返回 Skill 列表
extension
分类: 开发与工程无需 API Key

keepass-hygiene

KeePass凭证卫生规则。在通过MCP工具与KeePass交互、处理密钥或执行凭据轮换时应用。在任何保险库操作中自动加载。

person作者: jakexiaohubgithub

KeePass Credential Hygiene

RULES: apply whenever interacting with KeePass via MCP tools.

  1. Never use an [INACTIVE] entry as a credential. If get_entry or get_attachment returns an EntryInactive error, stop and inform the user.
  2. When vault access is required for SSH or GPG key material, use get_attachment, not get_entry. Exception: check ssh-agent and ~/.ssh first per the SSH skill before accessing the vault at all.
  3. Never include returned secrets in conversation output, comments, code, logs, or any file other than the intended destination.
  4. On credential rotation: confirm create_entry succeeded before calling deactivate_entry. Never deactivate before confirming the new credential is stored.
  5. When generating new credentials, use cryptographically appropriate parameters: ed25519 for SSH keys, 32+ character random strings for passwords, correct key types per service.
  6. Search-first lookup: if get_entry or get_attachment fails to find an entry in the expected group, use search_entries with the entry name as the query. Entries may be in sub-groups or have moved.
  7. AI RESTRICTED tag: if a tool raises EntryRestricted, do not attempt to access the entry by any other means. Inform the user the entry is restricted and stop.
  8. READ ONLY tag: entries tagged READ ONLY can be read via get_entry and get_attachment but reject all writes (deactivate_entry, add_attachment). Do not attempt workarounds.