Secret Exposure Gate
v1.0.0
Checks, before release, whether a directory contains secret keys, tokens, private URLs, certificate fragments or credential files.
Use for: secrets, security, preflight workflows.
Do not use for: displaying full key values, modifying user files.
by vx:17605205782@52yuanchangxing
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (secret preflight scanning) align with required binaries (python3), included scripts, and resource files. The skill operates on a user-supplied path and only needs local filesystem access — this is proportionate to the stated purpose.
Instruction Scope
SKILL.md restricts behavior (do not display full keys, do not modify files) and instructs running the local script or generating output from templates. The provided script follows those boundaries overall, but its redaction is inconsistent: the 'secret_like' pattern is masked, but other findings (e.g., private URLs, command snippets) may be emitted verbatim (snippet truncated to 160 chars). This is a minor mismatch with the 'do not display full key values' guideline and could expose sensitive URL paths or fragments in some cases.
Install Mechanism
No install spec; script is instruction-only with a local Python script included. This is low-risk: nothing is downloaded or installed automatically. The only runtime requirement is python3 (declared).
Credentials
No environment variables, credentials, or config paths are requested. The script reads files from the user-provided directory only, which matches the scanning purpose.
Persistence & Privilege
Skill is not always:true, does not request persistent privileges, and contains no code that modifies other skills or global agent settings. Autonomous invocation is allowed (default) but not excessive given the skill's local audit role.
Assessment
This skill appears to be what it says: a local, read-only preflight scanner implemented in a Python script and templates. Before installing/using it: (1) Only run it against directories you expect it to read — it will open and scan text files under the provided path. (2) The script masks long-looking secrets matched by the 'secret_like' regex, but other matches (private URLs, command snippets) may be shown verbatim or partially; avoid pointing it at production secrets you cannot re-share. (3) Review and, if needed, extend the redaction rules (e.g., mask full URLs or additional secret patterns) and test on a non-sensitive sample. (4) Use --dry-run and inspect output locally; do not pipe results to external services without redaction. If the script ever attempts network access, asks for credentials, or an install spec appears that downloads code from an external URL, re-evaluate (those would change the assessment).
Like a lobster shell, security has layers — review code before you run it.
latest: vk974q0gjkff7eag5tv780zzbm583765g
Runtime requirements
🔐 Clawdis
OS: macOS · Linux · Windows
Bins: python3
