Secret Detection

v1.0.0

Git hook to detect secrets before commit.

by Derick (@derick001)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python script all implement a git pre-commit secret scanner. Requested binaries (git, python3) are appropriate and used by the script (git used to list staged files; python3 runs the scanner). No unexpected services or credentials are required.
Instruction Scope
Instructions focus on installing a repo-local pre-commit hook and scanning staged or specified files, which matches the code. Minor discrepancies: SKILL.md and README state the script prints the first 20 characters of detected secrets, but the hook-run path prints up to 60 characters of the file content in the commit-blocking output. The script reads file contents and prints matched secret substrings to stdout — expected for identification but a potential privacy/secret-leak risk (terminal, CI logs).
Install Mechanism
No remote downloads or package installs; install simply writes a .git/hooks/pre-commit file that invokes the local script. This is standard for repo-local git hooks and does not introduce high-risk install behavior.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. However, it prints portions of detected secrets to the console (and JSON output includes the secret in full under 'secret' field), which may expose secrets to terminal history, CI logs, or other observers. Consideration should be given to redaction before printing/storing findings.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. Its install writes only to the repository's .git/hooks directory; it does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: a local git pre-commit scanner implemented in Python that requires git and python3. Before installing, review the script (scripts/main.py) yourself. Key points to consider:

  • The scanner prints matched secrets (it includes a 'secret' field in its JSON output and prints a substring to the console). That can expose sensitive values in terminal history or CI logs — if you use this in CI or shared terminals, prefer redaction or change the script to mask secrets (e.g., show only the match type and filename/line, not the secret substring).
  • Installation is repo-local (.git/hooks/pre-commit). It will only run in that repository; it does not request external network access or credentials.
  • The README/SKILL.md claim it prints the first 20 characters of secrets, but the hook output prints up to 60 characters of file content — a small inconsistency to be aware of and correct if you want stricter redaction.
  • If you need organization-wide enforcement, consider a vetted tool (e.g., git-secrets, pre-commit frameworks, or a centralized scanning solution) rather than per-repo hooks.

If you decide to install: run the script in a test repository first, and consider editing the scanner to mask or not include the actual secret value in outputs and saved logs.


Runtime requirements

Bins: git, python3
Latest version id: vk97em5c8bjax8mcs630v7nq70581vv8z
376 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
License: MIT-0

Secret Detection

What This Does

This skill provides a git pre-commit hook that scans staged files for common secret patterns (API keys, passwords, tokens) and blocks the commit if any are found. It helps prevent accidental leakage of secrets to public repositories.

Inputs: Git staged files (automatically scanned by the hook) or manual file paths.
Outputs: Detection report with line numbers; non-zero exit code if secrets found.

When To Use

Use this skill when:

  • You work with repositories that may contain sensitive credentials
  • You want to prevent accidental commits of secrets
  • You need a lightweight, local secret scanner for git workflows
  • You want to enforce security checks before pushing to remote

Usage

Installation

# Install the hook in your git repository
./scripts/main.py install

Manual Scan

# Scan specific files
./scripts/main.py scan --file path/to/file

# Scan all staged files (like the hook does)
./scripts/main.py scan --staged

Hook Behavior

  • The hook runs automatically on git commit
  • If secrets are detected, the commit is blocked
  • The script prints the detected secrets with file names and line numbers
  • Exit code 0 = no secrets found; exit code 1 = secrets found

Examples

Example 1: Installing the Hook

$ ./scripts/main.py install
✓ Pre-commit hook installed at .git/hooks/pre-commit
✓ Hook will scan for secrets on every commit

Example 2: Secret Detection Blocking a Commit

$ git commit -m "Add config"
⚠️  Secret detected in config.yaml line 12: AWS_ACCESS_KEY_ID=AKIA...
⚠️  Secret detected in .env line 3: PASSWORD=secret123
✗ Commit blocked: 2 secrets found

Example 3: Manual Scan

$ ./scripts/main.py scan --staged
Scanning 3 staged files...
✓ config.yaml: clean
✓ .env: clean
✓ src/main.py: clean
✓ No secrets found

Requirements

  • Git (for hook installation)
  • Python 3.6+ (for the scanner)
  • No external API keys or services needed

Limitations

  • Only detects common secret patterns (AWS keys, GitHub tokens, passwords, etc.)
  • May produce false positives (e.g., long random strings that aren't actually secrets)
  • Does not scan binary files
  • Requires manual installation per repository
  • Does not replace comprehensive secret-management solutions
  • Prints first 20 characters of detected secrets to console for identification purposes
