{
  "schemaVersion": "1.0",
  "item": {
    "slug": "ggshield-scanner",
    "name": "ggshield Secret Scanner",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/amascia-gg/ggshield-scanner",
    "canonicalUrl": "https://clawhub.ai/amascia-gg/ggshield-scanner",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/ggshield-scanner",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ggshield-scanner",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md",
      "ggshield_skill.py",
      "pyproject.toml"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-07T17:22:31.273Z",
      "expiresAt": "2026-05-14T17:22:31.273Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
        "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/ggshield-scanner"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/ggshield-scanner",
    "agentPageUrl": "https://openagent3.xyz/skills/ggshield-scanner/agent",
    "manifestUrl": "https://openagent3.xyz/skills/ggshield-scanner/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/ggshield-scanner/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Overview",
        "body": "ggshield is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent."
      },
      {
        "title": "What Are \"Secrets\"?",
        "body": "Secrets are sensitive credentials that should NEVER be committed to version control:\n\nAWS Access Keys, GCP Service Accounts, Azure credentials\nAPI tokens (GitHub, Slack, Stripe, etc.)\nDatabase passwords and connection strings\nPrivate encryption keys and certificates\nOAuth tokens and refresh tokens\nPayPal/Stripe API keys\nEmail server credentials"
      },
      {
        "title": "Why This Matters",
        "body": "A single leaked secret can:\n\n🔓 Compromise your infrastructure\n💸 Incur massive cloud bills (attackers abuse your AWS account)\n📊 Expose customer data (GDPR/CCPA violation)\n🚨 Trigger security incidents and audits\n\nggshield catches these before they reach your repository."
      },
      {
        "title": "Commands Available",
        "body": "1. scan-repo\n\nScans an entire git repository for secrets (including history).\n\n@clawd scan-repo /path/to/my/project\n\nOutput:\n\n🔍 Scanning repository...\n✅ Repository clean: 1,234 files scanned, 0 secrets found\n\nOutput on detection:\n\n❌ Found 2 secrets:\n\n- AWS Access Key ID in config/prod.py:42\n- Slack API token in .env.backup:8\n\nUse 'ggshield secret ignore --last-found' to ignore, or remove them.\n\n2. scan-file\n\nScans a single file for secrets.\n\n@clawd scan-file /path/to/config.py\n\n3. scan-staged\n\nScans only staged git changes (useful pre-commit check).\n\n@clawd scan-staged\n\nThis runs on your git add-ed changes only (fast!).\n\n4. install-hooks\n\nInstalls ggshield as a git pre-commit hook.\n\n@clawd install-hooks\n\nAfter this, every commit is automatically scanned:\n\n$ git commit -m \"Add config\"\n🔍 Running ggshield pre-commit hook...\n❌ Secrets detected! Commit blocked.\nRemove the secrets and try again.\n\n5. scan-docker\n\nScans Docker images for secrets in their layers.\n\n@clawd scan-docker my-app:latest"
      },
      {
        "title": "Prerequisites",
        "body": "ggshield CLI: Install via pip\npip install \"ggshield>=1.15.0\"  # quoted so the shell does not treat > as an output redirect\n\n\n\nGitGuardian API Key: Required for secret detection\n\nSign up: https://dashboard.gitguardian.com (free)\nGenerate API key in Settings\nSet environment variable:\n\nexport GITGUARDIAN_API_KEY=\"your-api-key-here\"\n\nPython 3.8+: Required by ggshield"
      },
      {
        "title": "Install Skill",
        "body": "clawdhub install ggshield-scanner\n\nThe skill is now available in your Moltbot workspace."
      },
      {
        "title": "In Your Moltbot Workspace",
        "body": "Start a new Moltbot session to pick up the skill:\n\nmoltbot start\n# or via messaging: @clawd list-skills"
      },
      {
        "title": "Pattern 1: Before Pushing (Security Check)",
        "body": "Dev: @clawd scan-repo .\nMoltbot: ✅ Repository clean. All good to push!\n\nDev: git push"
      },
      {
        "title": "Pattern 2: Audit Existing Repo",
        "body": "Dev: @clawd scan-repo ~/my-old-project\nMoltbot: ❌ Found 5 secrets in history!\n         - AWS keys in config/secrets.json\n         - Database password in docker-compose.yml\n         - Slack webhook in .env.example\nMoltbot: Recommendation: Rotate these credentials immediately.\n         Consider using git-filter-repo to remove from history."
      },
      {
        "title": "Pattern 3: Pre-Commit Enforcement",
        "body": "Dev: @clawd install-hooks\nMoltbot: ✅ Installed pre-commit hook\n\nDev: echo \"SECRET_TOKEN=xyz\" > config.py\nDev: git add config.py\nDev: git commit -m \"Add config\"\nMoltbot: ❌ Pre-commit hook detected secret!\nDev: rm config.py && git reset\nDev: (add config to .gitignore and to environment variables instead)\nDev: git commit -m \"Add config\" # Now works!"
      },
      {
        "title": "Pattern 4: Docker Image Security",
        "body": "Dev: @clawd scan-docker my-api:v1.2.3\nMoltbot: ✅ Docker image clean"
      },
      {
        "title": "Environment Variables",
        "body": "These are required for the skill to work:\n\nVariable\tValue\tWhere to Set\nGITGUARDIAN_API_KEY\tYour API key from https://dashboard.gitguardian.com\t~/.bashrc or ~/.zshrc\nGITGUARDIAN_ENDPOINT\thttps://api.gitguardian.com (default, optional)\tUsually not needed"
      },
      {
        "title": "Optional ggshield Config",
        "body": "Create ~/.gitguardian/.gitguardian.yml for persistent settings:\n\nverbose: false\noutput-format: json\nexit-code: true\n\nFor details: https://docs.gitguardian.com/ggshield-docs/"
      },
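      {
        "title": "What Data is Sent to GitGuardian?",
        "body": "✅ ONLY metadata is sent:\n\nHash of the secret pattern (not the actual secret)\nFile path (relative path only)\nLine number\n\n❌ NEVER sent:\n\nYour actual secrets or credentials\nFile contents\nPrivate keys\nCredentials\n\nReference: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.\n\nNote: the lists above are the skill's own description. ggshield performs detection by submitting the content being scanned to the GitGuardian API (or to the instance set in GITGUARDIAN_ENDPOINT), and the upstream ggshield documentation describes which data is stored rather than promising that file contents are never transmitted. Check the current ggshield documentation before scanning code that must not leave your environment."
      },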
      {
        "title": "How Secrets Are Detected",
        "body": "ggshield uses:\n\nEntropy-based detection: Identifies high-entropy strings (random tokens)\nPattern matching: Looks for known secret formats (AWS key prefixes, etc.)\nPublic CVEs: Cross-references disclosed secrets\nMachine learning: Trained on leaked secrets database"
      },
      {
        "title": "\"ggshield: command not found\"",
        "body": "ggshield is not installed or not in your PATH.\n\nFix:\n\npip install ggshield\nwhich ggshield  # Should return a path"
      },
      {
        "title": "\"GITGUARDIAN_API_KEY not found\"",
        "body": "The environment variable is not set.\n\nFix:\n\nexport GITGUARDIAN_API_KEY=\"your-key\"\n# For persistence, add to ~/.bashrc or ~/.zshrc:\necho 'export GITGUARDIAN_API_KEY=\"your-key\"' >> ~/.bashrc\nsource ~/.bashrc"
      },
      {
        "title": "\"401 Unauthorized\"",
        "body": "API key is invalid or expired.\n\nFix:\n\n# Test the API key\nggshield auth status\n\n# If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens\n# Then: export GITGUARDIAN_API_KEY=\"new-key\""
      },
      {
        "title": "\"Slow on large repositories\"",
        "body": "Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.\n\nWorkaround:\n\n# Scan only staged changes (faster):\n@clawd scan-staged\n\n# Or scan a single file:\n@clawd scan-file ./app/config.py"
      },
      {
        "title": "Ignoring False Positives",
        "body": "Sometimes ggshield flags a string that's NOT a secret (e.g., a test key):\n\n# Ignore the last secret found\nggshield secret ignore --last-found\n\n# Ignore all in a file\nggshield secret ignore --path ./config-example.py\n\nThis creates .gitguardian/config.json with ignore rules."
      },
      {
        "title": "Integrating with CI/CD",
        "body": "You can add secret scanning to GitHub Actions / GitLab CI:\n\n# .github/workflows/secret-scan.yml\nname: Secret Scan\non: [push]\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - run: pip install ggshield\n      - run: ggshield secret scan repo .\n        env:\n          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}"
      },
      {
        "title": "Enterprise: On-Premise Scanning",
        "body": "If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:\n\nexport GITGUARDIAN_ENDPOINT=\"https://your-instance.gitguardian.com\"\nexport GITGUARDIAN_API_KEY=\"your-enterprise-key\""
      },
      {
        "title": "Related Resources",
        "body": "ggshield Documentation: https://docs.gitguardian.com/ggshield-docs/\nGitGuardian Dashboard: https://dashboard.gitguardian.com (view all secrets found)\nMoltbot Skills: https://docs.molt.bot/tools/clawdhub\nSecret Management Best Practices: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
      },
      {
        "title": "Support",
        "body": "Bug reports: https://github.com/GitGuardian/ggshield-skill/issues\nQuestions: Open an issue or comment on ClawdHub\nggshield issues: https://github.com/GitGuardian/ggshield/issues"
      },
      {
        "title": "License",
        "body": "MIT License - See LICENSE file"
      },
      {
        "title": "Contributors",
        "body": "GitGuardian Team\n[Your contributions welcome!]\n\nVersion: 1.0.0\nLast updated: January 2026\nMaintainer: GitGuardian"
      }
    ],
    "body": "ggshield Secret Scanner\nOverview\n\nggshield is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.\n\nWhat Are \"Secrets\"?\n\nSecrets are sensitive credentials that should NEVER be committed to version control:\n\nAWS Access Keys, GCP Service Accounts, Azure credentials\nAPI tokens (GitHub, Slack, Stripe, etc.)\nDatabase passwords and connection strings\nPrivate encryption keys and certificates\nOAuth tokens and refresh tokens\nPayPal/Stripe API keys\nEmail server credentials\nWhy This Matters\n\nA single leaked secret can:\n\n🔓 Compromise your infrastructure\n💸 Incur massive cloud bills (attackers abuse your AWS account)\n📊 Expose customer data (GDPR/CCPA violation)\n🚨 Trigger security incidents and audits\n\nggshield catches these before they reach your repository.\n\nFeatures\nCommands Available\n1. scan-repo\n\nScans an entire git repository for secrets (including history).\n\n@clawd scan-repo /path/to/my/project\n\n\nOutput:\n\n🔍 Scanning repository...\n✅ Repository clean: 1,234 files scanned, 0 secrets found\n\n\nOutput on detection:\n\n❌ Found 2 secrets:\n\n- AWS Access Key ID in config/prod.py:42\n- Slack API token in .env.backup:8\n\nUse 'ggshield secret ignore --last-found' to ignore, or remove them.\n\n2. scan-file\n\nScans a single file for secrets.\n\n@clawd scan-file /path/to/config.py\n\n3. scan-staged\n\nScans only staged git changes (useful pre-commit check).\n\n@clawd scan-staged\n\n\nThis runs on your git add-ed changes only (fast!).\n\n4. install-hooks\n\nInstalls ggshield as a git pre-commit hook.\n\n@clawd install-hooks\n\n\nAfter this, every commit is automatically scanned:\n\n$ git commit -m \"Add config\"\n🔍 Running ggshield pre-commit hook...\n❌ Secrets detected! Commit blocked.\nRemove the secrets and try again.\n\n5. 
scan-docker\n\nScans Docker images for secrets in their layers.\n\n@clawd scan-docker my-app:latest\n\nInstallation\nPrerequisites\n\nggshield CLI: Install via pip\n\npip install ggshield>=1.15.0\n\n\nGitGuardian API Key: Required for secret detection\n\nSign up: https://dashboard.gitguardian.com (free)\nGenerate API key in Settings\nSet environment variable:\nexport GITGUARDIAN_API_KEY=\"your-api-key-here\"\n\nPython 3.8+: Required by ggshield\nInstall Skill\nclawdhub install ggshield-scanner\n\n\nThe skill is now available in your Moltbot workspace.\n\nIn Your Moltbot Workspace\n\nStart a new Moltbot session to pick up the skill:\n\nmoltbot start\n# or via messaging: @clawd list-skills\n\nUsage Patterns\nPattern 1: Before Pushing (Security Check)\nDev: @clawd scan-repo .\nMoltbot: ✅ Repository clean. All good to push!\n\nDev: git push\n\nPattern 2: Audit Existing Repo\nDev: @clawd scan-repo ~/my-old-project\nMoltbot: ❌ Found 5 secrets in history!\n         - AWS keys in config/secrets.json\n         - Database password in docker-compose.yml\n         - Slack webhook in .env.example\nMoltbot: Recommendation: Rotate these credentials immediately.\n         Consider using git-filter-repo to remove from history.\n\nPattern 3: Pre-Commit Enforcement\nDev: @clawd install-hooks\nMoltbot: ✅ Installed pre-commit hook\n\nDev: echo \"SECRET_TOKEN=xyz\" > config.py\nDev: git add config.py\nDev: git commit -m \"Add config\"\nMoltbot: ❌ Pre-commit hook detected secret!\nDev: rm config.py && git reset\nDev: (add config to .gitignore and to environment variables instead)\nDev: git commit -m \"Add config\" # Now works!\n\nPattern 4: Docker Image Security\nDev: @clawd scan-docker my-api:v1.2.3\nMoltbot: ✅ Docker image clean\n\nConfiguration\nEnvironment Variables\n\nThese are required for the skill to work:\n\nVariable\tValue\tWhere to Set\nGITGUARDIAN_API_KEY\tYour API key from https://dashboard.gitguardian.com\t~/.bashrc or 
~/.zshrc\nGITGUARDIAN_ENDPOINT\thttps://api.gitguardian.com (default, optional)\tUsually not needed\nOptional ggshield Config\n\nCreate ~/.gitguardian/.gitguardian.yml for persistent settings:\n\nverbose: false\noutput-format: json\nexit-code: true\n\n\nFor details: https://docs.gitguardian.com/ggshield-docs/\n\nPrivacy & Security\nWhat Data is Sent to GitGuardian?\n\n✅ ONLY metadata is sent:\n\nHash of the secret pattern (not the actual secret)\nFile path (relative path only)\nLine number\n\n❌ NEVER sent:\n\nYour actual secrets or credentials\nFile contents\nPrivate keys\nCredentials\n\nReference: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.\n\nHow Secrets Are Detected\n\nggshield uses:\n\nEntropy-based detection: Identifies high-entropy strings (random tokens)\nPattern matching: Looks for known secret formats (AWS key prefixes, etc.)\nPublic CVEs: Cross-references disclosed secrets\nMachine learning: Trained on leaked secrets database\nTroubleshooting\n\"ggshield: command not found\"\n\nggshield is not installed or not in your PATH.\n\nFix:\n\npip install ggshield\nwhich ggshield  # Should return a path\n\n\"GITGUARDIAN_API_KEY not found\"\n\nThe environment variable is not set.\n\nFix:\n\nexport GITGUARDIAN_API_KEY=\"your-key\"\n# For persistence, add to ~/.bashrc or ~/.zshrc:\necho 'export GITGUARDIAN_API_KEY=\"your-key\"' >> ~/.bashrc\nsource ~/.bashrc\n\n\"401 Unauthorized\"\n\nAPI key is invalid or expired.\n\nFix:\n\n# Test the API key\nggshield auth status\n\n# If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens\n# Then: export GITGUARDIAN_API_KEY=\"new-key\"\n\n\"Slow on large repositories\"\n\nScanning a 50GB monorepo takes time. 
ggshield is doing a lot of work.\n\nWorkaround:\n\n# Scan only staged changes (faster):\n@clawd scan-staged\n\n# Or specify a subdirectory:\n@clawd scan-file ./app/config.py\n\nAdvanced Topics\nIgnoring False Positives\n\nSometimes ggshield flags a string that's NOT a secret (e.g., a test key):\n\n# Ignore the last secret found\nggshield secret ignore --last-found\n\n# Ignore all in a file\nggshield secret ignore --path ./config-example.py\n\n\nThis creates .gitguardian/config.json with ignore rules.\n\nIntegrating with CI/CD\n\nYou can add secret scanning to GitHub Actions / GitLab CI:\n\n# .github/workflows/secret-scan.yml\nname: Secret Scan\non: [push]\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - run: pip install ggshield\n      - run: ggshield secret scan repo .\n        env:\n          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}\n\nEnterprise: On-Premise Scanning\n\nIf your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:\n\nexport GITGUARDIAN_ENDPOINT=\"https://your-instance.gitguardian.com\"\nexport GITGUARDIAN_API_KEY=\"your-enterprise-key\"\n\nRelated Resources\nggshield Documentation: https://docs.gitguardian.com/ggshield-docs/\nGitGuardian Dashboard: https://dashboard.gitguardian.com (view all secrets found)\nMoltbot Skills: https://docs.molt.bot/tools/clawdhub\nSecret Management Best Practices: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html\nSupport\nBug reports: https://github.com/GitGuardian/ggshield-skill/issues\nQuestions: Open an issue or comment on ClawdHub\nggshield issues: https://github.com/GitGuardian/ggshield/issues\nLicense\n\nMIT License - See LICENSE file\n\nContributors\nGitGuardian Team\n[Your contributions welcome!]\n\nVersion: 1.0.0 Last updated: January 2026 Maintainer: GitGuardian"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/amascia-gg/ggshield-scanner",
    "publisherUrl": "https://clawhub.ai/amascia-gg/ggshield-scanner",
    "owner": "amascia-gg",
    "version": "1.0.2",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/ggshield-scanner",
    "downloadUrl": "https://openagent3.xyz/downloads/ggshield-scanner",
    "agentUrl": "https://openagent3.xyz/skills/ggshield-scanner/agent",
    "manifestUrl": "https://openagent3.xyz/skills/ggshield-scanner/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/ggshield-scanner/agent.md"
  }
}