Credential Scanner

Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p...

Install for OpenClaw

Quick setup
  1. Download the package from Yavira.
  2. Extract the archive and review SKILL.md first.
  3. Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: README.md, secret_scanner.py, SKILL.md

Validation

  • Use the Yavira download entry.
  • Review SKILL.md after the package is downloaded.
  • Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

  1. Download the package from Yavira.
  2. Extract it into a folder your agent can access.
  3. Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 0.1.0

Documentation

Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.

When to Use This Skill

Use this skill when the user:

  • Asks to "check for leaked secrets" or "scan for API keys"
  • Wants to audit a repo or folder before committing or publishing
  • Says "are there any hardcoded passwords in this code?"
  • Asks to "find credentials" or "check for exposed tokens"
  • Wants pre-commit or pre-publish security checks
  • Mentions concern about accidentally checking in secrets

Capabilities

  • Detect 40+ secret patterns including:
      • AWS Access Keys, Secret Keys, Session Tokens
      • Azure Storage Keys, Connection Strings, SAS Tokens
      • GCP Service Account Keys, API Keys
      • GitHub / GitLab / Bitbucket Personal Access Tokens
      • OpenAI, Anthropic, Hugging Face API Keys
      • Slack Bot Tokens, Webhooks
      • Stripe, Twilio, SendGrid Keys
      • Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
      • SSH Private Keys, PEM/PFX Certificates
      • JWT Tokens, Bearer Tokens
      • Generic passwords in config files (password=, secret=, token=)
  • Scan individual files, directories, or entire repos recursively
  • Ignore binary files, node_modules, .git, and other non-relevant paths
  • Output results as Markdown report or JSON
  • Provide severity ratings (Critical, High, Medium, Low)
  • Suggest remediation for each finding

Scan a directory

python secret_scanner.py /path/to/project

Scan with JSON output

python secret_scanner.py /path/to/project --json

Scan and save report

python secret_scanner.py /path/to/project --output report.md

Within an Agent

  • "Scan this project for leaked secrets"
  • "Check if there are any API keys in the codebase"
  • "Run secret-scanner on the current directory"
  • "Find hardcoded passwords in my config files"
  • "Audit this repo before I push to GitHub"

Cloud Provider Keys

| Provider | Secrets Detected |
|----------|------------------|
| AWS | Access Key ID (AKIA...), Secret Access Key, Session Token |
| Azure | Storage Account Key, Connection String, SAS Token, Client Secret |
| GCP | API Key (AIza...), Service Account JSON, OAuth Client Secret |

AI / LLM Keys

| Service | Pattern |
|---------|---------|
| OpenAI | sk- prefixed API keys |
| Anthropic | sk-ant- prefixed keys |
| Hugging Face | hf_ prefixed tokens |
| Cohere | API keys in config |

Developer Platforms

| Platform | Secrets Detected |
|----------|------------------|
| GitHub | ghp_, gho_, ghu_, ghs_, ghr_ tokens |
| GitLab | glpat- tokens |
| Slack | xoxb-, xoxp-, xoxs- tokens, webhook URLs |
| Stripe | sk_live_, sk_test_, rk_live_ keys |
| Twilio | Account SID, Auth Token |
| SendGrid | SG. prefixed API keys |

Databases & Infrastructure

| Type | Pattern |
|------|---------|
| MongoDB | mongodb:// or mongodb+srv:// with credentials |
| PostgreSQL | postgresql:// with embedded password |
| MySQL | mysql:// with embedded password |
| Redis | redis:// with password |
| SSH | -----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY----- |
| Certificates | PEM, PFX, P12 with embedded keys |

Generic Patterns

| Pattern | Description |
|---------|-------------|
| password= | Hardcoded passwords in config/env files |
| secret= | Hardcoded secrets |
| token= | Hardcoded tokens |
| Bearer | Bearer tokens in code |
| Basic Auth | Base64-encoded basic auth headers |
| JWT | eyJ prefixed JWT tokens |
| High Entropy | Long random strings that look like secrets |

Severity Levels

| Severity | Description | Examples |
|----------|-------------|----------|
| 🔴 Critical | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| 🟠 High | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| 🟡 Medium | Keys that may be test/dev | Test API keys, example tokens |
| 🟢 Low | Potential false positives | Generic password= in comments, placeholder values |
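
A minimal detector built from the prefix tables and severity levels above. This is an added example, not the package's secret_scanner.py; the regex length bounds, the placeholder list, the entropy threshold and the Medium/High split for generic assignments are assumptions made here.

```python
import math
import re
# (name, severity, regex). Prefixes come from the tables above; the length and
# character-class bounds are assumptions made for this example.
RULES = [
    ("Private key header", "Critical", re.compile(r"-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----")),
    ("DB connection string", "Critical",
     re.compile(r"(?:mongodb(?:\+srv)?|postgresql|mysql|redis)://[^\s:@/]*:[^\s@/]+@")),
    ("GitHub token", "High", re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}")),
    ("Stripe live key", "High", re.compile(r"[sr]k_live_[A-Za-z0-9]{10,}")),
    ("Stripe test key", "Medium", re.compile(r"sk_test_[A-Za-z0-9]{10,}")),
]
GENERIC = re.compile(r"(?i)(password|secret|token)\s*=\s*['\"]?([^\s'\"]+)")
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|placeholder|your[_-].*|x+|\*+|<.*>|\$\{.*\})$")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    """Keep a 4-character prefix so a report never contains the full secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_text(text):
    """Return (line number, rule name, severity, redacted match) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(n, sev, m.group(0)) for n, sev, rx in RULES for m in rx.finditer(line)]
        if not hits:  # fall back to generic key=value assignments
            for m in GENERIC.finditer(line):
                value = m.group(2)
                if line.lstrip().startswith(("#", "//")) or PLACEHOLDER.match(value):
                    sev = "Low"  # comment or placeholder: likely false positive
                else:  # assumption: long, random-looking values rank higher
                    sev = "High" if len(value) >= 16 and entropy(value) > 3.5 else "Medium"
                hits.append((m.group(1).lower() + "= assignment", sev, value))
        findings += [(lineno, n, sev, redact(v)) for n, sev, v in hits]
    return findings

# Constructed sample input; none of these values is a real credential.
SAMPLE = "\n".join([
    "GITHUB_TOKEN=ghp_" + "a1B2" * 9,
    "db = 'postgresql://app:hunter2@db.internal:5432/prod'",
    "# password=changeme",
    "stripe = 'sk_test_" + "0" * 24 + "'",
    "secret=q9Zr7LmT2xVb8KdW4nHs",
])
if __name__ == "__main__":
    print(*scan_text(SAMPLE), sep="\n")
```

Specific prefix rules run first, and the generic `password=` / `secret=` / `token=` fallback only applies to lines they did not match, so a known token type is not reported twice.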

Files Scanned

Scans these file types by default:

  • Source code: .py, .js, .ts, .java, .go, .rb, .php, .cs, .rs
  • Config: .json, .yaml, .yml, .toml, .ini, .cfg, .conf
  • Environment: .env, .env.local, .env.production
  • Shell: .sh, .bash, .zsh, .ps1
  • Docs: .md, .txt
  • Other: Dockerfile, docker-compose.yml, Makefile

Ignored Paths

Automatically skips:

  • node_modules/, vendor/, venv/, .venv/
  • .git/, .svn/
  • __pycache__/, .pytest_cache/
  • Binary files, images, compiled outputs
  • package-lock.json, yarn.lock

Remediation Guidance

When secrets are found, the skill recommends:

  • Rotate the secret immediately — assume it's compromised
  • Remove from code — use environment variables or a secrets manager instead
  • Add to .gitignore — prevent .env and credential files from being committed
  • Use git-filter-repo — to remove secrets from git history
  • Enable pre-commit hooks — to catch secrets before they're committed

Requirements

  • Python 3.7+
  • No additional dependencies (uses Python standard library)

Entry Point

CLI: secret_scanner.py

Tags

#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops

Category context

Code helpers, APIs, CLIs, browser automation, testing, and developer operations.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package
2 Docs, 1 Script
  • SKILL.md Primary doc
  • README.md Docs
  • secret_scanner.py Scripts