Fix Namecheap security findings#2243
Closed
aaronpowell wants to merge 1 commit into
Closed
Conversation
Stop persisting Namecheap API keys in ~/.namecheap-api, require the key from environment variables for runtime use, and replace raw exception output in setup/runtime paths with safe guidance. Update the skill documentation to match the new setup flow. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
🔒 PR Risk Scan ResultsScanned 2 changed file(s).
|
Contributor
🔍 Vally Lint Results✅ All checks passed
Summary
Full linter output |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the Namecheap skill’s credential handling by ensuring the API key is no longer written to disk, and by making runtime/setup error output safer (less likely to echo sensitive data), while updating the skill documentation to reflect the new credential flow.
Changes:
- Stop persisting
NAMECHEAP_API_KEYin~/.namecheap-api; read it fromNAMECHEAP_API_KEYat runtime and only prompt during setup for validation. - Add “safe” error/reporting helpers that redact likely secret patterns and replace raw exception dumps with guidance.
- Update
skills/namecheap/SKILL.mdto document the new credential expectations.
Show a summary per file
| File | Description |
|---|---|
| skills/namecheap/SKILL.md | Updates setup/credential documentation to match the new “API key via env var” model. |
| skills/namecheap/namecheap.py | Refactors config handling to avoid writing API keys to disk and introduces safer error output/redaction. |
Review details
- Files reviewed: 2/2 changed files
- Comments generated: 3
- Review effort level: Low
| Before executing any API commands, verify credentials are configured: | ||
|
|
||
| 1. **Check for existing config** — look for `~/.namecheap-api` | ||
| 1. **Check for existing config** — look for `~/.namecheap-api` and ensure `NAMECHEAP_API_KEY` is exported in the user's shell |
| ## Behavior | ||
|
|
||
| - **Always check credentials first.** Before any API operation, verify `~/.namecheap-api` exists and is readable. If not, run the setup flow. | ||
| - **Always check credentials first.** Before any API operation, verify `~/.namecheap-api` exists and is readable, and that `NAMECHEAP_API_KEY` is set in the current shell. If not, run the setup flow and have the user export the API key. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
~/.namecheap-apiand requireNAMECHEAP_API_KEYfrom the environment at runtimeValidation