Skylv Smart Secrets Scanner
Pass. Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: skylv-smart-secrets-scanner
Version: 1.0.0

The skill bundle describes a legitimate security utility designed to scan codebases and git history for exposed credentials and API keys. The documentation (SKILL.md) outlines standard security practices such as pre-commit hooks and auto-redaction, and the metadata (_meta.json) is consistent with the tool's stated purpose. No evidence of malicious intent, data exfiltration, or prompt injection was found in the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent trying to use this skill may execute an unreviewed or unrelated local scanner.js while processing sensitive credentials.
The documented workflow depends on executing scanner.js, but the provided artifact set contains no code files or install spec, so the scanner implementation that would handle secrets is not reviewable or pinned.
node scanner.js scan ./src
node scanner.js git-scan --depth 50
node scanner.js hook --install
Only run this after identifying and reviewing the exact scanner.js implementation from a trusted source, preferably in a sandbox.
Real API keys, tokens, private keys, or passwords could be read during a scan.
The skill is explicitly intended to access and identify credential material across local files and git history.
Detects exposed API keys, passwords, tokens, private keys, and credentials in source code, config files, environment variables, and git commit history.
Run it only on repositories you own or are authorized to audit, and avoid scanning unrelated private directories.
Secrets found by the scan could be exposed in chat history, logs, reports, or copied remediation output.
The sample output includes the full matched secret value rather than a redacted preview, which could place real secrets into agent context, logs, or summaries.
"matched": "AKIAIOSFODNN7EXAMPLE"
Prefer redacted findings, avoid sharing raw scan output, and manually rotate any real secrets that appear in output.
A redaction run could change application files and potentially break configuration if applied without review.
The skill documents a command that modifies source files by replacing detected secrets.
node scanner.js redact ./src/config.js --replace-with "[REDACTED]"
Review diffs and keep backups or use version control before running redaction commands.
Future commits may be blocked or modified by scanner behavior even after the initial task is complete.
The skill documents installing a pre-commit hook that continues to run automatically after setup.
node scanner.js hook --install # Now every commit is scanned automatically
Install the hook only if you want persistent commit-time scanning, and know how to remove or disable it.
