infisical

$ npx mdskill add vm0-ai/vm0-skills/infisical

Retrieve and list secrets using Infisical Cloud API.

  • Fetches secret values by name from specific projects and environments.
  • Requires valid Bearer tokens generated from machine identity credentials.
  • Triggers on mentions of Infisical, secrets, or machine identity tokens.
  • Returns structured JSON containing secret keys, values, and environment details.

SKILL.md

.github/skills/infisical
---
name: infisical
description: Infisical Cloud Secrets Manager API for retrieving and listing secrets. Use when user mentions "Infisical", "infisical secrets", "machine identity token", or asks about secrets management with Infisical.
---

## Core APIs

### 1. Obtain an Access Token

All API calls require a Bearer token. Exchange your Machine Identity credentials for a temporary access token (default TTL: 2 hours).

Write to `/tmp/infisical_login.json`:

```json
{
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>"
}
```

Replace `<client-id>` and `<client-secret>` with your actual `INFISICAL_CLIENT_ID` and `INFISICAL_CLIENT_SECRET` values.

Then run:

```bash
curl -s -X POST "https://app.infisical.com/api/v1/auth/universal-auth/login" \
  --header "Content-Type: application/json" \
  -d @/tmp/infisical_login.json \
  | jq -r '.accessToken' > /tmp/infisical_token.txt
```

Verify the token was saved:

```bash
head -c 50 /tmp/infisical_token.txt
```

Use `$(cat /tmp/infisical_token.txt)` in subsequent requests.

### 2. Fetch a Single Secret by Name

Retrieve a secret by its key name from a specific Infisical project and environment.

```bash
curl -s -X GET "https://app.infisical.com/api/v3/secrets/raw/<SECRET_NAME>?workspaceId=<workspace-id>&environment=<env-slug>&secretPath=/" \
  --header "Authorization: Bearer $(cat /tmp/infisical_token.txt)" \
  | jq '{key: .secret.secretKey, value: .secret.secretValue, environment: .secret.environment}'
```

Replace `<SECRET_NAME>` with the exact secret key, `<workspace-id>` with your Infisical project ID (found in project settings), and `<env-slug>` with the environment slug (e.g., `dev`, `staging`, `prod`).

### 3. List All Secrets in a Project/Environment

```bash
curl -s -X GET "https://app.infisical.com/api/v3/secrets/raw?workspaceId=<workspace-id>&environment=<env-slug>&secretPath=/" \
  --header "Authorization: Bearer $(cat /tmp/infisical_token.txt)" \
  | jq '.secrets[] | {key: .secretKey, value: .secretValue, environment: .environment}'
```

Replace `<workspace-id>` and `<env-slug>` as above.

To include secrets from sub-folders recursively, append `&recursive=true` to the query string.

## Guidelines

1. **Token exchange:** POST `/api/v1/auth/universal-auth/login` with `clientId` and `clientSecret`. Default TTL is 2 hours; renew via `/api/v1/auth/universal-auth/renew` if needed.
2. **Workspace ID:** Found in your Infisical project settings page. This is different from the project name/slug.
3. **Environment slugs:** Common values are `dev`, `staging`, `prod` — use the exact slug shown in your Infisical dashboard.
4. **Secret references:** By default, `expandSecretReferences` is `false`. Set to `true` to resolve cross-secret references in values.
5. **Rate limits (Infisical Cloud):** Free plan allows 200 read requests/min; Pro plan allows 350/min. Self-hosted instances have no rate limits.
6. **Security:** The access token grants access to all secrets the machine identity is authorized for. Clean up `/tmp/infisical_token.txt` when done.
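
The token exchange in section 1 leaves the client secret in `/tmp/infisical_login.json` and writes the token with the default umask. The sketch below is an added example, not part of the original skill: it keeps both out of shared files and process arguments and refuses to store a failed login. The function names are assumptions, and the credentials are expected as exported `INFISICAL_CLIENT_ID` and `INFISICAL_CLIENT_SECRET` variables.

```bash
# Added example, not part of the original skill. Function names are
# assumptions of this sketch; endpoint and JSON fields are the ones above.

# Create a private scratch directory (mktemp -d uses mode 0700) and print it.
infisical_tmpdir() {
  mktemp -d "${TMPDIR:-/tmp}/infisical.XXXXXX"
}

# Read a token on stdin and store it in file $1 with mode 0600.
# Rejects empty input and the literal "null" that `jq -r '.accessToken'`
# prints when the login response carries no token.
save_token() {
  local dest="$1" token=""
  IFS= read -r token || true
  case "$token" in
    ''|null) echo "login failed: no accessToken in response" >&2; return 1 ;;
  esac
  ( umask 077 && printf '%s' "$token" > "$dest" && chmod 600 "$dest" )
}

# Exchange Machine Identity credentials for a token stored in $1/token.
# jq reads the exported INFISICAL_CLIENT_ID / INFISICAL_CLIENT_SECRET through
# `env`, and curl takes the body on stdin (-d @-), so the client secret never
# reaches a file or a process argument list.
infisical_login() {
  jq -nc '{clientId: env.INFISICAL_CLIENT_ID, clientSecret: env.INFISICAL_CLIENT_SECRET}' |
    curl -sS --fail -X POST \
      "https://app.infisical.com/api/v1/auth/universal-auth/login" \
      --header "Content-Type: application/json" -d @- |
    jq -r '.accessToken' |
    save_token "$1/token"
}

# GET $2 with the token from file $1. The header is passed on stdin (-H @-,
# curl 7.55+) so the bearer token is not visible in `ps` output.
infisical_get() {
  printf 'Authorization: Bearer %s\n' "$(cat "$1")" | curl -sS --fail -H @- "$2"
}

# Usage (needs network and exported credentials):
#   dir=$(infisical_tmpdir) && trap 'rm -rf -- "$dir"' EXIT
#   infisical_login "$dir" &&
#     infisical_get "$dir/token" "https://app.infisical.com/api/v3/secrets/raw?workspaceId=<workspace-id>&environment=<env-slug>&secretPath=/"
```

The `trap` in the usage lines removes the directory, and the token with it, when the shell exits, which covers the cleanup step in guideline 6.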
