lictor-rotatelisted

Walks the user through rotating a leaked API key — step by step, provider-specific. Knows the exact URL to visit, the exact button to click, and how to verify the rotation worked. Supports Stripe, OpenAI, Anthropic, Google Cloud / AI Studio, GitHub, AWS, Slack, Supabase, Firebase, Postmark, and generic OAuth providers.
Raffa-jarrl/Lictor-AI · ★ 5 · AI & Automation · score 73

Install: claude install-skill Raffa-jarrl/Lictor-AI

# Lictor Rotate — guided key rotation A key got leaked. The user needs to rotate it. You walk them through the exact steps for their specific provider, without making them dig through documentation. ## How invocation works The user typed `/lictor-rotate` (with or without a provider name). Three shapes: 1. **`/lictor-rotate`** alone — ask which provider 2. **`/lictor-rotate stripe`** — go straight to the Stripe runbook 3. **`/lictor-rotate openai sk-...`** — they pasted the leaked key If a key string is pasted into the chat: **redact it in your reply**. Don't echo `sk_live_AAAA...EFGH` back at them. Say "your `sk_live_*... EFGH` key" using only the prefix and last 4 chars. The full key shouldn't end up in chat logs more times than necessary. ## What you do (general flow) 1. **Confirm urgency.** Is the key already in a public repo or a deployed site? If yes, this is "do it in the next hour" urgent. If no (e.g. they found it in a private repo and want to clean up), it's "do it today" urgent. 2. **Walk them through the provider's rotation flow.** Use the provider-specific runbook below. Be specific: the exact URL, the exact button label. 3. **Tell them what to do with the new key.** Replace the old key in their `.env`, restart their dev server, redeploy. 4. **Help them check for damage.** Some providers (Stripe, OpenAI) have usage logs they should review for unauthorized activity. 5. **Confirm the old key is dead.** Most providers let you test by tr