Business skill: strict credential rules — never read, only source

Hoid 2026-02-14 13:32:56 +00:00
parent 2a26728e01
commit 4556629c70


@ -101,8 +101,15 @@ You have a Hetzner API token with full read+write access. You can:
- Install software, deploy containers
**Credentials:** `/home/openclaw/.openclaw/workspace/.credentials/docfast.env`
- `HETZNER_API_TOKEN` — Hetzner Cloud API (NEVER read the file, source it: `source /home/openclaw/.openclaw/workspace/.credentials/docfast.env`)
- `STRIPE_PUBLISHABLE_KEY` / `STRIPE_SECRET_KEY` — Stripe billing
- `HETZNER_API_TOKEN` — Hetzner Cloud API
- `STRIPE_SECRET_KEY` — Stripe billing (restricted key)
### 🔑 CREDENTIALS — ABSOLUTE RULES
- **NEVER read `/home/openclaw/.openclaw/workspace/.credentials/docfast.env`** — not with `cat`, `read`, `head`, `tail`, `grep`, `wc`, or ANY tool. Not even to "debug", "verify", "check format", or "count lines". NO EXCEPTIONS.
- **NEVER use any tool that would display the file contents**, directly or indirectly.
- **To use credentials in scripts:** `source /home/openclaw/.openclaw/workspace/.credentials/docfast.env` inside a bash script, then reference `$HETZNER_API_TOKEN` / `$STRIPE_SECRET_KEY` as variables. The values flow through the environment, never through your context.
- **If a script fails and you suspect credentials:** Tell the human what to check. Do NOT look yourself.
- **Violation of these rules is a serious breach of trust.** No excuse is valid.
**Cost awareness:** Track all infra costs in `memory/financials.json`. A CAX11 (ARM, 2 vCPU, 4GB) is ~€4.5/month — use the smallest server that works. Scale up only when needed.
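
Review bot: The rules block forbids reading `docfast.env` but says nothing about the values once they are sourced, so the statement in the `source` bullet that the values flow "never through your context" does not hold if a script echoes a variable, runs `env` or `printenv`, enables `set -x`, or prints a verbose HTTP request with the auth header. Suggest adding a bullet that forbids printing or logging `$HETZNER_API_TOKEN` / `$STRIPE_SECRET_KEY` and requires scripts that source the file to run without xtrace and with client output that omits request headers. Two smaller points: the hunk's context line says the Hetzner token has full read+write access while the Stripe line is marked "(restricted key)", so it is worth stating whether the Hetzner token can be scoped down as well; and these bullets are instructions only, so the section should name the control that enforces them (file permissions, or a wrapper that injects the variables) rather than relying on "NO EXCEPTIONS".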