← Back to Skills Marketplace
482
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install doro-git-secrets-scanner
Description
Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token)
README (SKILL.md)
Git 安全扫描器
检查提交中的敏感信息泄露。
工具对比
| 工具 | Stars | 特点 |
|---|---|---|
| Gitleaks | 24,958 | 最流行,Go 编写,快速 |
| TruffleHog | 24,612 | 验证 secrets,支持多种格式 |
| git-secrets | 13,173 | AWS 官方,pre-commit hook |
安装
Gitleaks(推荐)
# macOS
brew install gitleaks
# Linux
# 从 https://github.com/gitleaks/gitleaks/releases 下载
# 或使用 Go
go install github.com/gitleaks/gitleaks/v8@latest
TruffleHog
# macOS
brew install trufflehog
# Linux
# 从 https://github.com/trufflesecurity/trufflehog/releases 下载
# 或使用 Docker
docker pull trufflesecurity/trufflehog:latest
git-secrets
# macOS
brew install git-secrets
# Linux
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
使用方法
1. 扫描当前仓库
# Gitleaks
gitleaks detect --source . -v
# TruffleHog
trufflehog git file://. --only-verified
# git-secrets(需要先设置 hook)
git secrets --scan-history
2. 扫描特定提交
# Gitleaks
gitleaks detect --source . --log-opts="HEAD~1..HEAD"
# TruffleHog
trufflehog git file://. --commit=HEAD
3. 扫描所有历史
# Gitleaks
gitleaks detect --source . --log-opts="--all"
# TruffleHog
trufflehog git file://. --no-deletion
4. 设置 pre-commit hook
# git-secrets
cd your-repo
git secrets --install
git secrets --register-aws
5. CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
检测的内容
API Keys
- AWS Access Keys
- GitHub Tokens
- Slack Tokens
- Stripe Keys
- Moltbook API Keys ✨
密码
- 数据库密码
- SMTP 密码
- SSH 密钥
Token
- OAuth Tokens
- JWT Tokens
- Bearer Tokens
其他
- 私钥
- 证书
- .env 文件
输出示例
Finding: moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt
Secret: moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt
RuleID: generic-api-key
Entropy: 4.562345
File: memory/moltbook-art-of-focus-post.md
Line: 45
Commit: abc1234
Author: [email protected]
Date: 2026-02-19T03:11:00Z
Fingerprint: abc123...
最佳实践
1. 提交前扫描
# 添加到 .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged
2. 定期扫描
# 每周扫描
crontab -e
0 0 * * 0 cd /path/to/repo && gitleaks detect --source .
3. 扫描多个仓库
#!/bin/bash
for repo in ~/projects/*; do
echo "Scanning $repo..."
gitleaks detect --source "$repo" -v
done
修复泄露的 Secret
如果发现泄露:
- 立即撤销 - 重新生成 API key
- 删除历史 - 从 git 历史中删除敏感信息
- 强制推送 -
git push --force(谨慎使用) - 通知团队 - 告知其他开发者
使用 BFG 清理历史
# 安装 BFG
brew install bfg
# 清理敏感文件
bfg --delete-files .env
# 清理敏感字符串
bfg --replace-text passwords.txt
# 强制推送
git push --force
配置文件
.gitleaks.toml
title = "Custom Gitleaks Config"
[extend]
useDefault = true
[[rules]]
id = "moltbook-api-key"
description = "Moltbook API Key"
regex = '''moltbook_sk_[a-zA-Z0-9]{32}'''
tags = ["api-key", "moltbook"]
[allowlist]
paths = [
'''example\.txt''',
'''test/.*'''
]
注意事项
- False Positives - 扫描器可能误报
- 熵值 - 高熵值可能是敏感信息
- 上下文 - 检查是否真的敏感
- 验证 - TruffleHog 可以验证 secret 是否有效
版本: 1.0.0 工具: Gitleaks, TruffleHog, git-secrets
Usage Guidance
This skill is a how-to for using common git secret-scanning tools and appears coherent. Before using it: (1) install tools from official project releases or trusted package managers; (2) avoid automatic 'verification' steps that contact external services if you don't want discovered secrets transmitted externally; (3) back up repositories before rewriting history and be cautious with git push --force; (4) pre-commit hooks alter local repo state—review them before installing; (5) rotate any real secrets found rather than relying solely on history-cleaning. Minor metadata inconsistencies (different ownerId in _meta.json and an odd package author string) are worth a quick sanity check with the publisher but do not materially change the security posture of this instruction-only skill.
Capability Analysis
Type: OpenClaw Skill
Name: doro-git-secrets-scanner
Version: 1.0.0
The OpenClaw skill 'doro-git-secrets-scanner' is a benign security tool. Its `SKILL.md` provides comprehensive instructions and examples for using legitimate open-source tools like Gitleaks, TruffleHog, and BFG to detect and remediate secrets in Git repositories. All commands and examples are directly related to the stated purpose, and there is no evidence of malicious intent, data exfiltration, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent. The `package.json` and `_meta.json` files contain standard, non-malicious metadata.
Capability Assessment
Purpose & Capability
Name, description, and required binaries (git) align with a git-focused secrets scanner. The SKILL.md consistently recommends well-known tools (gitleaks, TruffleHog, git-secrets) and shows relevant commands and config; nothing requested (no env vars or odd binaries) is unrelated to scanning git histories.
Instruction Scope
Instructions stay within the expected scope (scanning repos, pre-commit hooks, CI integration). Caution: the guide recommends actions that can be sensitive or destructive (rewriting history, git push --force, installing hooks). It also mentions TruffleHog's 'verification'—some verification steps can contact external services or provider APIs and might transmit discovered secrets during validation. Users should be aware and avoid automatic remote verification when scanning sensitive repos.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. It instructs the user to install tools via brew, go install, distro releases, or Docker — all standard, traceable installation methods. No arbitrary download-from-unknown-URL automated install is included by the skill itself.
Credentials
The skill requests no environment variables or credentials. The CI example references GITHUB_TOKEN in a typical and expected way for a GitHub Action. Nothing in requires.env or the instructions asks for unrelated secrets or system-wide credentials.
Persistence & Privilege
always:false and no autonomous install behavior are appropriate. The guide suggests installing pre-commit hooks and running repository-local commands (git secrets --install), which modify repo hooks/config but are scoped to the repo. Also advises rewriting history and force-pushing — these are privileged repository operations and should be used cautiously.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install doro-git-secrets-scanner - After installation, invoke the skill by name or use
/doro-git-secrets-scanner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of doro-git-secrets-scanner.
- Provides guidance and commands for installing and using Gitleaks, TruffleHog, and git-secrets to scan Git repositories for leaked secrets.
- Includes usage examples for scanning current repo, specific commits, full history, and integrating with pre-commit hooks and CI/CD workflows.
- Details common types of secrets detected (API keys, passwords, tokens, etc.) and output examples.
- Offers best practices and instructions for remediating exposed secrets, including use of BFG for history cleaning.
- Provides sample configuration for customizing Gitleaks rules and allowlists.
Metadata
Frequently Asked Questions
What is Doro Git Secrets Scanner?
Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token). It is an AI Agent Skill for Claude Code / OpenClaw, with 482 downloads so far.
How do I install Doro Git Secrets Scanner?
Run "/install doro-git-secrets-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Doro Git Secrets Scanner free?
Yes, Doro Git Secrets Scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Doro Git Secrets Scanner support?
Doro Git Secrets Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Doro Git Secrets Scanner?
It is built and maintained by Mus Titou (@a2mus); the current version is v1.0.0.
More Skills