check-secrets

Scan the codebase for potential secret leaks before commits.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "check-secrets" with this command: npx skills add nozomi-koborinai/koborin-ai/nozomi-koborinai-koborin-ai-check-secrets

Trigger Examples

  • "Check for secrets"

  • "Scan for leaks"

  • "Security check"

  • "Are there any hardcoded secrets?"

Execution Flow

  1. Define Detection Patterns

High-risk patterns:

  • API keys: ['"]?[A-Z0-9_]{20,}['"]? (noisy by design: with the quotes optional it also matches any 20+ character uppercase identifier, which is why such hits belong in the Warning tier below rather than Critical)

  • Bearer tokens: Bearer\s+[A-Za-z0-9\-._~+/]+=* (the hyphen inside the brackets must be escaped or placed last; written as "9-." it is an invalid range and the pattern fails to compile)

  • Private keys: -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----

  • OAuth secrets: client_secret['"]?\s*[:=]\s*['"]?[A-Za-z0-9_-]{20,} (hyphen last; "9-_" compiles but is a range that also matches punctuation such as ":" and "@")

  • GCP service account keys: "type":\s*"service_account"

  • AWS credentials: AKIA[0-9A-Z]{16}

Project-specific patterns:

  • Hardcoded project IDs: koborin-ai (outside of variable assignments or docs)

  • Email addresses: @koborin.ai

Safe patterns (excluded):

  • Environment variable references: process.env. , ${ , TF_VAR_

  • Placeholder values: <PROJECT_ID> , YOUR_API_KEY , dummy , example

  • Test fixtures: files under tests/ , *.test.ts , *.spec.ts

  2. Scan the Codebase

Use git ls-files to get tracked files, excluding binary assets and build output (the dots are escaped so that "\.png" means the literal extension and "\.next" the literal directory, not any character followed by png or next):

git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' |
grep -v -E '^(node_modules|\.next|dist|build|coverage)/'

  3. Filter False Positives

Remove known safe occurrences:

  • Lines containing process.env. or TF_VAR_

  • Template files (.env.example , .env.template )

  • Lines with placeholder patterns (<...> , YOUR_... , REPLACE_ME )

  4. Categorize Findings

Critical (immediate action required):

  • Private keys, service account JSON

  • Hardcoded passwords or tokens

  • Real API keys with valid format

Warning (review recommended):

  • Suspicious long strings that might be keys

  • Hardcoded project IDs outside infrastructure code

Info (low risk):

  • Company name in unexpected places

  • Domain references in application code

  5. Display Results

CRITICAL: Potential private key detected
File: infra/shared/main.tf
Line: 42
Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
File: app/src/lib/api-client.ts
Line: 15
Match: const PROJECT = "koborin-ai"

Summary:

  • Critical: 1 finding(s)
  • Warning: 1 finding(s)

Review these findings before committing.

Project-Specific Rules

For koborin-ai :

  • Allow koborin-ai in infra/ and README.md

  • Flag it in app/src/ unless from environment variable

  • Allow email addresses in documentation

  • Flag GCP project IDs when hardcoded outside Pulumi config
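
The five execution-flow steps and the project-specific rules above, as one runnable pre-commit scanner. This is an added example written for this page, not code from the check-secrets skill or the koborin-ai repository. It assumes Python 3 and a git checkout, keeps the page's patterns but fixes the two character classes ([A-Za-z0-9-._~+/] does not compile because "9-." is an invalid range; [A-Za-z0-9-_] compiles but "9-_" also matches punctuation), requires quotes around a suspected API key so that plain SCREAMING_CASE identifiers do not fire, and treats *.md and docs/ as documentation and Pulumi.<stack>.yaml as Pulumi config; those two path conventions and the function names (scan_text, scan_samples, summarize, scan_repo) are this example's own choices. The sample files it scans are constructed inline, including the AKIA string, so nothing in it is a real credential.

```python
"""Pre-commit secret scan following the check-secrets flow (added example)."""
import re
import subprocess
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", "severity title path line match")

# Step 1: high-risk patterns, most severe first; the first hit on a line wins.
# A bare "-" inside [...] forms a range, so it is escaped or placed last.
HIGH_RISK = [
    ("CRITICAL", "Potential private key detected",
     re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("CRITICAL", "GCP service account key JSON", re.compile(r'"type":\s*"service_account"')),
    ("CRITICAL", "AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("CRITICAL", "OAuth client secret",
     re.compile(r"""client_secret['"]?\s*[:=]\s*['"]?[A-Za-z0-9_-]{20,}""")),
    ("CRITICAL", "Bearer token", re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*")),
    # Quotes are required here (assumption): left optional, every 20+ character
    # SCREAMING_CASE identifier would match.
    ("WARNING", "Suspicious long uppercase string", re.compile(r"""['"][A-Z0-9_]{20,}['"]""")),
]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@koborin\.ai\b")
PULUMI_CONFIG_RE = re.compile(r"(^|/)Pulumi\.[^/]+\.yaml$")
# Safe patterns and step 3 filters. Markers are case-sensitive substrings, so
# the "example" rule skips "// example" but not a key ending in "...EXAMPLE".
SAFE_LINE_MARKERS = ("process.env.", "${", "TF_VAR_", "YOUR_", "REPLACE_ME", "dummy", "example")
PLACEHOLDER_RE = re.compile(r"<[A-Z][A-Z0-9_]*>")
SKIP_DIRS = ("node_modules/", ".next/", "dist/", "build/", "coverage/")
BINARY_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2", ".ttf", ".eot", ".ico", ".pdf")

def is_safe_path(path):  # test fixtures and env templates are skipped whole
    return path.startswith("tests/") or path.endswith((".test.ts", ".spec.ts", ".env.example", ".env.template"))

def is_safe_line(line):
    return any(m in line for m in SAFE_LINE_MARKERS) or bool(PLACEHOLDER_RE.search(line))

def project_rules(path, line):
    # Project-Specific Rules: project ID allowed in infra/, README.md and Pulumi stack
    # config; the company domain allowed in documentation (*.md and docs/, assumed).
    out = []
    if "koborin-ai" in line and not (path.startswith("infra/") or path == "README.md"
                                     or PULUMI_CONFIG_RE.search(path)):
        out.append(("WARNING", "Hardcoded project ID", "koborin-ai"))
    m = EMAIL_RE.search(line)
    if m and not (path.endswith(".md") or path.startswith("docs/")):
        out.append(("INFO", "Company domain reference in application code", m.group(0)))
    return out

def scan_text(path, text):  # steps 1, 3 and 4 for one file: match, drop safe lines, categorize
    findings = []
    if is_safe_path(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_safe_line(line):
            continue
        for severity, title, pattern in HIGH_RISK:
            m = pattern.search(line)
            if m:
                findings.append(Finding(severity, title, path, lineno, m.group(0)))
                break
        for severity, title, match in project_rules(path, line):
            findings.append(Finding(severity, title, path, lineno, match))
    return findings

def summarize(findings):
    return {s: sum(f.severity == s for f in findings) for s in ("CRITICAL", "WARNING", "INFO")}

def format_finding(f):  # step 5 display format
    return f"{f.severity}: {f.title}\nFile: {f.path}\nLine: {f.line}\nMatch: {f.match}"

def tracked_files():  # step 2: git ls-files minus binaries and build output
    out = subprocess.run(["git", "ls-files", "-z"], check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p and not p.startswith(SKIP_DIRS) and not p.lower().endswith(BINARY_EXT)]

def scan_repo():  # steps 2 to 4 over the tracked files of the current repository
    return [f for p in tracked_files()
            for f in scan_text(p, Path(p).read_text(encoding="utf-8", errors="replace"))]

# Constructed sample repository: paths, contents and the AKIA string are made up.
SAMPLE_FILES = {
    "infra/shared/main.tf": 'resource "tls_private_key" "k" {}\nprivate_key = <<EOT\n-----BEGIN PRIVATE KEY-----\nEOT\n',
    "app/src/lib/api-client.ts": 'const PROJECT = "koborin-ai";\nconst KEY = process.env.API_KEY;\nconst AUTH = `Bearer ${token}`;\n',
    "app/src/config.ts": 'const aws = "AKIAQ2XWFAKE0TEST001";\n',
    "app/src/support.ts": 'export const SUPPORT = "help@koborin.ai";\n',
    ".env.example": "API_KEY=YOUR_API_KEY\n",
    "README.md": "Project: koborin-ai. Contact ops@koborin.ai\n",
}

def scan_samples():
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    found = scan_repo()
    for f in found:
        print(format_finding(f), end="\n\n")
    counts = summarize(found)
    print("Summary:\n" + "\n".join(f"  {k}: {v} finding(s)" for k, v in counts.items()))
    raise SystemExit(1 if counts["CRITICAL"] else 0)  # non-zero exit blocks the commit in a hook
```

Saved as, say, check_secrets.py and called from .git/hooks/pre-commit, it prints findings in the Display Results format and exits non-zero only on a Critical finding, so Warning and Info hits still reach the committer for the manual review the Notes ask for. scan_samples() returns the findings for the constructed files: two Critical (the private key in main.tf and the AKIA string in config.ts), one Warning (the hardcoded project ID in api-client.ts) and one Info (the company domain in support.ts); the process.env line, the ${...} template and the .env.example file produce nothing, as the safe patterns intend.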

Notes

  • This is static analysis only; it cannot detect secrets that are fetched, decrypted or assembled at runtime

  • Always review findings manually

  • Run before every commit

  • Never commit real secrets even if undetected

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
