Add get-api-key skill — generic SaaS API-key extraction #112

Open: shubh24 wants to merge 1 commit into main from shubh24/get-api-key-skill

@shubh24 shubh24 commented May 19, 2026

Summary

  • Adds a new get-api-key skill that drives any authenticated SaaS dashboard via the browse CLI to create or reveal an API key
  • Phase 0 reads the vendor's own docs (canonical URL guess first, Google fallback) to learn the flow before navigating — avoids hardcoded site-specific selectors
  • Documents both local (auto-connect Chrome) and remote (Browserbase cloud + cookie-sync persistent context) auth paths, including the 5-minute idle-session caveat and Chrome 136+ debug-port mitigation

What's inside

  • skills/get-api-key/SKILL.md — the skill prompt, structured as Phase 0 (docs) → Phase 1 (verify auth) → Phase 2 (find keys page) → Phase 3 (reveal/create) → Phase 4 (capture) → Phase 5 (return JSON)
  • skills/get-api-key/LICENSE.txt — MIT, matching repo convention

How it's generic

  • No hardcoded site URLs, selectors, or button labels in the skill body
  • Cross-SaaS UX patterns are documented as principles (custom comboboxes vs native selects, varied confirm labels, secret-in-snapshot extraction) rather than per-site recipes
  • Phase 0 doc-reading replaces the need for site-specific knowledge in the skill itself

Validation

Built via autobrowse iteration across five sites:

  • Browserbase (reveal flow, bb_live_)
  • OpenAI (create flow, sk-proj-)
  • Anthropic Console (create flow, sk-ant-api03-)
  • Vercel (create flow with combobox scope picker, vcp_)
  • GitHub fine-grained PAT (Phase 0 doc-reading validated — agent went straight to canonical docs URL, extracted steps, navigated to /settings/personal-access-tokens/new and filled the form correctly in 13 turns)

Test plan

  • Pick a SaaS the agent has never seen (e.g. Resend, Linear, Stripe test mode) and run the skill end-to-end
  • Verify Phase 0 fires (doc_url_used populated in the returned JSON)
  • Verify the agent falls back gracefully when docs are unavailable (Google blocked, vendor has no public docs, etc.)
  • Confirm the remote-mode flow recovers from a mid-task BB session expiry by reusing the persistent context

🤖 Generated with Claude Code


Note

Low Risk
Low risk: adds new documentation-only skill files with no runtime code changes; primary risk is users following the workflow to generate/expose real API secrets.

Overview
Adds a new get-api-key skill (skills/get-api-key/SKILL.md) that outlines a generic browse-CLI workflow to locate a SaaS API-keys page (optionally by first reading vendor docs), create/reveal a key, and return a standardized JSON payload including the secret.

Includes setup guidance for local Chrome vs Browserbase remote sessions (with cookie syncing and session-expiry caveats), plus a new MIT LICENSE.txt for the skill.

Reviewed by Cursor Bugbot for commit 655b4a5. Bugbot is set up for automated code reviews on this repo. Configure here.
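
An added example, not part of the PR or the skill: because the returned JSON carries the secret, anything that logs or stores the result can mask it first. It keys off the four key prefixes in the validation list above; the key-body pattern and the `api_key` and `notes` field names are assumptions.

```python
import json
import re

# Key prefixes named in the PR's validation list.
KEY_PREFIXES = ("bb_live_", "sk-proj-", "sk-ant-api03-", "vcp_")

# Assumption: a key is a prefix followed by 8+ URL-safe characters.
_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])("
    + "|".join(re.escape(p) for p in KEY_PREFIXES)
    + r")[A-Za-z0-9_-]{8,}"
)


def redact(value):
    """Return a copy of value with every prefixed key masked, at any depth."""
    if isinstance(value, str):
        return _KEY_RE.sub(lambda m: m.group(1) + "[REDACTED]", value)
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_line(result: dict) -> str:
    """Serialize a skill result for logs or transcripts with secrets masked."""
    return json.dumps(redact(result), sort_keys=True)


# Constructed sample result. "success" and "doc_url_used" appear in the PR;
# "api_key" and "notes" are hypothetical field names, and the key values are
# made up.
SAMPLE = {
    "success": True,
    "doc_url_used": "https://docs.example.com/api-keys",
    "api_key": "bb_live_CONSTRUCTED0000000001",
    "notes": ["also created vcp_CONSTRUCTED0000000002 for the staging scope"],
}

if __name__ == "__main__":
    print(log_line(SAMPLE))
```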

Drives any authenticated SaaS dashboard via the browse CLI to create or
reveal an API key. Reads the vendor's own docs (Phase 0) to learn the
flow, then executes against the UI — avoids hardcoding site-specific
selectors so the skill generalizes to dashboards it's never seen.

Includes:
- Phase 0 doc-reading via browse-driven Google search + canonical URL
  fallback (validated on GitHub fine-grained PATs).
- Local (auto-connect to Chrome) and remote (Browserbase cloud +
  cookie-sync persistent context) auth-setup paths.
- Remote-mode caveat documenting the 5-minute idle session expiry,
  with API recovery snippet.
- Generic cross-SaaS UX patterns (custom comboboxes vs native selects,
  varied confirm-button labels, secret-in-snapshot extraction).
- Failure-recovery playbook for billing prompts, sudo re-auth, stale
  refs, and session loss.

Validated on Browserbase, OpenAI, Anthropic, Vercel, and GitHub
(fine-grained PAT) via autobrowse iteration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@shubh24 shubh24 requested a review from shrey150 May 19, 2026 00:10

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

browse get url
```
- URL contains the dashboard host AND NOT `/sign-in`, `/login`, `/auth` → proceed.
- Otherwise → return `{"success": false, "error_reasoning": "not authenticated"}`. Do NOT try to log in.
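
Review bot: The "URL contains the dashboard host" test in the first bullet is a substring match over the whole URL, so a page on another host that carries the dashboard host in its query string or path passes it as long as none of `/sign-in`, `/login`, `/auth` appears. Suggest wording the check as "the URL's parsed hostname equals the dashboard host and its path has no `/sign-in`, `/login` or `/auth` segment", and giving the "Otherwise" bullet a separate outcome for "not on the dashboard" so that case is not reported as "not authenticated".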

Phase 0 navigates away, Phase 1 auth check fails

Medium Severity

Phase 0 navigates the browser to external docs/Google pages, then Phase 1 immediately runs browse get url and checks whether the URL belongs to the dashboard host. After Phase 0, the URL will be a docs page, so Phase 1's check ("URL contains the dashboard host") will fail and the agent will incorrectly return "not authenticated". There's no instruction between phases to navigate back to the target dashboard before the auth verification.

Reviewed by Cursor Bugbot for commit 655b4a5. Configure here.
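
The Phase 1 check discussed in this review, as an added example that is not code from the PR or the skill: it parses the URL returned by `browse get url` and separates "still on another host after Phase 0" from "on the dashboard's login page". The `action` values, the `current_host` field and the sample URLs are hypothetical.

```python
from urllib.parse import urlsplit

# Path segments the skill text treats as "not signed in".
LOGIN_SEGMENTS = {"sign-in", "login", "auth"}


def naive_check(url: str, dashboard_host: str) -> bool:
    """Literal reading of the rule: substring tests over the whole URL."""
    return dashboard_host in url and not any(f"/{s}" in url for s in LOGIN_SEGMENTS)


def phase1_decision(url: str, dashboard_host: str) -> dict:
    """Classify the current URL using the parsed hostname and path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host != dashboard_host.lower():
        # Expected right after Phase 0: the tab is still on docs or search.
        return {"action": "navigate_to_dashboard", "current_host": host}
    segments = {seg.lower() for seg in parts.path.split("/") if seg}
    if segments & LOGIN_SEGMENTS:
        return {"action": "stop",
                "result": {"success": False, "error_reasoning": "not authenticated"}}
    return {"action": "proceed"}


# Constructed sample URLs (example.com hosts are placeholders).
HOST = "dashboard.example.com"
SAMPLES = {
    "keys_page": "https://dashboard.example.com/settings/api-keys",
    "login_redirect": "https://dashboard.example.com/login?next=%2Fsettings",
    "after_phase0": "https://docs.example.com/guide?from=dashboard.example.com",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, naive_check(url, HOST), phase1_decision(url, HOST)["action"])
```

On the `after_phase0` sample the substring check passes a docs page as the dashboard, while the parsed check asks for navigation back instead of reporting "not authenticated".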
