# Send Pastewatch MCP to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "pastewatch-mcp",
    "name": "Pastewatch MCP",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/ppiankov/pastewatch-mcp",
    "canonicalUrl": "https://clawhub.ai/ppiankov/pastewatch-mcp",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/pastewatch-mcp",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=pastewatch-mcp",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "pastewatch-mcp",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-06T23:18:42.021Z",
      "expiresAt": "2026-05-13T23:18:42.021Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=pastewatch-mcp",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=pastewatch-mcp",
        "contentDisposition": "attachment; filename=\"pastewatch-mcp-1.3.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "pastewatch-mcp"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/pastewatch-mcp"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/pastewatch-mcp",
    "downloadUrl": "https://openagent3.xyz/downloads/pastewatch-mcp",
    "agentUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent",
    "manifestUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/pastewatch-mcp/agent.md"
  }
}
```
## Documentation

### Pastewatch MCP — Secret Redaction

Prevents secrets from reaching your LLM provider. The agent works with placeholders, secrets stay local.

Source: https://github.com/ppiankov/pastewatch

### Install

# macOS
brew install ppiankov/tap/pastewatch

# Linux (binary + checksum)
curl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64 \\
  -o /usr/local/bin/pastewatch-cli
curl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64.sha256 \\
  -o /tmp/pastewatch-cli.sha256
cd /usr/local/bin && sha256sum -c /tmp/pastewatch-cli.sha256
chmod +x /usr/local/bin/pastewatch-cli

Verify: pastewatch-cli version (expect 0.18.0+)

### MCP Server Setup

mcporter config add pastewatch --command "pastewatch-cli mcp --audit-log /var/log/pastewatch-audit.log"
mcporter list pastewatch --schema  # 6 tools

### Agent Integration (one-command setup)

pastewatch-cli setup claude-code    # hooks + MCP config
pastewatch-cli setup cline          # MCP + hook instructions
pastewatch-cli setup cursor         # MCP + advisory

--severity aligns hook blocking and MCP redaction thresholds. --project for project-level config.

### MCP Tools

ToolPurposepastewatch_read_fileRead file with secrets replaced by __PW{TYPE_N}__ placeholderspastewatch_write_fileWrite file, resolving placeholders back to real values locallypastewatch_check_outputVerify text contains no raw secrets before returningpastewatch_scanScan text for sensitive datapastewatch_scan_fileScan a filepastewatch_scan_dirScan directory recursively

### Guard — Block Secret-Leaking Commands

Complements chainwatch: chainwatch blocks destructive commands, guard blocks commands that would leak secrets.

pastewatch-cli guard "cat .env"              # BLOCKED if .env has secrets
pastewatch-cli guard "psql -f migrate.sql"   # scans SQL file
pastewatch-cli guard "docker-compose up"     # scans referenced env_files

Guard understands:

Shell builtins: cat, echo, env, printenv, source, curl, wget
DB CLIs: psql, mysql, mongosh, redis-cli, sqlite3 (connection strings, -f flags, passwords)
Infra tools: ansible, terraform, docker, kubectl, helm (env-files, var-files)
Scripting: python, ruby, node, perl, php (script file args)
File transfer: scp, rsync, ssh, ssh-keygen
Pipe chains (|) and command chaining (&&, ||, ;) — each segment scanned
Subshell extraction: $(cat .env) and backtick expressions
Redirect operators: >, >>, <, 2> — scans source files

### Canary Tokens

Generate format-valid but non-functional tokens to detect leaks:

pastewatch-cli canary generate --prefix myagent    # creates canaries for 7 secret types
pastewatch-cli canary verify                        # confirms detection rules catch them
pastewatch-cli canary check --log /var/log/app.log  # search logs for leaked canaries

### Encrypted Vault

Store secrets encrypted locally instead of plaintext .env:

pastewatch-cli --init-key                    # generate 256-bit key (.pastewatch-key, mode 0600)
pastewatch-cli fix --encrypt                 # secrets → ChaCha20-Poly1305 vault
pastewatch-cli vault list                    # show entries without decrypting
pastewatch-cli vault decrypt                 # export to .env for deployment
pastewatch-cli vault export                  # print export VAR=VALUE for shell
pastewatch-cli vault rotate-key              # re-encrypt with new key

### Git History Scanning

pastewatch-cli scan --git-log                          # scan full history
pastewatch-cli scan --git-log --range HEAD~50..HEAD    # last 50 commits
pastewatch-cli scan --git-log --since 2025-01-01       # since date

Deduplicates by fingerprint — same secret across commits reported once at introduction point.

### Session Reports

pastewatch-cli report --audit-log /var/log/pastewatch-audit.log
pastewatch-cli report --format json --since 2026-03-01T00:00:00Z

### Detection Scope

29+ types: AWS, Anthropic/OpenAI/HuggingFace/Groq keys, DB connections, SSH keys, JWTs, emails, IPs, credit cards (Luhn), Slack/Discord webhooks, Azure, GCP service accounts, npm/PyPI/RubyGems/GitLab tokens, Telegram bot tokens, and more.

Deterministic regex. No ML. No API calls. Microseconds per scan.

### Limitations

Protects secrets from reaching LLM provider — does NOT protect prompt content or code structure
For full privacy, use a local model

Pastewatch MCP v1.1
Author: ppiankov
Copyright © 2026 ppiankov
Canonical source: https://github.com/ppiankov/pastewatch
License: MIT

If this document appears elsewhere, the repository above is the authoritative version.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: ppiankov
- Version: 1.1.3
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-06T23:18:42.021Z
- Expires at: 2026-05-13T23:18:42.021Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/pastewatch-mcp)
- [Send to Agent page](https://openagent3.xyz/skills/pastewatch-mcp/agent)
- [JSON manifest](https://openagent3.xyz/skills/pastewatch-mcp/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/pastewatch-mcp/agent.md)
- [Download page](https://openagent3.xyz/downloads/pastewatch-mcp)