# Security

> Markdown variant of <https://www.skillzdrive.com/docs/security>.

How SkillzDrive protects your credentials and data.

## Credential encryption

Some skills require third-party API keys (e.g. `GEMINI_API_KEY`,
`OPENAI_API_KEY`). Users store their own keys — the platform never
provides keys on their behalf.

All stored credentials are protected as follows:

- **AES-256-GCM encryption at rest** — each credential has a unique initialization vector (IV).
- **Encryption key stored only in server environment variables** — never in the database or client code.
- **Masked values for display** (e.g. `AIz...xyz1`) — full values are never returned from any API endpoint.

## How credentials reach scripts

1. User stores their API key via the Account page (`/dashboard/account`).
2. When a script with `requiredEnvVars` is executed, the MCP server fetches and decrypts only the needed credentials.
3. Decrypted values are injected as environment variables into the isolated sandbox.
4. The sandbox is destroyed after execution — credentials are never persisted.

Credentials only exist in decrypted form for the duration of script
execution. They are never written to disk in the sandbox.
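The storage scheme from "Credential encryption" and the decrypt-on-demand step above, sketched in Node.js as an added example; it is not SkillzDrive's code. Every name except `requiredEnvVars` is hypothetical, and binding the variable name as GCM associated data is an extra that goes beyond what this page describes.

```javascript
// Added example, not SkillzDrive code. Names other than requiredEnvVars are hypothetical.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Assumption: the 32-byte key arrives hex-encoded in an environment variable
// (CREDENTIAL_KEY_HEX is a made-up name). A random key stands in so this runs offline.
const MASTER_KEY = Buffer.from(
  process.env.CREDENTIAL_KEY_HEX || randomBytes(32).toString('hex'), 'hex');

// Encrypt one credential under a fresh 96-bit IV. The variable name is bound as
// associated data, so a ciphertext copied into another variable's row fails to decrypt.
function encryptCredential(name, value, key = MASTER_KEY) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { name, iv: iv.toString('hex'), ct: ct.toString('hex'),
           tag: cipher.getAuthTag().toString('hex'), masked: maskValue(value) };
}

// final() throws if the ciphertext, IV, tag or bound name was altered.
function decryptCredential(rec, key = MASTER_KEY) {
  const d = createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'hex'));
  d.setAAD(Buffer.from(rec.name, 'utf8'));
  d.setAuthTag(Buffer.from(rec.tag, 'hex'));
  return Buffer.concat([d.update(Buffer.from(rec.ct, 'hex')), d.final()]).toString('utf8');
}

// Display form shaped like the page's `AIz...xyz1`: first 3 and last 4 characters.
function maskValue(v) {
  return v.length <= 7 ? '*'.repeat(v.length) : `${v.slice(0, 3)}...${v.slice(-4)}`;
}

// Decrypt only what the script declares in requiredEnvVars; fail closed if one is missing.
function buildSandboxEnv(requiredEnvVars, store) {
  const env = {};
  for (const name of requiredEnvVars) {
    const rec = store.get(name);
    if (!rec) throw new Error(`missing credential: ${name}`);
    env[name] = decryptCredential(rec);
  }
  return env;
}

// Constructed sample values, not real keys.
const store = new Map();
store.set('GEMINI_API_KEY', encryptCredential('GEMINI_API_KEY', 'AIzaSyEXAMPLEONLYxyz1'));
store.set('OPENAI_API_KEY', encryptCredential('OPENAI_API_KEY', 'sk-EXAMPLEONLY0000abcd'));
```

Only the `masked` field would ever be returned to a client; the object from `buildSandboxEnv` is what gets injected into the sandbox and then discarded with it.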

## What we never do

- Never log decrypted credential values.
- Never return full keys from any API response.
- Never store keys in plaintext.
- Never transmit keys to the client side.
- Never share credentials between users or sessions.

## Skill security scanning

Every skill imported into SkillzDrive — whether from the
marketplace, GitHub, or a direct upload — goes through an
automated security scan. Each skill receives a safety grade from
**A** to **F** so you can make an informed decision about what
enters your drive.

### What we scan for

- **Vulnerability detection** — dependencies are checked against known CVE databases via Snyk integration.
- **Code analysis** — static analysis identifies injection vulnerabilities, unsafe patterns, and security flaws in source code.
- **Skill-specific audit** — a proprietary scanner evaluates skill instructions and scripts for prompt injection, data exfiltration, and other agent-specific risks.
- **AI expert review** — when issues are found, Claude Opus evaluates the skill's intent and legitimacy and provides a clear safe/caution/unsafe recommendation.

### Safety grades

Scan results are distilled into a letter grade that appears on
skill cards, in your drive, and in MCP tool responses:

| Grade | Risk level | What it means |
|-------|------------|---------------|
| A | No known risks | Clean across all checks |
| B | Low risk | Minor issues, generally safe |
| C | Medium risk | Review before using in production |
| D | High risk | Significant issues — use with caution |
| F | Critical risk | Serious vulnerabilities or unsafe behavior detected |

Scan results are cached and automatically refreshed when a skill's
source code changes. You never need to request a scan manually.

## Script isolation

Scripts run in isolated sandboxes:

- **Separate Linux container** per execution.
- **No network access** between sandboxes.
- **No persistent storage** — sandbox destroyed after use.
- **Timeout enforcement** — scripts killed after configured limit.

## API key security

| Feature | Description |
|---------|-------------|
| Key format | `sk_live_` prefix for easy identification |
| Expiration | Optional `expires_at` date |
| Rate limiting | Per-minute request limits |
| Skill restrictions | Optional `allowed_skill_ids` whitelist |
| Monthly quotas | Execution count limits |

## User responsibilities

Security is a shared responsibility:

- Keep API keys rotated according to each provider's recommendations.
- Use least-privilege keys (e.g. read-only if the skill only reads).
- Revoke leaked keys immediately and update them in Account settings.
- Monitor your usage via the dashboard for unexpected activity.

## Reporting security issues

If you discover a security vulnerability, contact us through the link
in the dashboard. Do not file a public issue.

## Next steps

- [Authentication](https://www.skillzdrive.com/docs/guides/authentication.md): API keys, OAuth 2.0, securing your integration.
- [Custom agent integration](https://www.skillzdrive.com/docs/agent-integration.md).
- [Quickstart](https://www.skillzdrive.com/docs/quickstart.md).
