{ "schemaVersion": "1.0", "item": { "slug": "pastewatch-mcp", "name": "Pastewatch MCP", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/ppiankov/pastewatch-mcp", "canonicalUrl": "https://clawhub.ai/ppiankov/pastewatch-mcp", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/pastewatch-mcp", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=pastewatch-mcp", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/pastewatch-mcp" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/pastewatch-mcp", "agentPageUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent", "manifestUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent.json", "briefUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Pastewatch MCP — Secret Redaction", "body": "Prevents secrets from reaching your LLM provider. The agent works with placeholders, secrets stay local.\n\nSource: https://github.com/ppiankov/pastewatch" }, { "title": "Install", "body": "# macOS\nbrew install ppiankov/tap/pastewatch\n\n# Linux (binary + checksum)\ncurl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64 \\\n -o /usr/local/bin/pastewatch-cli\ncurl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64.sha256 \\\n -o /tmp/pastewatch-cli.sha256\ncd /usr/local/bin && sha256sum -c /tmp/pastewatch-cli.sha256\nchmod +x /usr/local/bin/pastewatch-cli\n\nVerify: pastewatch-cli version (expect 0.18.0+)" }, { "title": "MCP Server Setup", "body": "mcporter config add pastewatch --command \"pastewatch-cli mcp --audit-log /var/log/pastewatch-audit.log\"\nmcporter list pastewatch --schema # 6 tools" }, { "title": "Agent Integration (one-command setup)", "body": "pastewatch-cli setup claude-code # hooks + MCP config\npastewatch-cli setup cline # MCP + hook instructions\npastewatch-cli setup cursor # MCP + advisory\n\n--severity aligns hook blocking and MCP redaction thresholds. --project for project-level config." }, { "title": "MCP Tools", "body": "ToolPurposepastewatch_read_fileRead file with secrets replaced by __PW{TYPE_N}__ placeholderspastewatch_write_fileWrite file, resolving placeholders back to real values locallypastewatch_check_outputVerify text contains no raw secrets before returningpastewatch_scanScan text for sensitive datapastewatch_scan_fileScan a filepastewatch_scan_dirScan directory recursively" }, { "title": "Guard — Block Secret-Leaking Commands", "body": "Complements chainwatch: chainwatch blocks destructive commands, guard blocks commands that would leak secrets.\n\npastewatch-cli guard \"cat .env\" # BLOCKED if .env has secrets\npastewatch-cli guard \"psql -f migrate.sql\" # scans SQL file\npastewatch-cli guard \"docker-compose up\" # scans referenced env_files\n\nGuard understands:\n\nShell builtins: cat, echo, env, printenv, source, curl, wget\nDB CLIs: psql, mysql, mongosh, redis-cli, sqlite3 (connection strings, -f flags, passwords)\nInfra tools: ansible, terraform, docker, kubectl, helm (env-files, var-files)\nScripting: python, ruby, node, perl, php (script file args)\nFile transfer: scp, rsync, ssh, ssh-keygen\nPipe chains (|) and command chaining (&&, ||, ;) — each segment scanned\nSubshell extraction: $(cat .env) and backtick expressions\nRedirect operators: >, >>, <, 2> — scans source files" }, { "title": "Canary Tokens", "body": "Generate format-valid but non-functional tokens to detect leaks:\n\npastewatch-cli canary generate --prefix myagent # creates canaries for 7 secret types\npastewatch-cli canary verify # confirms detection rules catch them\npastewatch-cli canary check --log /var/log/app.log # search logs for leaked canaries" }, { "title": "Encrypted Vault", "body": "Store secrets encrypted locally instead of plaintext .env:\n\npastewatch-cli --init-key # generate 256-bit key (.pastewatch-key, mode 0600)\npastewatch-cli fix --encrypt # secrets → ChaCha20-Poly1305 vault\npastewatch-cli vault list # show entries without decrypting\npastewatch-cli vault decrypt # export to .env for deployment\npastewatch-cli vault export # print export VAR=VALUE for shell\npastewatch-cli vault rotate-key # re-encrypt with new key" }, { "title": "Git History Scanning", "body": "pastewatch-cli scan --git-log # scan full history\npastewatch-cli scan --git-log --range HEAD~50..HEAD # last 50 commits\npastewatch-cli scan --git-log --since 2025-01-01 # since date\n\nDeduplicates by fingerprint — same secret across commits reported once at introduction point." }, { "title": "Session Reports", "body": "pastewatch-cli report --audit-log /var/log/pastewatch-audit.log\npastewatch-cli report --format json --since 2026-03-01T00:00:00Z" }, { "title": "Detection Scope", "body": "29+ types: AWS, Anthropic/OpenAI/HuggingFace/Groq keys, DB connections, SSH keys, JWTs, emails, IPs, credit cards (Luhn), Slack/Discord webhooks, Azure, GCP service accounts, npm/PyPI/RubyGems/GitLab tokens, Telegram bot tokens, and more.