๐Ÿ”
12917 skills
โ† All skills
Tencent SkillHub ยท Developer Tools

Pastewatch MCP

Secret redaction MCP server for OpenClaw agents. Prevents API keys, DB credentials, SSH keys, emails, IPs, JWTs, and 29 other secret types from leaking to LL...

skill openclawclawhub Free
0 Downloads
0 Stars
0 Installs
0 Score
High Signal

Secret redaction MCP server for OpenClaw agents. Prevents API keys, DB credentials, SSH keys, emails, IPs, JWTs, and 29 other secret types from leaking to LL...

โฌ‡ 0 downloads โ˜… 0 stars Unverified but indexed

Install for OpenClaw

Quick setup
  1. Download the package from Yavira.
  2. Extract the archive and review SKILL.md first.
  3. Import or place the package into your OpenClaw setup.

Requirements

Target platform
OpenClaw
Install method
Manual import
Extraction
Extract archive
Prerequisites
OpenClaw
Primary doc
SKILL.md

Package facts

Download mode
Yavira redirect
Package format
ZIP package
Source platform
Tencent SkillHub
What's included
SKILL.md

Validation

  • Use the Yavira download entry.
  • Review SKILL.md after the package is downloaded.
  • Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

  1. Download the package from Yavira.
  2. Extract it into a folder your agent can access.
  3. Paste one of the prompts below and point your agent at the extracted folder.
New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source
Tencent SkillHub
Verification
Indexed source record
Version
1.1.3

Documentation

ClawHub primary doc Primary doc: SKILL.md 12 sections Open source page

Pastewatch MCP โ€” Secret Redaction

Prevents secrets from reaching your LLM provider. The agent works with placeholders, secrets stay local. Source: https://github.com/ppiankov/pastewatch

Install

# macOS brew install ppiankov/tap/pastewatch # Linux (binary + checksum) curl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64 \ -o /usr/local/bin/pastewatch-cli curl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64.sha256 \ -o /tmp/pastewatch-cli.sha256 cd /usr/local/bin && sha256sum -c /tmp/pastewatch-cli.sha256 chmod +x /usr/local/bin/pastewatch-cli Verify: pastewatch-cli version (expect 0.18.0+)

MCP Server Setup

mcporter config add pastewatch --command "pastewatch-cli mcp --audit-log /var/log/pastewatch-audit.log" mcporter list pastewatch --schema # 6 tools

Agent Integration (one-command setup)

pastewatch-cli setup claude-code # hooks + MCP config pastewatch-cli setup cline # MCP + hook instructions pastewatch-cli setup cursor # MCP + advisory --severity aligns hook blocking and MCP redaction thresholds. --project for project-level config.

MCP Tools

ToolPurposepastewatch_read_fileRead file with secrets replaced by __PW{TYPE_N}__ placeholderspastewatch_write_fileWrite file, resolving placeholders back to real values locallypastewatch_check_outputVerify text contains no raw secrets before returningpastewatch_scanScan text for sensitive datapastewatch_scan_fileScan a filepastewatch_scan_dirScan directory recursively

Guard โ€” Block Secret-Leaking Commands

Complements chainwatch: chainwatch blocks destructive commands, guard blocks commands that would leak secrets. pastewatch-cli guard "cat .env" # BLOCKED if .env has secrets pastewatch-cli guard "psql -f migrate.sql" # scans SQL file pastewatch-cli guard "docker-compose up" # scans referenced env_files Guard understands: Shell builtins: cat, echo, env, printenv, source, curl, wget DB CLIs: psql, mysql, mongosh, redis-cli, sqlite3 (connection strings, -f flags, passwords) Infra tools: ansible, terraform, docker, kubectl, helm (env-files, var-files) Scripting: python, ruby, node, perl, php (script file args) File transfer: scp, rsync, ssh, ssh-keygen Pipe chains (|) and command chaining (&&, ||, ;) โ€” each segment scanned Subshell extraction: $(cat .env) and backtick expressions Redirect operators: >, >>, <, 2> โ€” scans source files

Canary Tokens

Generate format-valid but non-functional tokens to detect leaks: pastewatch-cli canary generate --prefix myagent # creates canaries for 7 secret types pastewatch-cli canary verify # confirms detection rules catch them pastewatch-cli canary check --log /var/log/app.log # search logs for leaked canaries

Encrypted Vault

Store secrets encrypted locally instead of plaintext .env: pastewatch-cli --init-key # generate 256-bit key (.pastewatch-key, mode 0600) pastewatch-cli fix --encrypt # secrets โ†’ ChaCha20-Poly1305 vault pastewatch-cli vault list # show entries without decrypting pastewatch-cli vault decrypt # export to .env for deployment pastewatch-cli vault export # print export VAR=VALUE for shell pastewatch-cli vault rotate-key # re-encrypt with new key

Git History Scanning

pastewatch-cli scan --git-log # scan full history pastewatch-cli scan --git-log --range HEAD~50..HEAD # last 50 commits pastewatch-cli scan --git-log --since 2025-01-01 # since date Deduplicates by fingerprint โ€” same secret across commits reported once at introduction point.

Session Reports

pastewatch-cli report --audit-log /var/log/pastewatch-audit.log pastewatch-cli report --format json --since 2026-03-01T00:00:00Z

Detection Scope

29+ types: AWS, Anthropic/OpenAI/HuggingFace/Groq keys, DB connections, SSH keys, JWTs, emails, IPs, credit cards (Luhn), Slack/Discord webhooks, Azure, GCP service accounts, npm/PyPI/RubyGems/GitLab tokens, Telegram bot tokens, and more. Deterministic regex. No ML. No API calls. Microseconds per scan.

Limitations

Protects secrets from reaching LLM provider โ€” does NOT protect prompt content or code structure For full privacy, use a local model Pastewatch MCP v1.1 Author: ppiankov Copyright ยฉ 2026 ppiankov Canonical source: https://github.com/ppiankov/pastewatch License: MIT If this document appears elsewhere, the repository above is the authoritative version.

Category context

Code helpers, APIs, CLIs, browser automation, testing, and developer operations.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package
1 Docs
  • SKILL.md Primary doc

Related skills

readyClaw Free
Featured

API Architect

Design contracts before code

Designs contracts before implementation and treats REST, GraphQL, and gRPC as tools rather than dogma.

Developer Tools agent claude
souls.zip $149
Featured

The Dev Team

A four-agent engineering squad for shipping products

Four-agent engineering team spanning CTO, frontend, backend, and design roles, built to mirror the stack behind souls.zip.

Developer Tools team openclaw
readyClaw Free
Featured

Web Platform Engineer

Build for the open web with strong fundamentals

A web engineering agent grounded in HTML semantics, CSS layout systems, and browser-native resilience.

Developer Tools agent claude