tahr-audit-secrets-config

Installation
SKILL.md

Tahr Audit Secrets and Config

Find configuration and supply-chain weaknesses that become real attacker capabilities. Do not turn a keyword, permissive development setting, or package advisory into a vulnerability without proving production relevance and reachability.

Establish scope and safety

Inspect source, committed configuration, lockfiles, build files, IaC, containers, CI/CD, and documentation read-only by default. Inspect git history only when the user includes it. Do not search unrelated home directories, credential stores, or .git working metadata.

Never validate a discovered credential against a live provider unless the user explicitly authorizes that exact action and the account is disposable. Never print, copy, commit, or persist a raw secret. Record type, file and line, source, scope, length, a short redacted preview, and a SHA-256 fingerprint.

Read references/config-audit-matrix.md for the audit families. Read references/exploitability-research.md before using advisory or CVE information.

Inventory every configuration plane

Enumerate:

Installs
3
First Seen
1 day ago
tahr-audit-secrets-config — tahr-security/tahr-security-skills