Secret Detection

v1.0.0

Git hook to detect secrets before commit.

by Derick (@derick001)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python script all implement a git pre-commit secret scanner. Requested binaries (git, python3) are appropriate and used by the script (git used to list staged files; python3 runs the scanner). No unexpected services or credentials are required.
Instruction Scope
Instructions focus on installing a repo-local pre-commit hook and scanning staged or specified files, which matches the code. One minor discrepancy: SKILL.md and README state that the script prints the first 20 characters of each detected secret, but the hook-run path prints up to 60 characters of file content in the commit-blocking output. The script reads file contents and prints matched secret substrings to stdout. That is expected for identification, but it is also a potential secret-leak risk wherever the output lands (terminal scrollback, CI logs).
Install Mechanism
No remote downloads or package installs; install simply writes a .git/hooks/pre-commit file that invokes the local script. This is standard for repo-local git hooks and does not introduce high-risk install behavior.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. However, it prints portions of detected secrets to the console, and its JSON output includes the full secret under a 'secret' field, which can expose secrets to terminal history, CI logs, or anyone watching the screen. Findings should be redacted before they are printed or stored.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. Its install writes only to the repository's .git/hooks directory; it does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: a local git pre-commit scanner implemented in Python that requires git and python3. Before installing, review the script (scripts/main.py) yourself. Key points to consider:
- The scanner prints matched secrets (it includes a 'secret' field in its JSON output and prints a substring to the console). That can expose sensitive values in terminal history or CI logs; if you use this in CI or on shared terminals, prefer redaction, or change the script to mask secrets (e.g., show only the match type and filename/line, not the secret substring).
- Installation is repo-local (.git/hooks/pre-commit). It will only run in that repository; it does not request external network access or credentials. Note that hooks under .git/hooks are not versioned with the repository and that any developer can skip them with git commit --no-verify, so this is a convenience check, not an enforcement control.
- The README/SKILL.md claim it prints the first 20 characters of secrets, but the hook output prints up to 60 characters of file content, a small inconsistency to be aware of and correct if you want stricter redaction.
- If you need organization-wide enforcement, consider a vetted tool (e.g., git-secrets, pre-commit frameworks, or a centralized scanning solution) rather than per-repo hooks.
If you decide to install: run the script in a test repository first, and consider editing the scanner to mask or omit the actual secret value in outputs and saved logs.
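The redaction the Credentials and Assessment sections ask for, shown in working code. This is an added example written for this page, not the skill's scripts/main.py: the detection rules are constructed illustrations (the skill's own pattern set is not shown here), and the function names (scan_text, redact, report, staged_files, hook_script, install_hook) are this example's own. It keeps the same shape as the skill (list staged files with git, scan them with python3, block the commit on a hit, write a repo-local .git/hooks/pre-commit) but never places the raw secret in the console output or the JSON findings, only a four-character prefix and a mask.

```python
import json
import re
import shlex
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Illustrative rules only (constructed for this example); the skill's real
# pattern set lives in its scripts/main.py and is not reproduced here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return findings for one file. The raw secret value is never stored."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(
                    {"file": path, "line": lineno, "rule": rule, "redacted": redact(secret)}
                )
    return findings


def report(findings: List[Dict[str, object]]) -> str:
    """JSON for the console or CI logs; safe to persist because it holds no secret values."""
    return json.dumps(findings, indent=2)


def staged_files() -> List[str]:
    """Paths staged for commit (added, copied or modified), the set a pre-commit hook must check."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def hook_script(scanner: str) -> str:
    """Body of a repo-local .git/hooks/pre-commit that delegates to the scanner."""
    return "#!/bin/sh\nexec python3 " + shlex.quote(scanner) + "\n"


def install_hook(repo: Path, scanner: str) -> Path:
    """Write the hook into this repository only; nothing global is touched."""
    hook = repo / ".git" / "hooks" / "pre-commit"
    hook.parent.mkdir(parents=True, exist_ok=True)
    hook.write_text(hook_script(scanner))
    hook.chmod(0o755)
    return hook


def main(paths: Optional[List[str]]) -> int:
    """Scan the given paths, or the staged files when none are given; non-zero blocks the commit."""
    findings: List[Dict[str, object]] = []
    for path in (paths if paths else staged_files()):
        try:
            text = Path(path).read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            print(f"skipping {path}: {exc}", file=sys.stderr)
            continue
        findings.extend(scan_text(path, text))
    if findings:
        print(report(findings))
        print("commit blocked: possible secrets in staged files", file=sys.stderr)
        return 1
    return 0


# Constructed sample input standing in for a staged file (not real credentials).
SAMPLE_FILE = (
    "aws_key = AKIAABCDEFGHIJKLMNOP\n"
    'password = "hunter2hunter2"\n'
    "count = 1\n"
)

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or None))
```

Run it with explicit paths to test a rule set against a scratch file, or without arguments from inside a hook to scan the staged set. Because the JSON carries only the rule name, file, line and a masked prefix, it can be written to CI logs or saved as an artifact without recreating the leak the scanner exists to prevent.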




Runtime requirements

Bins: git, python3
