claude-secrets

MCP Tool

BellaBe/claude-secrets

GPG-encrypted credential manager for Claude Code MCP channels. Keeps API tokens out of .env files that Claude can read.

Install

$ npx loaditout add BellaBe/claude-secrets

Platform-specific configuration:

.claude/settings.json

{
  "mcpServers": {
    "claude-secrets": {
      "command": "npx",
      "args": [
        "-y",
        "claude-secrets"
      ]
    }
  }
}

Add the config above to .claude/settings.json under the mcpServers key.

About

Claude Channel Secrets

GPG-encrypted credential storage for Claude Code MCP channels. Keeps tokens out of flat files where Claude's tools can read them.

Why

MCP channel servers need API tokens. Storing them in .env files under ~/.claude/channels/ means Claude Code can read them via file tools. This moves credentials into pass (GPG-encrypted ~/.password-store/), which Claude cannot access.

Install

# Prerequisites (one-time)
sudo apt install pass gnupg
gpg --gen-key
pass init <gpg-key-id>          # gpg --list-keys to find it

# Place the directory
cp -r claude-secrets ~/claude-secrets
chmod +x ~/claude-secrets/secret.sh

# Optional alias
echo 'alias claude-secret="~/claude-secrets/secret.sh"' >> ~/.bashrc
source ~/.bashrc

Usage

secret.sh set <channel> <key> <value>
secret.sh get <channel> <key>
secret.sh list [channel]
secret.sh rm  <channel> <key>
secret.sh migrate <channel> <ENV_KEY> <pass_key>

Store

Always quote values — tokens contain colons and special characters that the shell will split or truncate without quotes:

cd ~/claude-secrets

# ✓ Correct — quoted
./secret.sh set telegram bot-token "123456789:AAHfiqksKZ8..."
./secret.sh set telegram admin-id "987654321"

# ✗ Wrong — token gets truncated at the colon
./secret.sh set telegram bot-token 123456789:AAHfiqksKZ8...

More examples:

./secret.sh set slack bot-token "xoxb-..."
./secret.sh set slack signing-secret "abc123..."
./secret.sh set discord bot-token "MTk..."

Verify after storing

Always verify the token works after storing:

# Telegram
curl "https://api.telegram.org/bot$(pass show claude-telegram/bot-token)/getMe"

# Discord
curl -H "Authorization: Bot $(pass show claude-discord/bot-token)" https://discord.com/api/v10/users/@me

If you get a 404 or 401, the token is wrong — re-store it with quotes.

Retrieve

./secret.sh get telegram bot-token

List

./secret.sh list

Reviews

Loading reviews...

Quality Signals

Installs

Last updated28 days ago

Security: AREADME

Safety

Risk Levelmedium

Data Access

read

Network Accessnone

Details

Sourcegithub-crawl

Last commit3/24/2026

View on GitHub→

Embed Badge

[![Loaditout](https://loaditout.ai/api/badge/BellaBe/claude-secrets)](https://loaditout.ai/skills/BellaBe/claude-secrets)

claude-secrets

MCP Tool

BellaBe/claude-secrets

GPG-encrypted credential manager for Claude Code MCP channels. Keeps API tokens out of .env files that Claude can read.

Install

$ npx loaditout add BellaBe/claude-secrets

Platform-specific configuration:

.claude/settings.json

{
  "mcpServers": {
    "claude-secrets": {
      "command": "npx",
      "args": [
        "-y",
        "claude-secrets"
      ]
    }
  }
}

Add the config above to .claude/settings.json under the mcpServers key.

About

Claude Channel Secrets

GPG-encrypted credential storage for Claude Code MCP channels. Keeps tokens out of flat files where Claude's tools can read them.

Why

Install

# Prerequisites (one-time)
sudo apt install pass gnupg
gpg --gen-key
pass init <gpg-key-id>          # gpg --list-keys to find it

# Place the directory
cp -r claude-secrets ~/claude-secrets
chmod +x ~/claude-secrets/secret.sh

# Optional alias
echo 'alias claude-secret="~/claude-secrets/secret.sh"' >> ~/.bashrc
source ~/.bashrc

Usage

secret.sh set <channel> <key> <value>
secret.sh get <channel> <key>
secret.sh list [channel]
secret.sh rm  <channel> <key>
secret.sh migrate <channel> <ENV_KEY> <pass_key>

Store

Always quote values — tokens contain colons and special characters that the shell will split or truncate without quotes:

cd ~/claude-secrets

# ✓ Correct — quoted
./secret.sh set telegram bot-token "123456789:AAHfiqksKZ8..."
./secret.sh set telegram admin-id "987654321"

# ✗ Wrong — token gets truncated at the colon
./secret.sh set telegram bot-token 123456789:AAHfiqksKZ8...

More examples:

./secret.sh set slack bot-token "xoxb-..."
./secret.sh set slack signing-secret "abc123..."
./secret.sh set discord bot-token "MTk..."

Verify after storing

Always verify the token works after storing:

# Telegram
curl "https://api.telegram.org/bot$(pass show claude-telegram/bot-token)/getMe"

# Discord
curl -H "Authorization: Bot $(pass show claude-discord/bot-token)" https://discord.com/api/v10/users/@me

If you get a 404 or 401, the token is wrong — re-store it with quotes.

Retrieve

./secret.sh get telegram bot-token

List

./secret.sh list

Reviews

Loading reviews...

Quality Signals

Installs

Last updated28 days ago

Security: AREADME

Safety

Risk Levelmedium

Data Access

read

Network Accessnone

Details

Sourcegithub-crawl

Last commit3/24/2026

View on GitHub→

Embed Badge

[![Loaditout](https://loaditout.ai/api/badge/BellaBe/claude-secrets)](https://loaditout.ai/skills/BellaBe/claude-secrets)

claude-secrets

Install

About

Tags

Reviews

Quality Signals

Safety

Details

Embed Badge

claude-secrets

Install

About

Tags

Reviews

Quality Signals

Safety

Details

Embed Badge