DCL Secret Leak Detector

v1.0.1

Instruction-only runtime secret and credential leak detector for AI agents and LLM pipelines. Catches API keys, tokens, private keys, database URLs, and .env...

by Dari Rinch (@daririnch)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Benign, high confidence
Purpose & Capability
The skill is an instruction-only secret/credential detector. It declares no installs, binaries, env vars, or credentials and its detection checklist and output (hashes, redacted samples, verdicts) align with that purpose.
Instruction Scope
SKILL.md gives a clear, bounded checklist: scan provided conversation text, compute SHA-256 hashes, classify matches, redact samples, and emit a deterministic fingerprint. It does not instruct reading unrelated files, other config paths, or sending data to external endpoints. (Caveat: the skill asserts 'no text leaves the agent'—that is an operational guarantee the runtime must enforce, not something the instruction file can technically enforce.)
Install Mechanism
No install spec or code files are present. Being instruction-only means nothing will be written to disk or downloaded by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. That is appropriate for an in-context scanner that operates on user-supplied text.
Persistence & Privilege
always is false and model invocation is default-enabled. The skill does not request permanent agent presence nor does it instruct modifying other skills or system-wide settings.
Assessment
This skill appears internally consistent and limited in scope, but review runtime and deployment controls before trusting it with sensitive production data: (1) The SKILL.md promises no network transmission, but your agent runtime or other enabled tools could still exfiltrate text — ensure the agent's connectors, tool permissions, and network egress are restricted as needed. (2) Test the detector on non-sensitive dummy secrets to validate false-positive/negative behavior and the redaction rules. (3) Confirm how and where agent logs are stored (the skill computes hashes and fingerprints that could be logged). (4) Because the skill is instruction-only and from an unknown source, prefer running it in an environment with minimal privileges and auditing enabled. If you need stronger guarantees, consider a vetted local implementation or review the detection logic integrated into your execution environment.


latest vk979acp9pzy9p1eebss4ptyycn84szqc
