From 5f7b6a8013a3f744228d32d46d169fa540aa1553 Mon Sep 17 00:00:00 2001
From: Hatter Jiang <jht5945@gmail.com>
Date: Sat, 4 Apr 2026 12:06:21 +0800
Subject: [PATCH] update readme

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index fb0e62a..66e46c6 100644
--- a/README.md
+++ b/README.md
@@ -7,3 +7,11 @@
 | postmessage| Post a message to Hatter showing how to handle a confidential token |
 
 
+## SKILL Internals
+
+### How `get-secret.ts` works?
+
+On Alibaba Cloud ECS/Simple Application Server, `get-secret.ts` retrieves a PKCS#7 identity document from `100.100.100.200`. It uses this Alibaba Cloud-signed document to request secrets from the service. The server verifies the signature to authenticate the client before returning the secret value.
+
+在阿里云 ECS 或轻量应用服务器环境中，`get-secret.ts` 脚本首先从元数据服务地址 `100.100.100.200` 获取 PKCS#7 格式的身份文档。随后，脚本利用该由阿里云签名的文档向密钥管理服务发起获取请求。服务端在核验签名以完成客户端身份认证后，才会返回相应的密钥值。
+