Credential-Scanner-Safe Skill Authoring The repo runs a behavioral-pattern scanner on every commit that touches . The scanner is correctly tuned to block patterns that look like credential access — env-file paths under user home directories, HTTP calls that interpolate secret-named variables, dump-all-env constructs, and destructive root operations. The signal is sound, but legitimate ops-doc skills (Hermes bot install, systemd unit hardening, secret rotation runbooks) naturally describe these patterns. This skill is the convention set for documenting that work without the false-positive bloc…