moai-security-secrets
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
This Skill is documentation and sample code for secret management and rotation, referencing well-known tools (HashiCorp Vault, Sealed Secrets). I found no evidence of hidden exfiltration, obfuscated payloads, or instructions to send secrets to unknown third-party domains. The primary risks are supply-chain hygiene (download-and-execute patterns without checksum/GPG verification), incomplete sample code that could cause integrators to implement insecure message queue or notification backends, and operational risks (deletion of prior secret versions if rotation logic is misapplied). Overall the content appears legitimate and aligned with its stated purpose, but operators should: verify downloads (checksums/signatures), ensure message queue and alerting channels enforce ACLs and encryption, use least-privilege Vault tokens, and review the example wiring for undefined components before deploying.