Doro Git Secrets Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Git secret-scanning guide, but its history-rewrite cleanup steps need careful human judgment.

Install only trusted versions of the referenced tools. Treat scan results as confidential because they may expose live secrets. Rotate leaked credentials first, and only rewrite Git history or force-push after backing up the repository, coordinating with collaborators, and understanding how teammates will recover their local clones.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs users to rewrite Git history and then force-push, which is a destructive operation that can disrupt collaborators, invalidate forks/PRs, and permanently alter repository history. Although it includes a brief 'use cautiously' note, it does not explicitly warn about the operational impact, recovery requirements, or coordination steps needed before rewriting shared history.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
1. **Revoke immediately** - regenerate the API key
2. **Remove from history** - delete the sensitive data from the git history
3. **Force push** - `git push --force` (use with caution)
4. **Notify the team** - inform the other developers

### Cleaning history with BFG
Confidence
89% confidence
Finding
`git push --force` (use with caution)
4. **Notify the team** - inform the other developers

### Cleaning history with BFG

```bash
# Install BFG
brew install bfg
# Remove sensitive files
bfg --delete-files .env
# Replace sensitive strings
bfg --replace-text passwords.txt
# Force push
git push --force
```

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal