Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Secrets Scanner

v1.0.0

Git security scanner - checks commits for leaked sensitive information (API keys, passwords, tokens)

0 · 1.3k · 11 current · 12 all-time
by Guohongbin (@guohongbin-git)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binaries (git), and the instructions all center on scanning git repositories for secrets using gitleaks/trufflehog/git-secrets. There are no unrelated required env vars, binaries, or config paths.
Instruction Scope
SKILL.md stays on-topic (how to install and run scanners, pre-commit hooks, CI integration, history cleanup). It also includes potentially destructive but relevant guidance (BFG, git history rewriting, and `git push --force`) and a sample script for scanning multiple repos or scheduling scans which could access many repositories — these are within scope but carry operational risk. The doc mentions TruffleHog 'validation' (which can contact external services to verify secrets); users should be aware validation may send candidates to remote endpoints.
Install Mechanism
This is instruction-only (no install spec). The doc recommends installing tools via official channels (Homebrew, GitHub releases, Go install, Docker, or building from the tools' repos). No opaque download URLs or archive extraction from unknown hosts are suggested by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The CI example uses GITHUB_TOKEN (normal for GitHub Actions), and `git-secrets --register-aws` is suggested (which configures detection rules rather than requiring AWS credentials). Overall, the requested access is proportional to the scanning tasks.
Persistence & Privilege
`always: false` and `user-invocable: true` (no forced persistent presence). There is no attempt to modify other skills or system-wide agent settings in the instructions.
Assessment
This guide appears coherent and uses well-known tools, but be cautious before following destructive steps: back up repositories before rewriting history or running BFG and be careful with `git push --force`. When enabling pre-commit hooks review the hook scripts first. If you enable CI scans, give tokens (e.g., GITHUB_TOKEN) least privilege. Note that TruffleHog's validation may contact external services — if that is a concern, disable validation or run scans offline. Finally, install the recommended tools from their official project pages (not from random mirrors) and avoid running unknown install scripts as root.

Tags: git, latest, secrets-scanner, security

Runtime requirements

Clawdis
Bins: git