Skip to content

Fix Namecheap security findings#2243

Closed
aaronpowell wants to merge 1 commit into
mainfrom
aaronpowell-fix-namecheap-security-findings
Closed

Fix Namecheap security findings#2243
aaronpowell wants to merge 1 commit into
mainfrom
aaronpowell-fix-namecheap-security-findings

Conversation

@aaronpowell

Copy link
Copy Markdown
Contributor

Summary

  • stop writing the Namecheap API key to ~/.namecheap-api and require NAMECHEAP_API_KEY from the environment at runtime
  • replace setup/runtime exception output that could echo sensitive details with safe guidance and redaction
  • update the Namecheap skill documentation to match the new credential flow

Validation

  • npm run build
  • npm run plugin:validate
  • npm run skill:validate
  • bash eng/fix-line-endings.sh

Stop persisting Namecheap API keys in ~/.namecheap-api, require the key from environment variables for runtime use, and replace raw exception output in setup/runtime paths with safe guidance. Update the skill documentation to match the new setup flow.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 8, 2026 02:36
@github-actions github-actions Bot added the skills PR touches skills label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔒 PR Risk Scan Results

Scanned 2 changed file(s).

Severity Count
🔴 High 0
🟠 Medium 0
ℹ️ Info 1
Severity Rule File Line Match
ℹ️ skill-script-touched skills/namecheap/namecheap.py 1 skills/namecheap/namecheap.py

This is an automated soft-gate report. Findings indicate review targets and do not block merge by themselves.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔍 Vally Lint Results

✅ All checks passed

Scope Checked
Skills 1
Agents 0
Total 1
Severity Count
❌ Errors 0
⚠️ Warnings 0
ℹ️ Advisories 0

Summary

Level Finding
ℹ️ npm warn EBADENGINE Unsupported engine {
ℹ️ npm warn EBADENGINE package: 'commander@15.0.0',
ℹ️ npm warn EBADENGINE required: { node: '>=22.12.0' },
ℹ️ npm warn EBADENGINE current: { node: 'v20.20.2', npm: '10.8.2' }
ℹ️ npm warn EBADENGINE }
ℹ️ npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
ℹ️ ✅ namecheap (2/2 checks passed)
ℹ️ ✓ [spec-compliance] All 1 skill(s) are spec-compliant.
ℹ️ ✓ spec-compliance: All spec checks passed.
ℹ️ ✓ [valid-refs] All file references across 1 skill(s) are valid.
Full linter output
### Linting skills/namecheap
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: 'commander@15.0.0',
npm warn EBADENGINE   required: { node: '>=22.12.0' },
npm warn EBADENGINE   current: { node: 'v20.20.2', npm: '10.8.2' }
npm warn EBADENGINE }
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
✅ namecheap (2/2 checks passed)
    ✓ [spec-compliance] All 1 skill(s) are spec-compliant.
        ✓ spec-compliance: All spec checks passed.
    ✓ [valid-refs] All file references across 1 skill(s) are valid.
        ✓ valid-refs: All file references resolve to existing files within the skill directory.

1 skill(s) linted, 1 passed

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the Namecheap skill’s credential handling by ensuring the API key is no longer written to disk, and by making runtime/setup error output safer (less likely to echo sensitive data), while updating the skill documentation to reflect the new credential flow.

Changes:

  • Stop persisting NAMECHEAP_API_KEY in ~/.namecheap-api; read it from NAMECHEAP_API_KEY at runtime and only prompt during setup for validation.
  • Add “safe” error/reporting helpers that redact likely secret patterns and replace raw exception dumps with guidance.
  • Update skills/namecheap/SKILL.md to document the new credential expectations.
Show a summary per file
File Description
skills/namecheap/SKILL.md Updates setup/credential documentation to match the new “API key via env var” model.
skills/namecheap/namecheap.py Refactors config handling to avoid writing API keys to disk and introduces safer error output/redaction.

Review details

  • Files reviewed: 2/2 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread skills/namecheap/namecheap.py
Comment thread skills/namecheap/SKILL.md
Before executing any API commands, verify credentials are configured:

1. **Check for existing config** — look for `~/.namecheap-api`
1. **Check for existing config** — look for `~/.namecheap-api` and ensure `NAMECHEAP_API_KEY` is exported in the user's shell
Comment thread skills/namecheap/SKILL.md
## Behavior

- **Always check credentials first.** Before any API operation, verify `~/.namecheap-api` exists and is readable. If not, run the setup flow.
- **Always check credentials first.** Before any API operation, verify `~/.namecheap-api` exists and is readable, and that `NAMECHEAP_API_KEY` is set in the current shell. If not, run the setup flow and have the user export the API key.
@brunoborges brunoborges closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skills PR touches skills

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants