I noticed there are a lot of world-readable `www/python/src/config.yaml` files in tool home directories. (This is the standard configuration file path for Flask-based tools following the [Wikitech guide](https://wikitech.wikimedia.org/wiki/Help:Toolforge/My_first_Flask_OAuth_tool) and/or [cookiecutter-toolforge](https://github.com/lucaswerkmeister/cookiecutter-toolforge).) 21 of them seem to contain a [secret key](https://flask.palletsprojects.com/en/2.0.x/config/#SECRET_KEY) (Flask’s way of protecting the session cookie against tampering) and/or OAuth credentials.
```lang=shell-session
lucaswerkmeister@tools-sgebastion-07:~$ for file in /data/project/*/www/python/src/config.yaml; do if grep -qi -e secret_key -e oauth "$file" 2>/dev/null; then printf '%s\n' "$file"; fi; done
/data/project/brazilianlaws/www/python/src/config.yaml
/data/project/clpo13-flask/www/python/src/config.yaml
/data/project/funpedia/www/python/src/config.yaml
/data/project/glam2commons/www/python/src/config.yaml
/data/project/image-annotator/www/python/src/config.yaml
/data/project/ipwatcher/www/python/src/config.yaml
/data/project/k8s-status/www/python/src/config.yaml
/data/project/massmailer/www/python/src/config.yaml
/data/project/qrcode-generator/www/python/src/config.yaml
/data/project/sibutest/www/python/src/config.yaml
/data/project/toolviews/www/python/src/config.yaml
/data/project/tsbot/www/python/src/config.yaml
/data/project/visualcategories/www/python/src/config.yaml
/data/project/wdbeoupdate/www/python/src/config.yaml
/data/project/wikibrasoes/www/python/src/config.yaml
/data/project/wikifile-transfer/www/python/src/config.yaml
/data/project/wikimarcas/www/python/src/config.yaml
/data/project/wikimotivos/www/python/src/config.yaml
/data/project/wikiquantos/www/python/src/config.yaml
/data/project/wikiroupas/www/python/src/config.yaml
/data/project/wikiusos/www/python/src/config.yaml
```
(Specifically, 19 files match SECRET_KEY and 19 match OAuth, both case-insensitively; the two sets mostly but not entirely overlap. Also, until a few hours ago, Wikidata Lexeme Forms was another one of these tools, see T286414.)
These should probably all be only user-accessible (`chmod 600`).
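As an added example (not part of this task or of any Toolforge tooling), the script below turns the one-liner above into a reusable check: it lists every `<tool>/www/python/src/config.yaml` under a root directory that both has the other-read permission bit set and matches `secret_key` or `oauth`, and it offers a `lock_down` helper that applies `chmod 600`. Unlike the one-liner, which only skips files the current user cannot read, this version tests the mode bits directly, so it also catches files the current account can read through group membership. The function names (`find_leaky_configs`, `lock_down`, `count_leaky_configs`, `make_sample_tree`) and the three tool directories the sample tree creates are assumptions made here for illustration; the sample tree is constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the task author or from Toolforge.
# Finds Flask config.yaml files that are world-readable AND contain a
# SECRET_KEY or OAuth credentials, then locks them down to the owner.

# Print each $1/<tool>/www/python/src/config.yaml that is world-readable
# (other-read bit set) and matches secret_key or oauth case-insensitively.
find_leaky_configs() {
    _root=$1
    for _file in "$_root"/*/www/python/src/config.yaml; do
        [ -f "$_file" ] || continue          # skip unexpanded glob / non-files
        # POSIX find: -perm -004 matches only when the "other" read bit is set,
        # so this reports the file even if we could read it via group membership.
        if [ -n "$(find "$_file" -perm -004)" ] &&
           grep -qi -e secret_key -e oauth "$_file" 2>/dev/null; then
            printf '%s\n' "$_file"
        fi
    done
}

# Restrict a config file to its owner (the tool account that runs the webservice).
lock_down() {
    chmod 600 "$1"
}

# Number of leaky configs under $1; handy for scripts and checks.
count_leaky_configs() {
    find_leaky_configs "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree with three constructed (hypothetical) tools so the
# functions above can be exercised offline. Prints the root directory.
make_sample_tree() {
    _sroot=$(mktemp -d)
    for _tool in leaky safe public; do
        mkdir -p "$_sroot/$_tool/www/python/src"
    done
    # secret AND world-readable: must be reported
    printf 'SECRET_KEY: "constructed-not-a-real-key"\n' \
        > "$_sroot/leaky/www/python/src/config.yaml"
    chmod 644 "$_sroot/leaky/www/python/src/config.yaml"
    # secret but already owner-only: must NOT be reported
    printf 'oauth:\n  consumer_key: "constructed"\n  consumer_secret: "constructed"\n' \
        > "$_sroot/safe/www/python/src/config.yaml"
    chmod 600 "$_sroot/safe/www/python/src/config.yaml"
    # world-readable but holds nothing sensitive: must NOT be reported
    printf 'DEBUG: false\n' > "$_sroot/public/www/python/src/config.yaml"
    chmod 644 "$_sroot/public/www/python/src/config.yaml"
    printf '%s\n' "$_sroot"
}

# Demo against the constructed tree: run with "--demo".
# On a real Toolforge bastion you would call: find_leaky_configs /data/project
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "Leaky before lock-down:"
    find_leaky_configs "$root"
    find_leaky_configs "$root" | while IFS= read -r f; do lock_down "$f"; done
    echo "Leaky after lock-down (expect none):"
    find_leaky_configs "$root"
    rm -rf "$root"
fi
```

Run it as `sh check_configs.sh --demo` to see the constructed tree before and after, or source it and call `find_leaky_configs /data/project` on a bastion; the `grep` patterns are the same as in the one-liner above, so adding further secret names (for example `password` or `token`) is a one-line change.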
==== Affected tools
[ ] brazilianlaws
[ ] clpo13-flask
[ ] funpedia
[ ] glam2commons
[ ] image-annotator
[X] ipwatcher
[ ] k8s-status
[X] massmailer
[ ] qrcode-generator
[ ] sibutest
[ ] toolviews
[X] tsbot
[ ] visualcategories
[X] wdbeoupdate (test tool)
[ ] wikibrasoes
[ ] wikifile-transfer
[ ] wikimarcas
[ ] wikimotivos
[ ] wikiquantos
[ ] wikiroupas
[ ] wikiusos