Git Secrets Scanner

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent, instruction-only Git secret-scanning guide, but users should handle found secrets, third-party installs, persistent hooks or cron jobs, and force-push cleanup steps carefully.

This skill appears safe as an instruction-only guide for Git secret scanning. Before using it, install tools only from trusted sources, run scans only on repositories you intend to inspect, protect or redact scan output, enable hooks or cron jobs only deliberately, and do not run BFG or force-push cleanup commands without backups and team coordination.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the scanner may reveal real keys or passwords to anyone who can see the agent conversation, terminal output, CI logs, or saved scan reports.

Why it was flagged

The skill is designed to find and display credentials or tokens from repository history, which is expected for this purpose but sensitive if exposed in transcripts, logs, or reports.

Skill content
"Check commits for leaked sensitive information (API keys, passwords, tokens)" and output example "Secret:      moltbook_sk_..."
Recommendation

Run it only on intended repositories, redact findings before sharing logs, and revoke or rotate any real secret that appears.

What this means

A user could install whatever version is current at the time, and the sudo install path can modify the local system.

Why it was flagged

The installation guidance uses external tools and unpinned latest versions, including one privileged source-build install path. This is normal for a tool guide but affects provenance and reproducibility.

Skill content
"go install github.com/gitleaks/gitleaks/v8@latest", "docker pull trufflesecurity/trufflehog:latest", and "sudo make install"
Recommendation

Prefer official release channels, pin versions where possible, verify downloads or checksums, and avoid privileged installs unless necessary.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Scans may run automatically on future commits or on a weekly schedule if the user sets them up.

Why it was flagged

The skill documents optional pre-commit hook and cron examples that continue running after initial setup. They are explicit best-practice examples, not hidden persistence.

Skill content
"git secrets --install" and "0 0 * * 0 cd /path/to/repo && gitleaks detect --source ."
Recommendation

Enable hooks or cron jobs only when desired, document them for the project, and remove or update them when no longer needed.

What this means

A force push or BFG cleanup can rewrite shared Git history, disrupt collaborators, or remove files from history.

Why it was flagged

The remediation section includes repository history rewriting and force-push commands. These are appropriate for secret cleanup but can be disruptive if run without coordination.

Skill content
"Delete history - remove sensitive information from git history", "Force push - `git push --force` (use with caution)", and "bfg --delete-files .env"
Recommendation

Use these cleanup commands only with explicit user approval, backups, team coordination, and preferably safer force-push practices such as force-with-lease.