secrets-audit

v1.0.0

Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config fil...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description, SKILL.md, and scripts/scan_secrets.py are consistent: the script implements pattern matching, entropy checks, directory skipping, CI exit codes, and optional git-history scanning. The skill does not request unrelated credentials, binaries, or configuration paths.
Instruction Scope
Runtime instructions only direct the agent to run the included Python scanner against a target directory (with an optional --git-history flag). The SKILL.md and script operate entirely on local files and git history; there are no instructions to transmit data to external endpoints. The git-history checks use git subprocess calls, which is expected for this purpose.
Install Mechanism
No install spec; the skill is instruction-plus-script only and relies on Python stdlib. Nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials. It scans repositories provided by the user; no additional secrets are requested or required.
Persistence & Privilege
always: false; no special persistence or system-wide modifications. The skill does not claim to modify other skills or global agent settings.
Assessment
This skill is coherent and implements a local secrets scanner as advertised. Before running it:
1. Review the script, especially the git-history code, to confirm it matches your policies.
2. Run it against a copy of the repository, or inside an isolated environment (container or VM), if the project holds very sensitive data.
3. The script invokes git via subprocess.run for history checks. That is expected for the purpose, but review and limit where you run it.
4. There is a minor bug near the end of scan_git_history (an apparent reference to an undefined variable). Fix it, or review the full script, before using it in CI or automation.
5. The scanner relies on entropy heuristics and regex rules, which produce both false positives and false negatives. Review findings manually and rotate any real high-severity credential immediately.
6. The provided files do not upload results anywhere, but do not take that on faith: verify that you trust the environment in which you run it.
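The mechanisms the report attributes to scripts/scan_secrets.py (regex rules, an entropy check, directory skipping, a CI exit code) and the false-positive caveat in point 5, shown together in a small self-contained scanner. This is an added example, not the skill's own script: the rule set, the 4.0 bits-per-character threshold, the placeholder allowlist and the scan:allow inline marker are all assumptions chosen for illustration, and the files it scans are constructed in a temporary directory. Nothing here runs git.

```python
# Added example, not the secrets-audit skill's own scripts/scan_secrets.py.
# Rules, threshold, placeholder allowlist and inline marker are assumptions.
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

RULES = {  # only generic_assignment captures a group, so group(1) is the value
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__", "dist", "build"}
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # runs long enough for an entropy check
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed, tune per codebase
PLACEHOLDERS = {"changeme", "example", "your_token_here"}  # assumed allowlist
ALLOW_MARKER = "scan:allow"  # assumed inline suppression marker


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never carry the full value into a report

def shannon_entropy(s: str) -> float:
    """Entropy in bits per character over the string's own alphabet."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_text(path: str, text: str) -> list:
    """Regex rules first; the entropy heuristic only on lines where no rule fired."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewed and explicitly suppressed
            continue
        hit = False
        for name, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(path, line_no, name, value[:4] + "..."))
            hit = True
        if not hit:
            for cand in CANDIDATE.findall(line):
                if shannon_entropy(cand) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, line_no, "high_entropy", cand[:4] + "..."))
    return findings

def scan_tree(root: str) -> list:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8") as fh:  # strict decode: binaries raise
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return findings

def exit_code(findings: list) -> int:
    return 1 if findings else 0  # CI convention: non-zero fails the job

SAMPLE_SETTINGS = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
API_KEY = "ghp_0123456789abcdef0123456789abcdef0123"  # scan:allow
SESSION_SEED = "aB3dE5fG7hJ9kL1mN2pQ"
"""  # constructed sample; the AKIA value is the example key id from AWS's docs

def demo() -> dict:  # scans a constructed tree in a temp dir, returns a summary
    with tempfile.TemporaryDirectory() as root:
        for rel, data in [
            ("app/settings.py", SAMPLE_SETTINGS),
            ("node_modules/dep/key.pem", "-----BEGIN RSA PRIVATE KEY-----\n"),  # pruned
            (".git/packed", 'old = "AKIAIOSFODNN7EXAMPLE"\n'),  # pruned
            ("app/blob.bin", b"\xff\xfe\x00AKIAIOSFODNN7EXAMPLE"),  # not UTF-8, skipped
        ]:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb" if isinstance(data, bytes) else "w") as fh:
                fh.write(data)
        findings = scan_tree(root)
        return {"rules": sorted(f.rule for f in findings),
                "paths": sorted({f.path for f in findings}),
                "exit_code": exit_code(findings)}
```

For a real tree, call scan_tree(path) and exit with exit_code(findings). The two layers cover each other's blind spots: the AWS key id in the sample has an entropy of about 3.7 bits per character, under the threshold, so only the regex rule catches it, while the SESSION_SEED value matches no rule and is caught only by the entropy check. Point 5 above is visible in the same sample: without the placeholder allowlist, DB_PASSWORD would be reported, and any genuinely random-looking string over 20 characters (hashes, lockfile integrity values) will be flagged, which is why findings need a human pass before anything is rotated.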

Like a lobster shell, security has layers — review code before you run it.

latest: vk975v1qyek0trj6yp9b16hq65d84kpsy

