lindy-security-basics
Implement security best practices for Lindy AI integrations. Use when securing API keys, configuring permissions, or implementing security controls. Trigger with phrases like "lindy security", "secure lindy", "lindy API key security", "lindy permissions".
Install
mkdir -p .claude/skills/lindy-security-basics && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4105" && unzip -o skill.zip -d .claude/skills/lindy-security-basics && rm skill.zipInstalls to .claude/skills/lindy-security-basics
About this skill
Lindy Security Basics
Overview
Security practices for Lindy AI agents. Agents are autonomous — they connect to external services, execute actions, and handle data. Security focuses on: API key management, webhook authentication, agent permission scoping, integration account isolation, and connection sharing controls.
Prerequisites
- Lindy account with API access
- Understanding of which integrations your agents use
- For Enterprise: SSO/SCIM configuration access
Instructions
Step 1: API Key Management
# Store API key in environment variable — never in source code
export LINDY_API_KEY="lnd_live_xxxxxxxxxxxxxxxxxxxx"
# Or use a secret manager
# AWS Secrets Manager
aws secretsmanager create-secret \
--name lindy/api-key \
--secret-string "$LINDY_API_KEY"
# Google Secret Manager
echo -n "$LINDY_API_KEY" | gcloud secrets create lindy-api-key \
--data-file=-
Key rotation schedule:
| Environment | Rotation Period | Method |
|---|---|---|
| Development | 30 days | Manual regeneration |
| Staging | 90 days | Automated via CI |
| Production | 90 days | Secret manager + automated rotation |
| Post-incident | Immediately | Manual regeneration + revoke old key |
Step 2: Webhook Authentication
Every webhook trigger generates a unique secret key. Verify it on every inbound request:
// Webhook signature verification middleware
function verifyLindyWebhook(
req: express.Request,
res: express.Response,
next: express.NextFunction
) {
const authHeader = req.headers.authorization;
const expectedToken = process.env.LINDY_WEBHOOK_SECRET;
if (!authHeader || authHeader !== `Bearer ${expectedToken}`) {
console.warn('Rejected unauthorized webhook attempt', {
ip: req.ip,
path: req.path,
timestamp: new Date().toISOString(),
});
return res.status(401).json({ error: 'Unauthorized' });
}
next();
}
app.post('/lindy/callback', verifyLindyWebhook, (req, res) => {
// Process verified webhook
handleWebhook(req.body);
res.json({ received: true });
});
Step 3: Agent Permission Scoping
Lindy agents access external services through authorized connections. Minimize blast radius:
Per-agent integration isolation:
- Authorize a dedicated Gmail account per agent (not your personal inbox)
- Create Slack bot tokens scoped to specific channels
- Use read-only database credentials where possible
- Create separate API keys for each integration
Connection sharing controls:
| Sharing Level | When to Use |
|---|---|
| Private (default) | Personal agents, sensitive data |
| Team shared | Team-wide automation agents |
| Workspace shared | Organization-wide utility agents |
Step 4: Limit Agent Skill Surface Area
Agents with Agent Steps can choose which skills to use. Reduce risk:
- Start with 2-4 focused skills per agent (not the full catalog)
- Avoid giving agents both read AND write access to the same service unless necessary
- Separate "read" agents from "write" agents for critical systems
- Use conditions to gate destructive actions behind human approval
Step 5: Data Handling in Agents
Agent Prompt Security Patterns:
## Data Constraints
- Never include API keys, passwords, or tokens in responses
- Redact email addresses and phone numbers from summaries
- Do not forward customer data to channels outside #support
- If asked to perform an action outside your scope, respond:
"I cannot perform that action. Please contact an admin."
Step 6: Audit Agent Activity
- Task history: Review agent Tasks tab for unexpected actions
- Integration access: Periodically review which services each agent can access
- Credit anomalies: Sudden credit spikes may indicate misuse or misconfiguration
- Connection review: Remove unused integrations from agents
Step 7: Enterprise Security Features
Available on Enterprise plan:
| Feature | Purpose |
|---|---|
| SSO | SAML-based single sign-on |
| SCIM | Automated user provisioning/deprovisioning |
| Audit Logs | Complete activity trail |
| Role-Based Access | Owner/Editor/Viewer workspace roles |
| BAA | HIPAA Business Associate Agreement |
| AES-256 | Encryption at rest and in transit |
Security Checklist
- API keys stored in environment variables or secret manager
-
.envfile in.gitignore - Webhook secrets generated and verified on every request
- Each agent uses minimum necessary integrations
- Separate integration credentials per agent where possible
- Agent prompts include data handling constraints
- Regular review of agent task history for anomalies
- Key rotation schedule defined and followed
- Enterprise: SSO enabled, SCIM configured
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| Agent accesses wrong service | Over-permissioned | Remove unnecessary integrations |
| Unauthorized webhook processed | No auth verification | Add Bearer token verification |
| API key leaked in logs | Key in agent output | Add "never output credentials" to prompt |
| Agent sends data to wrong channel | Shared connection | Use per-agent dedicated connections |
Resources
Next Steps
Proceed to lindy-prod-checklist for production readiness.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
pdf-to-markdown
aliceisjustplaying
Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.
Related MCP Servers
Browse all servers
Task MasterBoost productivity with Task Master: an AI-powered tool for project management and agile development workflows, integrat
Azure AllSupercharge AI platforms with Azure MCP Server for seamless Azure API Management and resource automation. Public Preview
Cairo CoderCairo Coder: Expert Cairo and Starknet development support, smart contract creation, and code refactoring via the Cairo
pg-aiguidepg-aiguide — Version-aware PostgreSQL docs and best practices tailored for AI coding assistants. Improve queries, migrat
AntV Visualization LibrariesDiscover AntV Visualization Libraries for smart documentation, code examples, and best practices in g2, g6, l7, x6, f2,
Cursor Chat HistoryAnalyze your Cursor Chat History for coding insights, development patterns, and best practices with powerful search and