ggshield Secret Scanner
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: ggshield-scanner
Version: 1.0.2
The skill is classified as suspicious due to its reliance on executing external binaries (`ggshield`, `git`, and implicitly `docker`) via `subprocess.run` and its ability to install git hooks, which modifies the local git repository. While these high-risk capabilities (shell execution, file system modification, network access via `ggshield` to GitGuardian API) are transparently documented in SKILL.md and README.md and are necessary for the stated purpose of a secret scanning tool, they represent significant potential for misuse if the `ggshield` binary itself were compromised or if the skill were to be modified. There is no clear evidence of intentional malicious behavior or prompt injection attempts against the agent within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can run ggshield against local repositories, files, staged changes, or Docker images that the user or agent selects.
The skill executes the local ggshield CLI with arguments derived from its scan methods. This is central to the stated purpose and uses an argument list rather than a shell, but it still gives the agent a local scanning tool over user-specified paths/images.
command = ["ggshield", *args]
...
result = subprocess.run(command, capture_output=True, text=True, env=env)
Only authorize scans for intended project paths or images, and make sure the ggshield binary on PATH is the trusted GitGuardian CLI.
The skill can use the configured GitGuardian account for scans, and the API key must be protected like any other credential.
The skill requires a GitGuardian API key and passes it into the ggshield subprocess environment. This is expected for GitGuardian scanning, but it is still account credential use.
self.api_key_env = "GITGUARDIAN_API_KEY"
...
env = {**os.environ, self.api_key_env: api_key}
Use a revocable, least-privileged GitGuardian API key where possible, store it outside the repository, and rotate it if exposed.
Some information about scanned files and findings may leave the local environment for GitGuardian's service.
The documentation discloses that scan metadata is sent to GitGuardian. This provider data flow is purpose-aligned, but file paths, line numbers, and detection metadata can still be sensitive.
What Data is Sent to GitGuardian? ... Hash of the secret pattern ... File path (relative path only) ... Line number
Review GitGuardian's current privacy documentation and avoid scanning repositories or files whose metadata must not be shared with the provider.
Future commits or pushes in that repository may be blocked if ggshield detects secrets.
The install_hooks method installs a local git hook that continues running on future commits or pushes. This persistence is disclosed and purpose-aligned, but it changes repository behavior after the initial agent action.
self._run_ggshield("install", "--mode", "local", "--hook-type", hook_type)
Require explicit user approval before installing hooks and document how to remove or change them if they interfere with workflow.
Users could be unsure whether they are installing an official GitGuardian-maintained skill or a third-party wrapper.
The README's manual install source differs from the supplied registry homepage pointing to a GitGuardian organization repository. This is not evidence of malicious behavior, but it is a provenance detail users should verify for a security-related skill.
git clone https://github.com/achillemascia/ggshield-skill.git ~/.moltbot/skills/ggshield-scanner
Verify the intended repository, maintainer, and package source before installation, especially because the skill handles code-scanning and an API key.
