aws-secrets-manager
Using Secrets Safely with Agents
Overview
When AI agents with shell or AWS API access handle secrets, credentials, API
keys, tokens, or passwords, they can call aws secretsmanager get-secret-value
and receive plaintext values in their context window. This creates risk:
secrets may leak into logs, conversation history, or downstream tool calls.
This skill teaches a safer pattern: dynamic references resolved at runtime
by a wrapper script (asm-exec), so the agent never sees the secret value.
Best-effort defense, not a security boundary. This prevents the most common leakage path but cannot stop all evasion vectors. Combine with IAM least-privilege, CloudTrail monitoring, and VPC endpoint policies.
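A minimal sketch of the wrapper pattern described above, added here as an illustration; it is not the asm-exec script itself. The `{{resolve:secretsmanager:...}}` placeholder syntax, the function names and the secret names are assumptions, and the sketch accepts secret names only (not ARNs, which contain colons).

```python
import json
import os
import re
import subprocess
import sys

# Assumed placeholder syntax (modelled on CloudFormation dynamic references);
# the syntax asm-exec actually uses may differ.
REF = re.compile(r"\{\{resolve:secretsmanager:([^:}]+)(?::SecretString:([^:}]+))?\}\}")


def fetch_from_aws(secret_id):
    """Return the SecretString for secret_id (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the resolver can be replaced offline
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)["SecretString"]


def resolve_env(env, fetch=fetch_from_aws):
    """Return a copy of env with each reference replaced by its secret value."""
    cache = {}  # one API call per secret, even if several keys are referenced

    def substitute(match):
        secret_id, json_key = match.group(1), match.group(2)
        if secret_id not in cache:
            cache[secret_id] = fetch(secret_id)
        value = cache[secret_id]
        return str(json.loads(value)[json_key]) if json_key else value

    return {name: REF.sub(substitute, value) for name, value in env.items()}


def run(argv, env, fetch=fetch_from_aws):
    """Run argv with the resolved environment; the caller gets only the exit code."""
    try:
        child_env = resolve_env(env, fetch)
    except Exception as exc:
        # Report the exception type only: its message may contain secret material.
        print(f"wrapper: resolution failed ({type(exc).__name__})", file=sys.stderr)
        return 1
    return subprocess.run(argv, env=child_env).returncode


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: wrapper.py COMMAND [ARGS...]")
    sys.exit(run(sys.argv[1:], dict(os.environ)))
```

The child process inherits the caller's stdout and stderr, so a command that prints its own environment still exposes the resolved value; the wrapper only keeps the plaintext out of the agent's own command line and tool output.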
Rules
You MUST follow these rules when working with secrets: