# Mac Keychain

Skill id: `mac-keychain`. Use this skill to operate on macOS Keychain generic password items.
## Scope

- Support `exists`, `read-meta`, `set`, `update`, `read-secret`, `reveal-secret`, and `delete`.
- Operate on generic password items only.
- Stop if the request involves certificates, identities, private keys, or broad keychain administration.
## Runtime

- Require macOS, `/usr/bin/security`, and `/bin/zsh`.
- Use the bundled scripts for deterministic behavior.
- Stop and explain the missing runtime dependency if the scripts cannot run as shipped.
## Operating Rules

- Resolve the target with `service` + `account` before any write, delete, or secret read.
- Default to the current user's `login` keychain.
- Pass `--keychain` only when the target is not the default login keychain.
- Keep caller attribution, approval prompts, and workflow policy in the caller. Do not model them inside this skill.
- Keep the script interface narrow. Do not pass legacy caller-attribution or purpose flags.
- Keep this skill thin. It should expose local Keychain operations, not orchestrate a larger secret-management workflow.
## Safety Model

- Do not guess a missing `service` or `account` for `set`, `update`, `read-secret`, `reveal-secret`, or `delete`.
- Do not echo the incoming secret in `set` or `update`.
- Use `read-secret` for downstream machine use after the caller has already decided that retrieval is allowed.
- Use `reveal-secret` only when the user explicitly wants plaintext in visible output. Require `--confirmed`.
- Use `delete` only with a clear target. Require `--confirmed`.
## Scripts

All scripts accept `--service` and `--account`. Use `--keychain` only for a non-default keychain.

- `scripts/keychain-exists.sh`: return whether an item exists.
- `scripts/keychain-read-meta.sh`: return safe metadata only.
- `scripts/keychain-set.sh`: create a new item and fail if it already exists.
- `scripts/keychain-update.sh`: update an existing item and fail if it does not exist.
- `scripts/keychain-read-secret.sh`: return a plaintext secret for downstream use. Use `--value-only` to emit only the secret.
- `scripts/keychain-reveal-secret.sh`: return a plaintext secret for visible output. Require `--confirmed`.
- `scripts/keychain-delete.sh`: delete an item. Require `--confirmed`.
## Output

- Expect structured JSON on stdout for success and on stderr for failures, except for `scripts/keychain-read-secret.sh --value-only`, which emits only the raw secret.
- Treat `read-secret` output as sensitive even when the caller does not print it.
- Keep normal user-facing status non-disclosing unless the requested action is `reveal-secret`.
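The following is an added example, not the skill's bundled scripts (the page does not show their contents). It is a small POSIX-shell wrapper over `/usr/bin/security` that implements the operation set, the `--confirmed` gating, the "safe metadata only" parser for `read-meta`, and the JSON-on-stdout / JSON-on-stderr output contract described above. Assumptions that are not from the page: `security` exits 44 when an item is not found (errSecItemNotFound) and 45 when an item already exists (errSecDuplicateItem); a non-default keychain is passed as a trailing positional path; the secret for `set`/`update` is read from stdin; `--value-only` behaviour is the default for `read-secret`. The `kc_run` and `kc_parse_meta` names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not the skill's bundled scripts: a POSIX-shell wrapper over /usr/bin/security
# for the generic-password operations listed above.
# Assumed, not from the page: `security` exits 44 when an item is not found (errSecItemNotFound)
# and 45 when an item already exists (errSecDuplicateItem).

json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }
json_err()    { printf '{"ok":false,"error":"%s"}\n' "$(json_escape "$1")" >&2; }

# kc_parse_meta: read `security find-generic-password` attribute output (no -g) from stdin and
# emit one JSON line of safe metadata. Refuses input that carries a "password:" line (-g form).
kc_parse_meta() {
  awk '
    function jesc(v,  o, i, c) {                       # escape \ and " for JSON
      o = ""
      for (i = 1; i <= length(v); i++) { c = substr(v, i, 1); if (c == "\"" || c == "\\") o = o "\\"; o = o c }
      return o
    }
    function unq(v) { if (v == "<NULL>") return ""; sub(/^"/, "", v); sub(/"$/, "", v); return jesc(v) }
    function rhs(s) { return unq(substr(s, index(s, "=") + 1)) }
    function stamp(s) { return match(s, /"[0-9]+Z/) ? substr(s, RSTART + 1, RLENGTH - 1) : "" }
    /^keychain: /            { kc = unq(substr($0, 11)) }
    /^class: /               { cls = unq(substr($0, 8)) }
    /^ *0x00000007 <blob>=/  { lbl = rhs($0) }          # attribute 7 is the label
    /^ *"acct"<blob>=/       { acct = rhs($0) }
    /^ *"svce"<blob>=/       { svc = rhs($0) }
    /^ *"cdat"<timedate>=/   { cdat = stamp($0) }
    /^ *"mdat"<timedate>=/   { mdat = stamp($0) }
    /^password: /            { leaked = 1 }
    END {
      if (leaked) { print "{\"ok\":false,\"error\":\"input contains a password line\"}" > "/dev/stderr"; exit 1 }
      printf "{\"ok\":true,\"class\":\"%s\",\"keychain\":\"%s\",\"service\":\"%s\",\"account\":\"%s\",\"label\":\"%s\",\"created\":\"%s\",\"modified\":\"%s\"}\n",
             cls, kc, svc, acct, lbl, cdat, mdat
    }'
}

# kc_run OP SERVICE ACCOUNT [KEYCHAIN] [--confirmed]
# Secrets for set/update come from stdin (first line) and are never echoed back;
# reveal-secret and delete refuse to run without --confirmed; inputs are checked before
# the runtime dependency so a bad request never touches the keychain.
kc_run() {
  [ $# -ge 3 ] || { json_err "usage: kc_run OP SERVICE ACCOUNT [KEYCHAIN] [--confirmed]"; return 2; }
  op=$1; svc=$2; acct=$3; shift 3
  kc=; confirmed=0
  for a in "$@"; do if [ "$a" = --confirmed ]; then confirmed=1; else kc=$a; fi; done
  [ -n "$svc" ] && [ -n "$acct" ] || { json_err "service and account are required"; return 2; }
  case $op in delete|reveal-secret) [ "$confirmed" -eq 1 ] || { json_err "$op requires --confirmed"; return 2; } ;; esac
  sec=${SECURITY_BIN:-/usr/bin/security}
  [ -x "$sec" ] || { json_err "missing runtime dependency: $sec"; return 2; }
  rc=0
  case $op in
    exists)
      "$sec" find-generic-password -s "$svc" -a "$acct" ${kc:+"$kc"} >/dev/null 2>&1 || rc=$?
      case $rc in 0) printf '{"ok":true,"exists":true}\n' ;; 44) printf '{"ok":true,"exists":false}\n' ;;
                  *) json_err "security exited $rc"; return 1 ;; esac ;;
    read-meta)      # no -g and no -w, so security never emits the secret here
      out=$("$sec" find-generic-password -s "$svc" -a "$acct" ${kc:+"$kc"} 2>/dev/null) || rc=$?
      [ "$rc" -eq 0 ] || { json_err "security exited $rc"; return 1; }
      printf '%s\n' "$out" | kc_parse_meta ;;
    read-secret)    # value-only form: the secret alone on stdout, no JSON wrapper
      "$sec" find-generic-password -s "$svc" -a "$acct" -w ${kc:+"$kc"} 2>/dev/null || rc=$?
      [ "$rc" -eq 0 ] || { json_err "security exited $rc"; return 1; } ;;
    reveal-secret)
      val=$("$sec" find-generic-password -s "$svc" -a "$acct" -w ${kc:+"$kc"} 2>/dev/null) || rc=$?
      [ "$rc" -eq 0 ] || { json_err "security exited $rc"; return 1; }
      printf '{"ok":true,"secret":"%s"}\n' "$(json_escape "$val")" ;;
    set|update)
      IFS= read -r secret || true
      [ -n "$secret" ] || { json_err "no secret on stdin"; return 2; }
      upd=
      if [ "$op" = update ]; then   # update must fail if the item does not exist; -U then overwrites it
        "$sec" find-generic-password -s "$svc" -a "$acct" ${kc:+"$kc"} >/dev/null 2>&1 || { json_err "item does not exist"; return 1; }
        upd=-U
      fi
      "$sec" add-generic-password $upd -s "$svc" -a "$acct" -l "$svc" -w "$secret" ${kc:+"$kc"} >/dev/null 2>&1 || rc=$?
      case $rc in 0) printf '{"ok":true,"op":"%s"}\n' "$op" ;; 45) json_err "item already exists"; return 1 ;;
                  *) json_err "security exited $rc"; return 1 ;; esac ;;
    delete)
      "$sec" delete-generic-password -s "$svc" -a "$acct" ${kc:+"$kc"} >/dev/null 2>&1 || rc=$?
      case $rc in 0) printf '{"ok":true,"deleted":true}\n' ;; 44) json_err "item not found"; return 1 ;;
                  *) json_err "security exited $rc"; return 1 ;; esac ;;
    *) json_err "unknown operation: $op"; return 2 ;;
  esac
}

# Constructed sample of `security find-generic-password` output (no -g), used to demo the parser.
SAMPLE_META='keychain: "/Users/alice/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="My Label"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "cdat"<timedate>=0x32303234303130313132303030305A00  "20240101120000Z\000"
    "desc"<blob>=<NULL>
    "mdat"<timedate>=0x32303234303130313132303030305A00  "20240101120000Z\000"
    "svce"<blob>="example.com"'

printf '%s\n' "$SAMPLE_META" | kc_parse_meta
```

Typical calls on a Mac: `kc_run exists example.com alice`, `printf '%s\n' "$SECRET" | kc_run set example.com alice`, `kc_run read-secret example.com alice`, `kc_run delete example.com alice --confirmed`, with a non-default keychain added as a trailing path. Two caveats worth knowing: `read-meta` deliberately calls `find-generic-password` without `-g` or `-w`, so the secret is never produced, and the parser additionally refuses any input that contains a `password:` line; and `add-generic-password -w` places the secret on the argv of `security`, which is visible in `ps` to other local users for the duration of that call, so this wrapper only keeps the secret out of its own output, not out of the process table.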