Tencent SkillHub · Developer Tools

ggshield Secret Scanner

Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: README.md, SKILL.md, ggshield_skill.py, pyproject.toml

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 1.0.2

Provenance

Publisher: amascia-gg
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 26 sections Open source page

Overview

ggshield is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.

What Are "Secrets"?

Secrets are sensitive credentials that should NEVER be committed to version control: AWS Access Keys, GCP Service Accounts, Azure credentials API tokens (GitHub, Slack, Stripe, etc.) Database passwords and connection strings Private encryption keys and certificates OAuth tokens and refresh tokens PayPal/Stripe API keys Email server credentials

Why This Matters

A single leaked secret can: 🔓 Compromise your infrastructure 💸 Incur massive cloud bills (attackers abuse your AWS account) 📊 Expose customer data (GDPR/CCPA violation) 🚨 Trigger security incidents and audits ggshield catches these before they reach your repository.

Commands Available

1. scan-repo
Scans an entire git repository for secrets (including history).
@clawd scan-repo /path/to/my/project
Output:
🔍 Scanning repository...
✅ Repository clean: 1,234 files scanned, 0 secrets found
Output on detection:
❌ Found 2 secrets:
AWS Access Key ID in config/prod.py:42
Slack API token in .env.backup:8
Use 'ggshield secret ignore --last-found' to ignore, or remove them.
2. scan-file
Scans a single file for secrets.
@clawd scan-file /path/to/config.py
3. scan-staged
Scans only staged git changes (useful pre-commit check).
@clawd scan-staged
This runs on your git add-ed changes only (fast!).
4. install-hooks
Installs ggshield as a git pre-commit hook.
@clawd install-hooks
After this, every commit is automatically scanned:
$ git commit -m "Add config"
🔍 Running ggshield pre-commit hook...
❌ Secrets detected! Commit blocked.
Remove the secrets and try again.
5. scan-docker
Scans Docker images for secrets in their layers.
@clawd scan-docker my-app:latest

Prerequisites

ggshield CLI: Install via pip pip install ggshield>=1.15.0 GitGuardian API Key: Required for secret detection Sign up: https://dashboard.gitguardian.com (free) Generate API key in Settings Set environment variable: export GITGUARDIAN_API_KEY="your-api-key-here" Python 3.8+: Required by ggshield

Install Skill

clawdhub install ggshield-scanner The skill is now available in your Moltbot workspace.

In Your Moltbot Workspace

Start a new Moltbot session to pick up the skill: moltbot start # or via messaging: @clawd list-skills

Pattern 1: Before Pushing (Security Check)

Dev: @clawd scan-repo . Moltbot: ✅ Repository clean. All good to push! Dev: git push

Pattern 2: Audit Existing Repo

Dev: @clawd scan-repo ~/my-old-project Moltbot: ❌ Found 5 secrets in history! - AWS keys in config/secrets.json - Database password in docker-compose.yml - Slack webhook in .env.example Moltbot: Recommendation: Rotate these credentials immediately. Consider using git-filter-repo to remove from history.

Pattern 3: Pre-Commit Enforcement

Dev: @clawd install-hooks Moltbot: ✅ Installed pre-commit hook Dev: echo "SECRET_TOKEN=xyz" > config.py Dev: git add config.py Dev: git commit -m "Add config" Moltbot: ❌ Pre-commit hook detected secret! Dev: rm config.py && git reset Dev: (add config to .gitignore and to environment variables instead) Dev: git commit -m "Add config" # Now works!

Pattern 4: Docker Image Security

Dev: @clawd scan-docker my-api:v1.2.3 Moltbot: ✅ Docker image clean

Environment Variables

These are required for the skill to work: VariableValueWhere to SetGITGUARDIAN_API_KEYYour API key from https://dashboard.gitguardian.com~/.bashrc or ~/.zshrcGITGUARDIAN_ENDPOINThttps://api.gitguardian.com (default, optional)Usually not needed

Optional ggshield Config

Create ~/.gitguardian/.gitguardian.yml for persistent settings: verbose: false output-format: json exit-code: true For details: https://docs.gitguardian.com/ggshield-docs/

What Data is Sent to GitGuardian?

✅ ONLY metadata is sent: Hash of the secret pattern (not the actual secret) File path (relative path only) Line number ❌ NEVER sent: Your actual secrets or credentials File contents Private keys Credentials Reference: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.

How Secrets Are Detected

ggshield uses: Entropy-based detection: Identifies high-entropy strings (random tokens) Pattern matching: Looks for known secret formats (AWS key prefixes, etc.) Public CVEs: Cross-references disclosed secrets Machine learning: Trained on leaked secrets database

"ggshield: command not found"

ggshield is not installed or not in your PATH. Fix: pip install ggshield which ggshield # Should return a path

"GITGUARDIAN_API_KEY not found"

The environment variable is not set. Fix: export GITGUARDIAN_API_KEY="your-key" # For persistence, add to ~/.bashrc or ~/.zshrc: echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc source ~/.bashrc

"401 Unauthorized"

API key is invalid or expired. Fix: # Test the API key ggshield auth status # If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens # Then: export GITGUARDIAN_API_KEY="new-key"

"Slow on large repositories"

Scanning a 50GB monorepo takes time. ggshield is doing a lot of work. Workaround: # Scan only staged changes (faster): @clawd scan-staged # Or specify a subdirectory: @clawd scan-file ./app/config.py

Ignoring False Positives

Sometimes ggshield flags a string that's NOT a secret (e.g., a test key): # Ignore the last secret found ggshield secret ignore --last-found # Ignore all in a file ggshield secret ignore --path ./config-example.py This creates .gitguardian/config.json with ignore rules.

Integrating with CI/CD

You can add secret scanning to GitHub Actions / GitLab CI: # .github/workflows/secret-scan.yml name: Secret Scan on: [push] jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - run: pip install ggshield - run: ggshield secret scan repo . env: GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

Enterprise: On-Premise Scanning

If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud: export GITGUARDIAN_ENDPOINT="https://your-instance.gitguardian.com" export GITGUARDIAN_API_KEY="your-enterprise-key"

Related Resources

ggshield Documentation: https://docs.gitguardian.com/ggshield-docs/ GitGuardian Dashboard: https://dashboard.gitguardian.com (view all secrets found) Moltbot Skills: https://docs.molt.bot/tools/clawdhub Secret Management Best Practices: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html

Support

Bug reports: https://github.com/GitGuardian/ggshield-skill/issues Questions: Open an issue or comment on ClawdHub ggshield issues: https://github.com/GitGuardian/ggshield/issues

License

MIT License - See LICENSE file

Contributors

GitGuardian Team [Your contributions welcome!] Version: 1.0.0 Last updated: January 2026 Maintainer: GitGuardian

Category context

Code helpers, APIs, CLIs, browser automation, testing, and developer operations.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

2 Docs1 Scripts1 Files

SKILL.md Primary doc
README.md Docs
ggshield_skill.py Scripts
pyproject.toml Files