The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The command-line interface allows users to provide the master password via the '-p' or '--password' arguments. This practice is insecure as command-line arguments are stored in plaintext in shell history files, making the password accessible to anyone with access to the user's home directory.
[CREDENTIALS_UNSAFE]: There is a discrepancy between the security claims in the documentation and the actual implementation. SKILL.md states that the system uses AES-256-GCM, but the code in key_manager.py uses the cryptography.fernet library, which utilizes AES-128 in CBC mode. This misleading information could lead to an incorrect assessment of the skill's security properties.
[CREDENTIALS_UNSAFE]: The 'get' command outputs retrieved secrets directly to the standard output. This behavior can lead to sensitive keys being captured in log files, terminal history, or being visible in the AI agent's conversation history, increasing the surface area for accidental data exposure.

secure-key-manager