diff --git a/skills/pass-mgr/SKILL.md b/skills/pass-mgr/SKILL.md
index 08edff5..ff5d8a7 100644
--- a/skills/pass-mgr/SKILL.md
+++ b/skills/pass-mgr/SKILL.md
@@ -33,12 +33,13 @@ Always invoke pass_mgr through the `pcexec` tool. Do NOT run pass_mgr directly.
 
 ## Usage notes
 
-- Treat all outputs as sensitive. Do not echo secrets unless explicitly requested.
+- Treat all outputs as sensitive. Never echo secrets.
 - When the agent needs credentials to access a resource, first try `list` to see if a matching key already exists before asking the user.
 - Prefer `generate` when the user wants a new secret or password.
 - Use `set` to store both username and secret in one step.
 - Use `get-username` and `get-secret` for retrieval.
 - Storing can be explicit (user asks) or proactive after the agent successfully registers/creates an account.
+- Secrets should be fetched and used immediately in a command, not displayed (e.g., `xxx_cli login --user $(pass_mgr get-username some_key) --pass $(pass_mgr get-secret some_key)`).
 
 ## Examples (pcexec)