access to .env file
| 113 | SS2[SecretStorage] -->|alex.exportSecretsToEnv| ENV2[.env file] |
Access to .env file
| 120 | | **Import** | `Alex: Migrate .env to Secrets` | Secure existing plaintext tokens | |
Access to .env file
| 121 | | **Export** | `Alex: Export Secrets to .env` | Enable external tool access | |
Access to .env file
| 128 | | **Copy** | `secretStorage.store(key, process.env.VAR)` | Non-destructive (env var remains) | |
Access to .env file
| 174 | vscode.env.openExternal(vscode.Uri.parse(GET_URL)); |
Access to .env file
| 233 | ### .env File Detection & Migration |
Access to .env file
| 235 | Alex can automatically detect secrets in `.env` files and offer secure migration: |
Access to .env file
| 239 | // Scan workspace for .env files (excludes .env.example, .env.template) |
Access to .env file
| 240 | const envFiles = await vscode.workspace.findFiles('**/.env*', '**/node_modules/**'); |
Access to .env file
| 254 | 1. **Scan**: Find all `.env` files in workspace |
Access to .env file
| 262 | - `Alex: Detect & Migrate .env Secrets` - Scan workspace for .env files |
Access to .env file
| 263 | - `Alex: Export Secrets to .env` - Write SecretStorage tokens to .env for external tool access |
Access to .env file
| 264 | - Quick action button in Welcome panel - "🔍 Detect .env Secrets" |
Access to .env file
| 268 | 🔍 Found 3 potential secret(s) in .env files: |
Access to .env file
| 282 | - ✅ Removes plaintext secrets from `.env` files |
Access to .env file
| 287 | ### Export Secrets to .env (External Tool Access) |
Access to .env file
| 293 | - External tools (Replicate CLI, OpenAI CLI) need env vars or .env |
Access to .env file
| 302 | const envPath = path.join(workspaceFolder.uri.fsPath, '.env'); |
Access to .env file
| 322 | // Read existing .env, replace Alex section |
Access to .env file
| 337 | `Exported ${secrets.length} secret(s) to .env` |
Access to .env file
| 344 | # Source the .env file in PowerShell |
Access to .env file
| 345 | if (Test-Path .env) { |
Access to .env file
| 346 | Get-Content .env | ForEach-Object { |
Access to .env file
| 357 | - ⚠️ Exported .env contains plaintext secrets — add to `.gitignore` |
Access to .env file
| 360 | - ✅ Non-destructive — preserves existing .env content |
Access to .env file
| 380 | - [ ] Command: "Detect & Migrate .env Secrets" |
Access to .env file
| 381 | - [ ] Command: "Export Secrets to .env" |
Access to .env file
| 383 | - [ ] Quick pick: Review detected .env secrets |
Access to .env file
| 402 | - [ ] Verify .env file detection and parsing |
Access to .env file
| 411 | - "Detect secrets in my .env files" |
Access to .env file
| 412 | - "Export my secrets to .env for script access" |
Access to .env file
| 417 | - "How do I update my code after migrating .env secrets?" |
Prompting for password/secret input
| 85 | | **Password input** | Set `password: true` on input boxes | |
Access to system keychain/keyring
| 49 | | **macOS** | Keychain | Keychain Services | |
Access to system keychain/keyring
| 50 | | **Linux** | Secret Service API (libsecret) | OS keyring (GNOME/KDE) | |
Access to system keychain/keyring
| 283 | - ✅ OS-level encryption (Credential Manager, Keychain, Secret Service) |
Access to system keychain/keyring
| 399 | - [ ] Test on macOS (Keychain) |
External URL reference
| 188 | getUrl: 'https://service.example.com/account/tokens', |
External URL reference
| 436 | - [VS Code SecretStorage API](https://code.visualstudio.com/api/references/vscode-api#SecretStorage) |
Install this skill with one command
/learn @fabioc-aloha/secrets-management