\n\nDeterministic regex. No ML. No API calls. Microseconds per scan." }, { "title": "Limitations", "body": "Protects secrets from reaching LLM provider — does NOT protect prompt content or code structure\nFor full privacy, use a local model\n\nPastewatch MCP v1.1\nAuthor: ppiankov\nCopyright © 2026 ppiankov\nCanonical source: https://github.com/ppiankov/pastewatch\nLicense: MIT\n\nIf this document appears elsewhere, the repository above is the authoritative version." } ], "body": "Pastewatch MCP — Secret Redaction\n\nPrevents secrets from reaching your LLM provider. The agent works with placeholders, secrets stay local.\n\nSource: https://github.com/ppiankov/pastewatch\n\nInstall\n# macOS\nbrew install ppiankov/tap/pastewatch\n\n# Linux (binary + checksum)\ncurl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64 \\\n -o /usr/local/bin/pastewatch-cli\ncurl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64.sha256 \\\n -o /tmp/pastewatch-cli.sha256\ncd /usr/local/bin && sha256sum -c /tmp/pastewatch-cli.sha256\nchmod +x /usr/local/bin/pastewatch-cli\n\n\nVerify: pastewatch-cli version (expect 0.18.0+)\n\nMCP Server Setup\nmcporter config add pastewatch --command \"pastewatch-cli mcp --audit-log /var/log/pastewatch-audit.log\"\nmcporter list pastewatch --schema # 6 tools\n\nAgent Integration (one-command setup)\npastewatch-cli setup claude-code # hooks + MCP config\npastewatch-cli setup cline # MCP + hook instructions\npastewatch-cli setup cursor # MCP + advisory\n\n\n--severity aligns hook blocking and MCP redaction thresholds. --project for project-level config.\n\nMCP Tools\nTool\tPurpose\npastewatch_read_file\tRead file with secrets replaced by __PW{TYPE_N}__ placeholders\npastewatch_write_file\tWrite file, resolving placeholders back to real values locally\npastewatch_check_output\tVerify text contains no raw secrets before returning\npastewatch_scan\tScan text for sensitive data\npastewatch_scan_file\tScan a file\npastewatch_scan_dir\tScan directory recursively\nGuard — Block Secret-Leaking Commands\n\nComplements chainwatch: chainwatch blocks destructive commands, guard blocks commands that would leak secrets.\n\npastewatch-cli guard \"cat .env\" # BLOCKED if .env has secrets\npastewatch-cli guard \"psql -f migrate.sql\" # scans SQL file\npastewatch-cli guard \"docker-compose up\" # scans referenced env_files\n\n\nGuard understands:\n\nShell builtins: cat, echo, env, printenv, source, curl, wget\nDB CLIs: psql, mysql, mongosh, redis-cli, sqlite3 (connection strings, -f flags, passwords)\nInfra tools: ansible, terraform, docker, kubectl, helm (env-files, var-files)\nScripting: python, ruby, node, perl, php (script file args)\nFile transfer: scp, rsync, ssh, ssh-keygen\nPipe chains (|) and command chaining (&&, ||, ;) — each segment scanned\nSubshell extraction: $(cat .env) and backtick expressions\nRedirect operators: >, >>, <, 2> — scans source files\nCanary Tokens\n\nGenerate format-valid but non-functional tokens to detect leaks:\n\npastewatch-cli canary generate --prefix myagent # creates canaries for 7 secret types\npastewatch-cli canary verify # confirms detection rules catch them\npastewatch-cli canary check --log /var/log/app.log # search logs for leaked canaries\n\nEncrypted Vault\n\nStore secrets encrypted locally instead of plaintext .env:\n\npastewatch-cli --init-key # generate 256-bit key (.pastewatch-key, mode 0600)\npastewatch-cli fix --encrypt # secrets → ChaCha20-Poly1305 vault\npastewatch-cli vault list # show entries without decrypting\npastewatch-cli vault decrypt # export to .env for deployment\npastewatch-cli vault export # print export VAR=VALUE for shell\npastewatch-cli vault rotate-key # re-encrypt with new key\n\nGit History Scanning\npastewatch-cli scan --git-log # scan full history\npastewatch-cli scan --git-log --range HEAD~50..HEAD # last 50 commits\npastewatch-cli scan --git-log --since 2025-01-01 # since date\n\n\nDeduplicates by fingerprint — same secret across commits reported once at introduction point.\n\nSession Reports\npastewatch-cli report --audit-log /var/log/pastewatch-audit.log\npastewatch-cli report --format json --since 2026-03-01T00:00:00Z\n\nDetection Scope\n\n29+ types: AWS, Anthropic/OpenAI/HuggingFace/Groq keys, DB connections, SSH keys, JWTs, emails, IPs, credit cards (Luhn), Slack/Discord webhooks, Azure, GCP service accounts, npm/PyPI/RubyGems/GitLab tokens, Telegram bot tokens, and more.\n\nDeterministic regex. No ML. No API calls. Microseconds per scan.\n\nLimitations\nProtects secrets from reaching LLM provider — does NOT protect prompt content or code structure\nFor full privacy, use a local model\n\nPastewatch MCP v1.1 Author: ppiankov Copyright © 2026 ppiankov Canonical source: https://github.com/ppiankov/pastewatch License: MIT\n\nIf this document appears elsewhere, the repository above is the authoritative version." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/ppiankov/pastewatch-mcp", "publisherUrl": "https://clawhub.ai/ppiankov/pastewatch-mcp", "owner": "ppiankov", "version": "1.1.3", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/pastewatch-mcp", "downloadUrl": "https://openagent3.xyz/downloads/pastewatch-mcp", "agentUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent", "manifestUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent.json", "briefUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent.md" } }