{ "schemaVersion": "1.0", "item": { "slug": "credential-scanner", "name": "Credential Scanner", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/nirwandogra/credential-scanner", "canonicalUrl": "https://clawhub.ai/nirwandogra/credential-scanner", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/credential-scanner", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-scanner", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "secret_scanner.py", "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/credential-scanner" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/credential-scanner", "agentPageUrl": "https://openagent3.xyz/skills/credential-scanner/agent", "manifestUrl": "https://openagent3.xyz/skills/credential-scanner/agent.json", "briefUrl": "https://openagent3.xyz/skills/credential-scanner/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Secret Scanner", "body": "Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials." }, { "title": "When to Use This Skill", "body": "Use this skill when the user:\n\nAsks to \"check for leaked secrets\" or \"scan for API keys\"\nWants to audit a repo or folder before committing or publishing\nSays \"are there any hardcoded passwords in this code?\"\nAsks to \"find credentials\" or \"check for exposed tokens\"\nWants pre-commit or pre-publish security checks\nMentions concern about accidentally checking in secrets" }, { "title": "Capabilities", "body": "Detect 40+ secret patterns including:\n\nAWS Access Keys, Secret Keys, Session Tokens\nAzure Storage Keys, Connection Strings, SAS Tokens\nGCP Service Account Keys, API Keys\nGitHub / GitLab / Bitbucket Personal Access Tokens\nOpenAI, Anthropic, Hugging Face API Keys\nSlack Bot Tokens, Webhooks\nStripe, Twilio, SendGrid Keys\nDatabase connection strings (MongoDB, PostgreSQL, MySQL, Redis)\nSSH Private Keys, PEM/PFX Certificates\nJWT Tokens, Bearer Tokens\nGeneric passwords in config files (password=, secret=, token=)\n\n\nScan individual files, directories, or entire repos recursively\nIgnore binary files, node_modules, .git, and other non-relevant paths\nOutput results as Markdown report or JSON\nProvide severity ratings (Critical, High, Medium, Low)\nSuggest remediation for each finding" }, { "title": "Scan a directory", "body": "python secret_scanner.py /path/to/project" }, { "title": "Scan with JSON output", "body": "python secret_scanner.py /path/to/project --json" }, { "title": "Scan and save report", "body": "python secret_scanner.py /path/to/project --output report.md" }, { "title": "Within an Agent", "body": "\"Scan this project for leaked secrets\"\n\"Check if there are any API keys in the codebase\"\n\"Run secret-scanner on the current directory\"\n\"Find hardcoded passwords in my config files\"\n\"Audit this repo before I push to GitHub\"" }, { "title": "Cloud Provider Keys", "body": "ProviderSecrets DetectedAWSAccess Key ID (AKIA...), Secret Access Key, Session TokenAzureStorage Account Key, Connection String, SAS Token, Client SecretGCPAPI Key (AIza...), Service Account JSON, OAuth Client Secret" }, { "title": "AI / LLM Keys", "body": "ServicePatternOpenAIsk- prefixed API keysAnthropicsk-ant- prefixed keysHugging Facehf_ prefixed tokensCohereAPI keys in config" }, { "title": "Developer Platforms", "body": "PlatformSecrets DetectedGitHubghp_, gho_, ghu_, ghs_, ghr_ tokensGitLabglpat- tokensSlackxoxb-, xoxp-, xoxs- tokens, webhook URLsStripesk_live_, sk_test_, rk_live_ keysTwilioAccount SID, Auth TokenSendGridSG. prefixed API keys" }, { "title": "Databases & Infrastructure", "body": "TypePatternMongoDBmongodb:// or mongodb+srv:// with credentialsPostgreSQLpostgresql:// with