Skylv Smart Secrets Scanner

Audited by ClawScan on May 10, 2026.

Overview

This looks like a legitimate secrets-scanning concept, but the reviewed package does not include the scanner it tells the agent to run, and that scanner would be handling real credentials.

Before installing or using this skill, confirm what scanner.js is and inspect it from a trusted source. Run scans only on authorized repositories, avoid sharing raw results, prefer redacted output, back up files before using auto-redact, and install the pre-commit hook only if you want ongoing automatic scanning.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent trying to use this skill may execute an unreviewed or unrelated local scanner.js while processing sensitive credentials.

Why it was flagged

The documented workflow depends on executing scanner.js, but the provided artifact set contains no code files or install spec, so the scanner implementation that would handle secrets is not reviewable or pinned.

Skill content
node scanner.js scan ./src
node scanner.js git-scan --depth 50
node scanner.js hook --install
Recommendation

Only run this after identifying and reviewing the exact scanner.js implementation from a trusted source, preferably in a sandbox.

What this means

Real API keys, tokens, private keys, or passwords could be read during a scan.

Why it was flagged

The skill is explicitly intended to access and identify credential material across local files and git history.

Skill content
Detects exposed API keys, passwords, tokens, private keys, and credentials in source code, config files, environment variables, and git commit history.
Recommendation

Run it only on repositories you own or are authorized to audit, and avoid scanning unrelated private directories.

What this means

Secrets found by the scan could be exposed in chat history, logs, reports, or copied remediation output.

Why it was flagged

The sample output includes the full matched secret value rather than a redacted preview, which could place real secrets into agent context, logs, or summaries.

Skill content
"matched": "AKIAIOSFODNN7EXAMPLE"
Recommendation

Prefer redacted findings, avoid sharing raw scan output, and manually rotate any real secrets that appear in output.

What this means

A redaction run could change application files and potentially break configuration if applied without review.

Why it was flagged

The skill documents a command that modifies source files by replacing detected secrets.

Skill content
node scanner.js redact ./src/config.js --replace-with "[REDACTED]"
Recommendation

Review diffs and keep backups or use version control before running redaction commands.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Future commits may be blocked or modified by scanner behavior even after the initial task is complete.

Why it was flagged

The skill documents installing a pre-commit hook that continues to run automatically after setup.

Skill content
node scanner.js hook --install
# Now every commit is scanned automatically
Recommendation

Install the hook only if you want persistent commit-time scanning, and know how to remove or disable it.