Learning Objectives
- Audit your toolkit for exposed credentials and personal data
- Apply least-privilege permissions to MCP server access
- Create a security manifest so installers understand what the toolkit touches
π― What You'll Learn: How to catch security issues before they become incidents, credentials, access scope, and what your toolkit touches
β±οΈ Time Required: 35 minutes
Riley's Near-Miss
Riley was doing a final read-through before sending the toolkit to David. She saw it: her actual Slack bot token, right there in a README example.
"Anyone who installed my toolkit would have had my company Slack credentials. I'd been so focused on making it work that I never looked at it through the lens of 'what if someone else reads this?' Security review isn't optional. It's the last line before distribution."
β Riley Harper
This lesson is a systematic pass through your toolkit to catch anything like this before it ships.
What You're Looking For
Three categories of risk:
1. Hardcoded secrets, API keys, tokens, webhook URLs embedded directly in files. If they end up in a shared folder, email, or GitHub repo, they're compromised.
2. Personal paths, /Users/Riley/ or C:\Users\Riley\ embedded in scripts, configs, or templates. These break on any machine that isn't yours and leak information about your system layout.
3. Over-permissioned access, MCP servers configured with access to your entire home directory instead of only the folders the toolkit needs.
Exercise: Security Audit (35 min)
Step 1: Scan for Secrets (10 min)
Run these commands from inside your toolkit folder:
# Slack tokens
grep -r "xoxb-" .
grep -r "hooks.slack.com" .
# Generic API key patterns
grep -r -i "api_key\|apikey\|api-key" .
grep -r -i "secret\|password\|token" .
# AWS, OpenAI, Anthropic
grep -r "sk-" .
grep -r "AKIA" .
# Personal paths
grep -r "/Users/" .
grep -r "C:\\\\Users" .
# Real email addresses
grep -r -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" . --include="*.md"
Any result that isn't a placeholder or documentation about credentials is a problem.
The fix is always one of two things:
Replace real values with environment variable references in code:
{ "slack_token": "${SLACK_BOT_TOKEN}" }
Replace real values with clearly fake placeholders in documentation:
export SLACK_BOT_TOKEN="xoxb-YOUR-TOKEN-HERE"
Riley's audit findings:
| Location | Issue | Fix |
|---|---|---|
README.md line 45 | Real Slack token xoxb-123-456 in example | Replaced with xoxb-YOUR-TOKEN-HERE |
hooks/settings-snippet.json | Hardcoded Team ID | Replaced with ${SLACK_TEAM_ID} |
templates/CLAUDE.md.template | /Users/Riley/margin-data path | Replaced with [YOUR_DATA_FOLDER] |
Step 2: Fix MCP Permissions (10 min)
If your toolkit includes an MCP server config (in hooks/settings-snippet.json or a config template), check the filesystem scope.
Too broad, exposes everything:
{
"filesystem": {
"args": ["-y", "@modelcontextprotocol/server-filesystem", "~"]
}
}
Correct, scoped to what the toolkit actually needs:
{
"filesystem": {
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"${PRIME_BROKER_EXPORT_DIR}",
"${REPORTS_DIR}"
]
}
}
The principle: request access to the minimum number of paths the toolkit needs to function. The installer should set those paths explicitly, never grant access to ~ or /.
For API permissions (Slack, etc.), document exactly which scopes you need and why you need each one:
## Required Slack Scopes
- `chat:write` β to post the report to a channel
- `channels:read` β to verify the channel exists before posting
We don't need admin, user data, or file management permissions.
Step 3: Create a SECURITY.md (10 min)
Add a SECURITY.md to your toolkit root that documents what the toolkit touches. This helps installers make informed decisions, and it signals you've thought about it.
Template:
# Security Information
## What This Toolkit Accesses
### File System
- Read: `PRIME_BROKER_EXPORT_DIR` (Prime Broker portal CSV exports)
- Write: `REPORTS_DIR` (generated report files)
We do NOT access your home directory root, system folders, or any other application data.
### External APIs
- **Slack** β posts to one configured channel (`chat:write` scope only)
We do NOT store data externally, send data to third parties, or require admin privileges on any system.
## Credential Handling
| Credential | Where it's stored |
|------------|------------------|
| `SLACK_BOT_TOKEN` | Environment variable only β never in any file |
| `SLACK_TEAM_ID` | Environment variable only |
## Reporting Issues
If you find a security problem: [your contact method]
Step 4: Final Check Before Sharing (5 min)
Run one final scan, then sign off:
# Should return nothing if your toolkit is clean
grep -r -E "(xoxb|sk-|AKIA|hooks\.slack\.com)" .
grep -r "/Users/[A-Za-z]" .
grep -r "C:\\\\Users\\\\[A-Za-z]" .
Checklist:
| File | Reviewed |
|---|---|
README.md | |
All skills/*.md | |
All agents/*.md | |
hooks/settings-snippet.json | |
All templates/* | |
SECURITY.md (new) |
If everything is clean, the toolkit is ready to share.
The Cost of Getting This Wrong
| Risk | Impact |
|---|---|
| Exposed Slack token | Anyone who receives the file can post to your Slack as your bot |
| Hardcoded path | Toolkit fails silently on every machine that isn't yours |
MCP access to ~ | Claude has read/write access to your entire home directory during every session that uses the toolkit |
"The security review took 45 minutes. Finding an exposed token in a shared internal repo would have taken months to sort out. 45 minutes for peace of mind is one of the best trades I've made."
β Riley Harper
β Success Criteria:
SECURITY.md documents what the toolkit touches.gitignore includes .env, *.credentials, and secrets.jsonNext Up
You've built, documented, and reviewed a shareable toolkit. Your automation is ready for the rest of the course, and for the rest of your team.