Context
Shelve should ship public AI skills (skills/ directory at the repo root) that any developer can use in their projects. These skills would provide actionable guidance on environment variable security, secrets management best practices, and proper Shelve setup — leveraging the domain expertise embedded in the platform itself.
These skills would be usable by AI agents (Cursor, Codex, etc.) to review code and enforce good practices around secrets management in any project.
Proposed skills
1. skills/env-security/SKILL.md — Environment Variable Security Review
A review skill that audits a project for common env var security issues:
What it checks:
- Secrets committed to git (`.env` files not in `.gitignore`)
- Hardcoded secrets in source code (API keys, tokens, passwords in plain text)
- Sensitive values in client-side / public code (e.g. `NUXT_PUBLIC_`, `NEXT_PUBLIC_`, `VITE_` prefixes misused for secrets)
- Missing encryption at rest for stored secrets
- Weak or missing access control on secret endpoints
- Overly broad token scopes
- Missing token expiration / rotation policies
- Secrets in logs, error messages, or stack traces
- Insecure secret sharing (Slack, email, plain text files)
Best practices it enforces:
- Use a secrets manager (like Shelve) instead of `.env` files in production
- Encrypt secrets at rest (AES-256 minimum)
- Separate environments (dev/staging/prod) with different secret values
- Rotate secrets regularly
- Use framework-specific prefixes correctly (`NUXT_PRIVATE_` vs `NUXT_PUBLIC_`)
- Never store secrets in frontend bundles
- Use short-lived tokens where possible
- Audit secret access
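As an added illustration of what the review skill above would actually check (this is example code written for this issue, not Shelve's code or the skill itself), here is a small stand-alone scanner in TypeScript. It runs over an in-memory snapshot of a repository (path to contents) so it works offline; the sample repository, the credential regexes and the "secret-looking name" heuristic are assumptions chosen for the example, and a real skill would let the agent run the equivalent checks against the working tree. It covers four of the listed items: `.env` files not ignored by git, hardcoded credentials in source, secrets assigned to public (`NUXT_PUBLIC_`, `NEXT_PUBLIC_`, `VITE_`) variables, and secrets written to logs.

```typescript
// Added example, not Shelve's own code: minimal versions of the checks the
// env-security review skill would perform, over an in-memory repo snapshot.

interface Finding {
  rule: 'env-not-ignored' | 'hardcoded-secret' | 'public-prefix-secret' | 'secret-in-log';
  file: string;
  line: number; // 1-based; 0 when the finding is about the whole file
  detail: string;
}
type Repo = Record<string, string>; // path -> file contents

// Prefixes that Nuxt, Next.js and Vite expose to the browser bundle.
const PUBLIC_PREFIXES = ['NUXT_PUBLIC_', 'NEXT_PUBLIC_', 'VITE_'];
// Variable names that almost always denote a secret (assumed heuristic).
const SECRET_NAME = /secret|token|password|passwd|api[_-]?key|private[_-]?key/i;
// Literal shapes of credentials in source (assumed heuristics; extend per project).
const SECRET_LITERALS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'credential assignment', re: /(?:secret|token|password|api[_-]?key)\s*[:=]\s*['"][^'"]{8,}['"]/i },
];
const SOURCE_FILE = /\.(ts|js|mjs|cjs|vue)$/;

function basename(path: string): string {
  const i = path.lastIndexOf('/');
  return i === -1 ? path : path.slice(i + 1);
}
// A real env file, as opposed to a template that is safe to commit.
function isEnvFile(path: string): boolean {
  const b = basename(path);
  return b.startsWith('.env') && !/\.(example|sample|template)$/.test(b);
}
// Simplified gitignore matching: one pattern against a basename, '*' as wildcard.
function ignoreCovers(pattern: string, name: string): boolean {
  const p = pattern.trim().replace(/^\//, '');
  if (!p || p.startsWith('#') || p.endsWith('/')) return false;
  const re = new RegExp('^' + p.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*') + '$');
  return re.test(name);
}
function eachLine(repo: Repo, keep: (p: string) => boolean, fn: (path: string, text: string, line: number) => void): void {
  Object.keys(repo).filter(keep).forEach((path) => {
    repo[path].split('\n').forEach((text, idx) => fn(path, text, idx + 1));
  });
}

function checkGitignore(repo: Repo): Finding[] {
  const rules = (repo['.gitignore'] || '').split('\n');
  return Object.keys(repo).filter(isEnvFile)
    .filter((path) => !rules.some((r) => ignoreCovers(r, basename(path))))
    .map((path) => ({ rule: 'env-not-ignored' as const, file: path, line: 0,
      detail: `${path} is not covered by .gitignore and will be committed` }));
}
function checkHardcodedSecrets(repo: Repo): Finding[] {
  const out: Finding[] = [];
  eachLine(repo, (p) => SOURCE_FILE.test(p), (file, text, line) => {
    SECRET_LITERALS.forEach((lit) => {
      if (lit.re.test(text)) out.push({ rule: 'hardcoded-secret', file, line, detail: `${lit.name} literal in source` });
    });
  });
  return out;
}
function checkPublicPrefixes(repo: Repo): Finding[] {
  const out: Finding[] = [];
  eachLine(repo, isEnvFile, (file, text, line) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(text);
    if (!m) return;
    const pub = PUBLIC_PREFIXES.find((p) => m[1].startsWith(p));
    if (pub && SECRET_NAME.test(m[1])) {
      out.push({ rule: 'public-prefix-secret', file, line, detail: `${m[1]} is shipped to the client bundle via ${pub} but looks like a secret` });
    }
  });
  return out;
}
function checkSecretsInLogs(repo: Repo): Finding[] {
  const out: Finding[] = [];
  eachLine(repo, (p) => SOURCE_FILE.test(p), (file, text, line) => {
    const call = /console\.(?:log|info|warn|error|debug)\((.*)\)/.exec(text);
    if (!call) return;
    (call[1].match(/process\.env\.([A-Za-z0-9_]+)/g) || []).forEach((ref) => {
      const name = ref.replace('process.env.', '');
      if (SECRET_NAME.test(name)) out.push({ rule: 'secret-in-log', file, line, detail: `${name} is written to the console` });
    });
  });
  return out;
}
function reviewEnvSecurity(repo: Repo): Finding[] {
  return checkGitignore(repo).concat(checkHardcodedSecrets(repo), checkPublicPrefixes(repo), checkSecretsInLogs(repo));
}

// Constructed sample repository for the example (not a real project; values are fake).
const SAMPLE_REPO: Repo = {
  '.gitignore': 'node_modules/\ndist/\n',
  '.env': [
    'DATABASE_URL=postgres://app:not-a-real-password@db/app',
    'NUXT_PUBLIC_SITE_NAME=Shelve demo',
    'NUXT_PUBLIC_API_TOKEN=tok_constructed_value', // secret behind a public prefix
    'NUXT_PRIVATE_API_TOKEN=tok_constructed_value', // correct: server-only prefix
  ].join('\n'),
  '.env.example': 'DATABASE_URL=\nNUXT_PRIVATE_API_TOKEN=\n',
  'server/api/sync.ts': [
    "const accessKeyId = 'AKIAIOSFODNN7EXAMPLE'; // AWS documentation sample id, hardcoded",
    "console.log('syncing with', process.env.NUXT_PRIVATE_API_TOKEN);",
    'export default accessKeyId;',
  ].join('\n'),
};
```

Run against `SAMPLE_REPO`, `reviewEnvSecurity` reports one finding per rule: the untracked-but-not-ignored `.env`, the hardcoded AWS key id, the token placed under `NUXT_PUBLIC_`, and the private token echoed to the console. The gitignore matcher is deliberately simplified (basename only, `*` wildcard); a production skill would defer to `git check-ignore`.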
2. skills/shelve-setup/SKILL.md — Shelve Project Setup Guide
A skill for setting up Shelve correctly in a new or existing project:
What it covers:
- Installing and configuring the CLI (`@shelve/cli`)
- Creating `shelve.json` with proper defaults
- Setting up team and project structure
- Configuring environments (development, staging, production)
- Push/pull workflow for syncing env vars
- GitHub Actions integration for CI/CD secrets
- Self-hosting configuration (encryption key generation, session security, allowed origins)
- Variable naming conventions (auto-uppercase, prefixes)
- `.gitignore` patterns for env files
- Monorepo support with multiple `shelve.json` files
3. skills/secrets-sharing/SKILL.md — Secure Secret Sharing Practices
A skill focused on how to safely share secrets within a team:
What it covers:
- Never share secrets via Slack, email, or plain text
- Use Shelve Vault for one-time secret sharing (TTL + read limits + password protection)
- Team invitation and RBAC setup (OWNER > ADMIN > MEMBER)
- Token management (generation, scoping, revocation)
- Onboarding new team members securely
- Offboarding: revoking access and rotating compromised secrets
Directory structure
```
skills/
├── env-security/
│   └── SKILL.md        # Security review skill
├── shelve-setup/
│   └── SKILL.md        # Setup guide skill
└── secrets-sharing/
    └── SKILL.md        # Secure sharing skill
```
Skill format
Each skill should follow the standard SKILL.md format:
- Trigger description at the top (when should the agent use this skill)
- Actionable instructions (not theory — concrete steps and checks)
- Code examples from real Shelve patterns
- Checklists for review skills
- Progressive disclosure (summary → details)
Why public skills
- Developers using Shelve get proactive security guidance in their IDE
- Skills act as living documentation that AI agents can apply automatically
- Positions Shelve as a thought leader on env var security
- Skills are portable — usable in any project, not just Shelve users
- Community can contribute and improve them