Doro Git Secrets Scanner

v1.0.0

Git security scanner: checks commits for leaked sensitive information (API keys, passwords, tokens)

0· 447·2 current·2 all-time
by Mus Titou (@a2mus)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and required binaries (git) align with a git-focused secrets scanner. The SKILL.md consistently recommends well-known tools (gitleaks, TruffleHog, git-secrets) and shows relevant commands and config; nothing requested (no env vars or odd binaries) is unrelated to scanning git histories.
Instruction Scope
Instructions stay within the expected scope (scanning repos, pre-commit hooks, CI integration). Caution: the guide recommends actions that can be sensitive or destructive (rewriting history, git push --force, installing hooks). It also mentions TruffleHog's 'verification': that step tests each candidate credential against the issuing provider's API to confirm it is live, which transmits the discovered secret to an external service. Users scanning sensitive repositories should disable it (TruffleHog's --no-verification flag) unless that transmission is acceptable.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. It instructs the user to install tools via brew, go install, distro releases, or Docker — all standard, traceable installation methods. No arbitrary download-from-unknown-URL automated install is included by the skill itself.
Credentials
The skill requests no environment variables or credentials. The CI example references GITHUB_TOKEN in a typical and expected way for a GitHub Action. Nothing in requires.env or the instructions asks for unrelated secrets or system-wide credentials.
Persistence & Privilege
always:false and no autonomous install behavior are appropriate. The guide suggests installing pre-commit hooks and running repository-local commands (git secrets --install), which modify repo hooks/config but are scoped to the repo. Also advises rewriting history and force-pushing — these are privileged repository operations and should be used cautiously.
Assessment
This skill is a how-to for using common git secret-scanning tools and appears coherent. Before using it: (1) install tools from official project releases or trusted package managers; (2) avoid automatic 'verification' steps that contact external services if you don't want discovered secrets transmitted externally; (3) back up repositories before rewriting history and be cautious with git push --force; (4) pre-commit hooks alter local repo state, so review them before installing; (5) rotate any real secrets found rather than relying solely on history-cleaning, since clones, forks, reflogs and CI caches may still hold the old commits. Minor metadata inconsistencies (different ownerId in _meta.json and an odd package author string) are worth a quick sanity check with the publisher but do not materially change the security posture of this instruction-only skill.
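To make the review's points concrete (what "checking commits for leaked secrets" actually does, why a secret deleted in a later commit is still a finding, and why history-cleaning is no substitute for rotation), here is a small scanner over `git log -p` output. It is an added example, not the Doro skill's own code and not gitleaks, TruffleHog or git-secrets; it only mirrors their core approach of pattern rules plus an entropy gate applied to the lines each commit added. The rule names, the entropy threshold and the sample log are this example's own assumptions; the AKIA key in the sample is the AWS documentation example key, not a live credential.

```python
"""Scan `git log -p` output for secrets introduced by each commit (added example)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Rule shapes. AWS access key IDs are "AKIA" + 16 uppercase alphanumerics and classic
# GitHub PATs are "ghp_" + 36 alphanumerics; the generic rule is a heuristic for
# `password = "..."`-style assignments and only fires on quoted literals, so an
# `os.environ["..."]` indirection on the same line is not reported.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-credential": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
GENERIC_MIN_ENTROPY = 3.0  # assumed threshold: below it a generic match is treated as a placeholder

_COMMIT = re.compile(r"^commit ([0-9a-f]{7,40})\b")
_HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line_no: int
    rule: str
    secret: str

    def redacted(self) -> str:
        """Never echo the full secret into logs or CI output."""
        return self.secret[:4] + "****"


def shannon_entropy(s: str) -> float:
    """Bits per character; "changeme" scores 2.75, a random 28-char passphrase about 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _match_rules(commit, path, line_no, text):
    out = []
    for rule, rx in RULES.items():
        for m in rx.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            # The entropy gate drops low-variety values such as "changeme". That is a
            # trade-off (weak real defaults are missed), which is why the real tools pair
            # entropy with tunable allowlists instead of relying on one gate.
            if rule == "generic-credential" and shannon_entropy(secret) < GENERIC_MIN_ENTROPY:
                continue
            out.append(Finding(commit, path, line_no, rule, secret))
    return out


def scan_log(log_text: str) -> list:
    """Walk `git log -p` text; report rule hits on lines ADDED by each commit."""
    findings, commit, path, line_no, in_hunk = [], "", "", 0, False
    for raw in log_text.splitlines():
        if (m := _COMMIT.match(raw)):
            commit, in_hunk = m.group(1), False
        elif raw.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path  # strip git's "b/" prefix
        elif (m := _HUNK.match(raw)):
            line_no, in_hunk = int(m.group(1)), True  # new-side start line of the hunk
        elif in_hunk and raw.startswith("+"):
            findings.extend(_match_rules(commit, path, line_no, raw[1:]))
            line_no += 1
        elif in_hunk and raw.startswith(" "):
            line_no += 1  # unchanged context advances the new-side counter
        # "-" lines belong to the old side: a secret deleted here is still in history.
    return findings


SAMPLE_LOG = "\n".join([  # constructed `git log -p` output, not a real repository
    "commit 1111111111111111111111111111111111111111",
    "Author: Dev <dev@example.com>",
    "Date:   Mon Jan 1 00:00:00 2024 +0000",
    "",
    "    add settings",
    "",
    "diff --git a/settings.py b/settings.py",
    "new file mode 100644",
    "--- /dev/null",
    "+++ b/settings.py",
    "@@ -0,0 +1,4 @@",
    "+DEBUG = True",
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',  # AWS docs example key, not live
    '+DB_PASSWORD = "correct-horse-battery-staple"',
    '+SMTP_PASSWORD = "changeme"',  # placeholder: dropped by the entropy gate
    "",
    "commit 2222222222222222222222222222222222222222",
    "Author: Dev <dev@example.com>",
    "Date:   Tue Jan 2 00:00:00 2024 +0000",
    "",
    "    move credentials to the environment",
    "",
    "diff --git a/settings.py b/settings.py",
    "--- a/settings.py",
    "+++ b/settings.py",
    "@@ -1,4 +1,4 @@",
    " DEBUG = True",
    '-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '-DB_PASSWORD = "correct-horse-battery-staple"',
    '-SMTP_PASSWORD = "changeme"',
    '+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]',
    '+DB_PASSWORD = os.environ["DB_PASSWORD"]',
    '+SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]',
])

if __name__ == "__main__":
    # Both findings point at commit 1111...: the clean-up in commit 2222... does not
    # remove them from history, which is why rotation, not just rewriting, is required.
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.commit[:8]} {f.path}:{f.line_no} [{f.rule}] {f.redacted()}")
```

Run it with `git log -p | python3 scanner.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`. The real tools do the same walk with far larger rule sets: `gitleaks detect --source .` scans the full history of the current repository, and `trufflehog git file://. --no-verification` does so without contacting any provider API.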


latest: vk977d10dypr6nn522bq7wx2cx981t282

Runtime requirements

🔒 Clawdis
Bins: git
