Credential Scanner

v0.1.0

Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p...

by nirwan dogra (@nirwandogra) · duplicate of @nirwandogra/nirwan-secret-scanner
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description (scan repos for leaked secrets) match the included CLI script, README, and SKILL.md. The patterns and file types described are consistent with a secret scanner; nothing is requesting unrelated cloud credentials or external services.
Instruction Scope
SKILL.md instructs the agent/user to run the bundled Python script against a path, output JSON/Markdown, and follow remediation steps. Instructions do not tell the agent to read unrelated system files, environment variables, or to transmit findings to external endpoints.
Install Mechanism
No install spec (instruction-only with a single Python script). The skill claims zero external dependencies and the Python file imports only standard-library modules (os, re, sys, json, argparse, etc.), which matches that claim.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The scanner legitimately doesn't need secrets to operate, so no secret-env access is requested or required.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system-wide privileges or modify other skills' configs. Autonomous invocation is allowed by platform default but there are no additional privileges requested by the skill.
Assessment
This skill appears to be a straightforward local secret scanner and is internally consistent. Before installing or running it: (1) review the script yourself if you will run it in sensitive environments (we checked imports and saw only standard-library modules); (2) run it locally (or in an isolated environment) on the target repo — the tool will read files recursively and can surface sensitive data; (3) treat any findings as potentially compromised (rotate keys immediately) and avoid uploading raw reports that contain secret previews to public services; (4) if you plan to let an autonomous agent run this skill, ensure the agent is not configured to post scan results to external endpoints you did not approve. If you want even higher assurance, paste the full secret_scanner.py source into a code reviewer or run it in a sandboxed container to confirm behavior in your environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ayje497mqf84171bb0j14581cv34