embedded passwordMySQLmysql:// with embedded passwordRedisredis:// with passwordSSH-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----CertificatesPEM, PFX, P12 with embedded keys" }, { "title": "Generic Patterns", "body": "PatternDescriptionpassword=Hardcoded passwords in config/env filessecret=Hardcoded secretstoken=Hardcoded tokensBearerBearer tokens in codeBasic AuthBase64-encoded basic auth headersJWTeyJ prefixed JWT tokensHigh EntropyLong random strings that look like secrets" }, { "title": "Severity Levels", "body": "SeverityDescriptionExamples🔴 CriticalActive production credentialsAWS Secret Key, Private Keys, DB passwords🟠 HighService tokens with broad accessGitHub PAT, Slack Bot Token, Stripe Live Key🟡 MediumKeys that may be test/devTest API keys, example tokens🟢 LowPotential false positivesGeneric password= in comments, placeholder values" }, { "title": "Files Scanned", "body": "Scans these file types by default:\n\nSource code: .py, .js, .ts, .java, .go, .rb, .php, .cs, .rs\nConfig: .json, .yaml, .yml, .toml, .ini, .cfg, .conf\nEnvironment: .env, .env.local, .env.production\nShell: .sh, .bash, .zsh, .ps1\nDocs: .md, .txt\nOther: Dockerfile, docker-compose.yml, Makefile" }, { "title": "Ignored Paths", "body": "Automatically skips:\n\nnode_modules/, vendor/, venv/, .venv/\n.git/, .svn/\n__pycache__/, .pytest_cache/\nBinary files, images, compiled outputs\npackage-lock.json, yarn.lock" }, { "title": "Remediation Guidance", "body": "When secrets are found, the skill recommends:\n\nRotate the secret immediately — assume it's compromised\nRemove from code — use environment variables or a secrets manager instead\nAdd to .gitignore — prevent .env and credential files from being committed\nUse git-filter-repo — to remove secrets from git history\nEnable pre-commit hooks — to catch secrets before they're committed" }, { "title": "Requirements", "body": "Python 3.7+\nNo additional dependencies (uses Python standard library)" }, { "title": "Entry Point", "body": "CLI: secret_scanner.py" }, { "title": "Tags", "body": "#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops" } ], "body": "Secret Scanner\n\nSecurity skill that scans code, config files, and repos for accidentally leaked secrets and credentials.\n\nWhen to Use This Skill\n\nUse this skill when the user:\n\nAsks to \"check for leaked secrets\" or \"scan for API keys\"\nWants to audit a repo or folder before committing or publishing\nSays \"are there any hardcoded passwords in this code?\"\nAsks to \"find credentials\" or \"check for exposed tokens\"\nWants pre-commit or pre-publish security checks\nMentions concern about accidentally checking in secrets\nCapabilities\nDetect 40+ secret patterns including:\nAWS Access Keys, Secret Keys, Session Tokens\nAzure Storage Keys, Connection Strings, SAS Tokens\nGCP Service Account Keys, API Keys\nGitHub / GitLab / Bitbucket Personal Access Tokens\nOpenAI, Anthropic, Hugging Face API Keys\nSlack Bot Tokens, Webhooks\nStripe, Twilio, SendGrid Keys\nDatabase connection strings (MongoDB, PostgreSQL, MySQL, Redis)\nSSH Private Keys, PEM/PFX Certificates\nJWT Tokens, Bearer Tokens\nGeneric passwords in config files (password=, secret=, token=)\nScan individual files, directories, or entire repos recursively\nIgnore binary files, node_modules, .git, and other non-relevant paths\nOutput results as Markdown report or JSON\nProvide severity ratings (Critical, High, Medium, Low)\nSuggest remediation for each finding\nHow to Scan\nScan a directory\npython secret_scanner.py /path/to/project\n\nScan with JSON output\npython secret_scanner.py /path/to/project --json\n\nScan and save report\npython