Skylv Secrets Scanner

v1.0.0

Scans code for leaked secrets, API keys, tokens, and passwords. Triggers: scan secrets, check api key, security scan, leaked token.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sky-lv/skylv-secrets-scanner.

Install the skill "Skylv Secrets Scanner" (sky-lv/skylv-secrets-scanner) from ClawHub.
Skill page: https://clawhub.ai/sky-lv/skylv-secrets-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skylv-secrets-scanner

ClawHub CLI


npx clawhub@latest install skylv-secrets-scanner
Security Scan
Capability signals
Crypto · Requires wallet · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the behavior: SKILL.md describes searching repositories for leaked secrets. The declared requirements (none) are appropriate for an instruction-only scanner. Minor inconsistency: the 'Patterns to Detect' lists multiple secret types but the provided command examples only search for GitHub tokens and AWS keys and only in .js/.py files, so the commands don't fully implement all claimed patterns.
Instruction Scope
Instructions tell the agent to recursively scan the working tree using Select-String/grep, which is expected for a repo scanner. However: (1) commands are narrowly targeted (only two regexes and file extensions), (2) there is no guidance on safe handling/storage/transmission of discovered secrets, and (3) no instruction to exclude sensitive system directories. These are usability/security hygiene gaps but not evidence of malicious intent.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes disk-write risk; nothing is downloaded or installed.
Credentials
The skill requests no environment variables, credentials, or config paths — proportional to a local scanning helper.
Persistence & Privilege
always:false and no requests to modify agent/system config. The skill has normal, non-persistent invocation behavior.
Assessment
This skill is instruction-only and simply tells the agent how to run local grep/Select-String patterns to find likely secrets. Before installing: (1) confirm you trust the skill trigger and understand it will read files in the working directory (it does recursive scans); (2) note that the provided commands only check GitHub tokens and AWS keys in .js/.py files — update the commands if you need other patterns or file types; (3) add safe handling steps for any discovered secrets (rotate/secure them) and ensure findings are not sent to external services; (4) avoid running this over unrelated system dirs (home, /etc) to prevent accidental disclosure of unrelated secrets; and (5) if you expect broader coverage or automation, prefer a maintained scanner (repo with code) rather than instruction-only text so you can review the exact implementation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ejbawtypfn4zm7ys4sk8mjx859dzg
116 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Secrets Scanner

Overview

Scans repositories for accidentally committed secrets and API keys.

When to Use

  • User asks to "scan for secrets" or "security audit"
  • Pre-commit or pre-push security check

Patterns to Detect

  • AWS Key: AKIA[0-9A-Z]{16}
  • GitHub Token: ghp_[a-zA-Z0-9]{36}
  • Generic API Key: api[_-]?key.*[a-zA-Z0-9]{20,}
  • Private Key: -----BEGIN (RSA|DSA|EC) PRIVATE KEY-----
  • Password in URL: ://[^@]+:.*@
  • Slack Token: xox[baprs]-[0-9]{10,13}-[0-9]{10,13}

Commands

Windows: Get-ChildItem -Path . -Include *.js,*.py -Recurse | Select-String -Pattern "ghp_[a-zA-Z0-9]{36}"

Linux/macOS: grep -rE "ghp_[a-zA-Z0-9]{36}|AKIA[0-9A-Z]{16}" --include="*.js" --include="*.py" .
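
An added example, not part of the skill's own instructions: a Python scanner that covers all six secret types listed under Patterns to Detect, reads every file type, prunes `.git`, and reports only redacted matches so findings can be shared without re-leaking the secret. `SKIP_DIRS`, `MAX_BYTES`, `redact` and the tightened Generic API Key and Password in URL expressions are assumptions of this example.

```python
import os
import re

# Secret types from "Patterns to Detect". The Generic API Key and Password in URL
# regexes are this example's tightened variants (assumption), to limit over-matching.
PATTERNS = {
    "AWS Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "GitHub Token": re.compile(r"ghp_[a-zA-Z0-9]{36}"),
    "Generic API Key": re.compile(r"(?i)api[_-]?key.{0,5}?[a-zA-Z0-9]{20,}"),
    "Private Key": re.compile(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----"),
    "Password in URL": re.compile(r"://[^@\s/:]+:[^@\s/]+@"),
    "Slack Token": re.compile(r"xox[baprs]-[0-9]{10,13}-[0-9]{10,13}"),
}
SKIP_DIRS = {".git", "node_modules", ".venv"}  # assumed exclusions
MAX_BYTES = 1_000_000  # skip large or binary blobs (assumed limit)

def redact(value):
    """Keep a short prefix for triage; never echo the full secret."""
    return f"{value[:4]}...[{len(value)} chars]"

def scan_text(text):
    """Return (line_number, secret_type, redacted_match) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((lineno, name, redact(m.group(0))))
    return hits

def scan_tree(root):
    """Walk root (all file types), pruning SKIP_DIRS; return {relative_path: hits}."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

if __name__ == "__main__":
    for path, hits in scan_tree(".").items():
        for lineno, name, shown in hits:
            print(f"{path}:{lineno}: {name}: {shown}")
```
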

Prevention

Add to .gitignore (one pattern per line):

  .env
  *.key
  credentials.*
  secrets.*
  *.pem
