# Send Credential Scanner to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "credential-scanner",
    "name": "Credential Scanner",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/nirwandogra/credential-scanner",
    "canonicalUrl": "https://clawhub.ai/nirwandogra/credential-scanner",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/credential-scanner",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-scanner",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "README.md",
      "secret_scanner.py",
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "credential-scanner",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-02T04:38:00.986Z",
      "expiresAt": "2026-05-09T04:38:00.986Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-scanner",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-scanner",
        "contentDisposition": "attachment; filename=\"credential-scanner-0.1.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "credential-scanner"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/credential-scanner"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/credential-scanner",
    "downloadUrl": "https://openagent3.xyz/downloads/credential-scanner",
    "agentUrl": "https://openagent3.xyz/skills/credential-scanner/agent",
    "manifestUrl": "https://openagent3.xyz/skills/credential-scanner/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/credential-scanner/agent.md"
  }
}
```
## Documentation

### Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.

### When to Use This Skill

Use this skill when the user:

Asks to "check for leaked secrets" or "scan for API keys"
Wants to audit a repo or folder before committing or publishing
Says "are there any hardcoded passwords in this code?"
Asks to "find credentials" or "check for exposed tokens"
Wants pre-commit or pre-publish security checks
Mentions concern about accidentally checking in secrets

### Capabilities

Detect 40+ secret patterns including:

AWS Access Keys, Secret Keys, Session Tokens
Azure Storage Keys, Connection Strings, SAS Tokens
GCP Service Account Keys, API Keys
GitHub / GitLab / Bitbucket Personal Access Tokens
OpenAI, Anthropic, Hugging Face API Keys
Slack Bot Tokens, Webhooks
Stripe, Twilio, SendGrid Keys
Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
SSH Private Keys, PEM/PFX Certificates
JWT Tokens, Bearer Tokens
Generic passwords in config files (password=, secret=, token=)


Scan individual files, directories, or entire repos recursively
Ignore binary files, node_modules, .git, and other non-relevant paths
Output results as Markdown report or JSON
Provide severity ratings (Critical, High, Medium, Low)
Suggest remediation for each finding

### Scan a directory

python secret_scanner.py /path/to/project

### Scan with JSON output

python secret_scanner.py /path/to/project --json

### Scan and save report

python secret_scanner.py /path/to/project --output report.md

### Within an Agent

"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"

### Cloud Provider Keys

ProviderSecrets DetectedAWSAccess Key ID (AKIA...), Secret Access Key, Session TokenAzureStorage Account Key, Connection String, SAS Token, Client SecretGCPAPI Key (AIza...), Service Account JSON, OAuth Client Secret

### AI / LLM Keys

ServicePatternOpenAIsk- prefixed API keysAnthropicsk-ant- prefixed keysHugging Facehf_ prefixed tokensCohereAPI keys in config

### Developer Platforms

PlatformSecrets DetectedGitHubghp_, gho_, ghu_, ghs_, ghr_ tokensGitLabglpat- tokensSlackxoxb-, xoxp-, xoxs- tokens, webhook URLsStripesk_live_, sk_test_, rk_live_ keysTwilioAccount SID, Auth TokenSendGridSG. prefixed API keys

### Databases & Infrastructure

TypePatternMongoDBmongodb:// or mongodb+srv:// with credentialsPostgreSQLpostgresql:// with embedded passwordMySQLmysql:// with embedded passwordRedisredis:// with passwordSSH-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----CertificatesPEM, PFX, P12 with embedded keys

### Generic Patterns

PatternDescriptionpassword=Hardcoded passwords in config/env filessecret=Hardcoded secretstoken=Hardcoded tokensBearerBearer tokens in codeBasic AuthBase64-encoded basic auth headersJWTeyJ prefixed JWT tokensHigh EntropyLong random strings that look like secrets

### Severity Levels

SeverityDescriptionExamples🔴 CriticalActive production credentialsAWS Secret Key, Private Keys, DB passwords🟠 HighService tokens with broad accessGitHub PAT, Slack Bot Token, Stripe Live Key🟡 MediumKeys that may be test/devTest API keys, example tokens🟢 LowPotential false positivesGeneric password= in comments, placeholder values

### Files Scanned

Scans these file types by default:

Source code: .py, .js, .ts, .java, .go, .rb, .php, .cs, .rs
Config: .json, .yaml, .yml, .toml, .ini, .cfg, .conf
Environment: .env, .env.local, .env.production
Shell: .sh, .bash, .zsh, .ps1
Docs: .md, .txt
Other: Dockerfile, docker-compose.yml, Makefile

### Ignored Paths

Automatically skips:

node_modules/, vendor/, venv/, .venv/
.git/, .svn/
__pycache__/, .pytest_cache/
Binary files, images, compiled outputs
package-lock.json, yarn.lock

### Remediation Guidance

When secrets are found, the skill recommends:

Rotate the secret immediately — assume it's compromised
Remove from code — use environment variables or a secrets manager instead
Add to .gitignore — prevent .env and credential files from being committed
Use git-filter-repo — to remove secrets from git history
Enable pre-commit hooks — to catch secrets before they're committed

### Requirements

Python 3.7+
No additional dependencies (uses Python standard library)

### Entry Point

CLI: secret_scanner.py

### Tags

#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: nirwandogra
- Version: 0.1.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-02T04:38:00.986Z
- Expires at: 2026-05-09T04:38:00.986Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/credential-scanner)
- [Send to Agent page](https://openagent3.xyz/skills/credential-scanner/agent)
- [JSON manifest](https://openagent3.xyz/skills/credential-scanner/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/credential-scanner/agent.md)
- [Download page](https://openagent3.xyz/downloads/credential-scanner)