instantly-security-basics

Instantly Security Basics

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "instantly-security-basics" with this command: npx skills add jeremylongshore/claude-code-plugins-plus-skills/jeremylongshore-claude-code-plugins-plus-skills-instantly-security-basics

Instantly Security Basics

Overview

Security best practices for Instantly API keys, tokens, and access control.

Prerequisites

  • Instantly SDK installed

  • Understanding of environment variables

  • Access to Instantly dashboard

Instructions

Step 1: Configure Environment Variables

.env (NEVER commit to git)

INSTANTLY_API_KEY=sk_live_*** INSTANTLY_SECRET=***

.gitignore

.env .env.local .env.*.local

Step 2: Implement Secret Rotation

set -euo pipefail

1. Generate new key in Instantly dashboard

2. Update environment variable

export INSTANTLY_API_KEY="new_key_here"

3. Verify new key works

curl -H "Authorization: Bearer ${INSTANTLY_API_KEY}"
https://api.instantly.com/health

4. Revoke old key in dashboard

Step 3: Apply Least Privilege

Environment Recommended Scopes

Development read:*

Staging read:*, write:limited

Production Only required scopes

Output

  • Secure API key storage

  • Environment-specific access controls

  • Audit logging enabled

Error Handling

Security Issue Detection Mitigation

Exposed API key Git scanning Rotate immediately

Excessive scopes Audit logs Reduce permissions

Missing rotation Key age check Schedule rotation

Examples

Service Account Pattern

const clients = { reader: new InstantlyClient({ apiKey: process.env.INSTANTLY_READ_KEY, }), writer: new InstantlyClient({ apiKey: process.env.INSTANTLY_WRITE_KEY, }), };

Webhook Signature Verification

import crypto from 'crypto';

function verifyWebhookSignature( payload: string, signature: string, secret: string ): boolean { const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex'); return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); }

Security Checklist

  • API keys in environment variables

  • .env files in .gitignore

  • Different keys for dev/staging/prod

  • Minimal scopes per environment

  • Webhook signatures validated

  • Audit logging enabled

Audit Logging

interface AuditEntry { timestamp: Date; action: string; userId: string; resource: string; result: 'success' | 'failure'; metadata?: Record<string, any>; }

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> { const log: AuditEntry = { ...entry, timestamp: new Date() };

// Log to Instantly analytics await instantlyClient.track('audit', log);

// Also log locally for compliance console.log('[AUDIT]', JSON.stringify(log)); }

// Usage await auditLog({ action: 'instantly.api.call', userId: currentUser.id, resource: '/v1/resource', result: 'success', });

Resources

  • Instantly Security Guide

  • Instantly API Scopes

Next Steps

For production deployment, see instantly-prod-checklist .

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

xss-vulnerability-scanner

No summary provided by upstream source.

Repository SourceNeeds Review
45-jeremylongshore
Security

cookie-security-analyzer

No summary provided by upstream source.

Repository SourceNeeds Review
42-jeremylongshore
Security

session-security-checker

No summary provided by upstream source.

Repository SourceNeeds Review
42-jeremylongshore
Security

hipaa-audit-helper

No summary provided by upstream source.

Repository SourceNeeds Review
39-jeremylongshore