secret-scanner

Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret patterns across all major cloud providers and services.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "secret-scanner" with this command: npx skills add nirwandogra/credential-scanner

Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.

When to Use This Skill

Use this skill when the user:

  • Asks to "check for leaked secrets" or "scan for API keys"
  • Wants to audit a repo or folder before committing or publishing
  • Says "are there any hardcoded passwords in this code?"
  • Asks to "find credentials" or "check for exposed tokens"
  • Wants pre-commit or pre-publish security checks
  • Mentions concern about accidentally checking in secrets

Capabilities

  • Detect 40+ secret patterns including:
    • AWS Access Keys, Secret Keys, Session Tokens
    • Azure Storage Keys, Connection Strings, SAS Tokens
    • GCP Service Account Keys, API Keys
    • GitHub / GitLab / Bitbucket Personal Access Tokens
    • OpenAI, Anthropic, Hugging Face API Keys
    • Slack Bot Tokens, Webhooks
    • Stripe, Twilio, SendGrid Keys
    • Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
    • SSH Private Keys, PEM/PFX Certificates
    • JWT Tokens, Bearer Tokens
    • Generic passwords in config files (password=, secret=, token=)
  • Scan individual files, directories, or entire repos recursively
  • Ignore binary files, node_modules, .git, and other non-relevant paths
  • Output results as Markdown report or JSON
  • Provide severity ratings (Critical, High, Medium, Low)
  • Suggest remediation for each finding

How to Scan

Scan a directory

python secret_scanner.py /path/to/project

Scan with JSON output

python secret_scanner.py /path/to/project --json

Scan and save report

python secret_scanner.py /path/to/project --output report.md

Within an Agent

"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"

Secret Patterns Detected

Cloud Provider Keys

ProviderSecrets Detected
AWSAccess Key ID (AKIA...), Secret Access Key, Session Token
AzureStorage Account Key, Connection String, SAS Token, Client Secret
GCPAPI Key (AIza...), Service Account JSON, OAuth Client Secret

AI / LLM Keys

ServicePattern
OpenAIsk- prefixed API keys
Anthropicsk-ant- prefixed keys
Hugging Facehf_ prefixed tokens
CohereAPI keys in config

Developer Platforms

PlatformSecrets Detected
GitHubghp_, gho_, ghu_, ghs_, ghr_ tokens
GitLabglpat- tokens
Slackxoxb-, xoxp-, xoxs- tokens, webhook URLs
Stripesk_live_, sk_test_, rk_live_ keys
TwilioAccount SID, Auth Token
SendGridSG. prefixed API keys

Databases & Infrastructure

TypePattern
MongoDBmongodb:// or mongodb+srv:// with credentials
PostgreSQLpostgresql:// with embedded password
MySQLmysql:// with embedded password
Redisredis:// with password
SSH-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----
CertificatesPEM, PFX, P12 with embedded keys

Generic Patterns

PatternDescription
password=Hardcoded passwords in config/env files
secret=Hardcoded secrets
token=Hardcoded tokens
BearerBearer tokens in code
Basic AuthBase64-encoded basic auth headers
JWTeyJ prefixed JWT tokens
High EntropyLong random strings that look like secrets

Severity Levels

SeverityDescriptionExamples
🔴 CriticalActive production credentialsAWS Secret Key, Private Keys, DB passwords
🟠 HighService tokens with broad accessGitHub PAT, Slack Bot Token, Stripe Live Key
🟡 MediumKeys that may be test/devTest API keys, example tokens
🟢 LowPotential false positivesGeneric password= in comments, placeholder values

Files Scanned

Scans these file types by default:

  • Source code: .py, .js, .ts, .java, .go, .rb, .php, .cs, .rs
  • Config: .json, .yaml, .yml, .toml, .ini, .cfg, .conf
  • Environment: .env, .env.local, .env.production
  • Shell: .sh, .bash, .zsh, .ps1
  • Docs: .md, .txt
  • Other: Dockerfile, docker-compose.yml, Makefile

Ignored Paths

Automatically skips:

  • node_modules/, vendor/, venv/, .venv/
  • .git/, .svn/
  • __pycache__/, .pytest_cache/
  • Binary files, images, compiled outputs
  • package-lock.json, yarn.lock

Remediation Guidance

When secrets are found, the skill recommends:

  1. Rotate the secret immediately — assume it's compromised
  2. Remove from code — use environment variables or a secrets manager instead
  3. Add to .gitignore — prevent .env and credential files from being committed
  4. Use git-filter-repo — to remove secrets from git history
  5. Enable pre-commit hooks — to catch secrets before they're committed

Requirements

  • Python 3.7+
  • No additional dependencies (uses Python standard library)

Entry Point

  • CLI: secret_scanner.py

Tags

#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

Digicert

DigiCert integration. Manage Certificates, Orders, Users, Organizations. Use when the user wants to interact with DigiCert data.

Registry SourceRecently Updated
2540membranedev
General

Dialpad

Dialpad integration. Manage Users, Groups, Departments, Offices. Use when the user wants to interact with Dialpad data.

Registry SourceRecently Updated
3270membranedev
General

Darwinbox

Darwinbox integration. Manage Organizations, Goals, Roles, Projects, Pipelines, Leads and more. Use when the user wants to interact with Darwinbox data.

Registry SourceRecently Updated
2700membranedev
General

Creatio

Creatio integration. Manage Leads, Organizations, Users. Use when the user wants to interact with Creatio data.

Registry SourceRecently Updated
3310membranedev