secret_scanner.py /path/to/project --output report.md\n\nWithin an Agent\n\"Scan this project for leaked secrets\"\n\"Check if there are any API keys in the codebase\"\n\"Run secret-scanner on the current directory\"\n\"Find hardcoded passwords in my config files\"\n\"Audit this repo before I push to GitHub\"\n\nSecret Patterns Detected\nCloud Provider Keys\nProvider\tSecrets Detected\nAWS\tAccess Key ID (AKIA...), Secret Access Key, Session Token\nAzure\tStorage Account Key, Connection String, SAS Token, Client Secret\nGCP\tAPI Key (AIza...), Service Account JSON, OAuth Client Secret\nAI / LLM Keys\nService\tPattern\nOpenAI\tsk- prefixed API keys\nAnthropic\tsk-ant- prefixed keys\nHugging Face\thf_ prefixed tokens\nCohere\tAPI keys in config\nDeveloper Platforms\nPlatform\tSecrets Detected\nGitHub\tghp_, gho_, ghu_, ghs_, ghr_ tokens\nGitLab\tglpat- tokens\nSlack\txoxb-, xoxp-, xoxs- tokens, webhook URLs\nStripe\tsk_live_, sk_test_, rk_live_ keys\nTwilio\tAccount SID, Auth Token\nSendGrid\tSG. prefixed API keys\nDatabases & Infrastructure\nType\tPattern\nMongoDB\tmongodb:// or mongodb+srv:// with credentials\nPostgreSQL\tpostgresql:// with embedded password\nMySQL\tmysql:// with embedded password\nRedis\tredis:// with password\nSSH\t-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----\nCertificates\tPEM, PFX, P12 with embedded keys\nGeneric Patterns\nPattern\tDescription\npassword=\tHardcoded passwords in config/env files\nsecret=\tHardcoded secrets\ntoken=\tHardcoded tokens\nBearer\tBearer tokens in code\nBasic Auth\tBase64-encoded basic auth headers\nJWT\teyJ prefixed JWT tokens\nHigh Entropy\tLong random strings that look like secrets\nSeverity Levels\nSeverity\tDescription\tExamples\n🔴 Critical\tActive production credentials\tAWS Secret Key, Private Keys, DB passwords\n🟠 High\tService tokens with broad access\tGitHub PAT, Slack Bot Token, Stripe Live Key\n🟡 Medium\tKeys that may be test/dev\tTest API keys, example tokens\n🟢 Low\tPotential false positives\tGeneric password= in comments, placeholder values\nFiles Scanned\n\nScans these file types by default:\n\nSource code: .py, .js, .ts, .java, .go, .rb, .php, .cs, .rs\nConfig: .json, .yaml, .yml, .toml, .ini, .cfg, .conf\nEnvironment: .env, .env.local, .env.production\nShell: .sh, .bash, .zsh, .ps1\nDocs: .md, .txt\nOther: Dockerfile, docker-compose.yml, Makefile\nIgnored Paths\n\nAutomatically skips:\n\nnode_modules/, vendor/, venv/, .venv/\n.git/, .svn/\n__pycache__/, .pytest_cache/\nBinary files, images, compiled outputs\npackage-lock.json, yarn.lock\nRemediation Guidance\n\nWhen secrets are found, the skill recommends:\n\nRotate the secret immediately — assume it's compromised\nRemove from code — use environment variables or a secrets manager instead\nAdd to .gitignore — prevent .env and credential files from being committed\nUse git-filter-repo — to remove secrets from git history\nEnable pre-commit hooks — to catch secrets before they're committed\nRequirements\nPython 3.7+\nNo additional dependencies (uses Python standard library)\nEntry Point\nCLI: secret_scanner.py\nTags\n\n#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/nirwandogra/credential-scanner", "publisherUrl": "https://clawhub.ai/nirwandogra/credential-scanner", "owner": "nirwandogra", "version": "0.1.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/credential-scanner", "downloadUrl": "https://openagent3.xyz/downloads/credential-scanner", "agentUrl": "https://openagent3.xyz/skills/credential-scanner/agent", "manifestUrl": "https://openagent3.xyz/skills/credential-scanner/agent.json", "briefUrl": "https://openagent3.xyz/skills/credential-scanner/agent.md" } }