← Back to Skills Marketplace
anmolnagpal

Secrets Scanner

by Anmol Nagpal · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
463
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install secrets-scanner
Description
Detect hardcoded secrets, exposed API keys, and credential misconfigurations in IaC and config files
Usage Guidance
This skill appears to implement the stated goal (finding secrets) but has ambiguous instructions that could lead to accidental leakage of real secrets. Before installing or using it: - Never paste real secret values. Only paste redacted files (replace secrets with <REDACTED>) or provide filenames/paths for local scanning. - Ask the skill author to clarify and fix the contradictory guidance: if the tool needs only environment variable names, the SKILL.md should show safe AWS CLI queries that return only keys (not values), or explicit jq/JMESPath examples to strip values before copy/paste. For example, prefer commands that output only keys or run local commands like: aws lambda get-function-configuration --function-name NAME --query 'keys(Environment.Variables)'. (Verify the JMESPath expression locally.) - Confirm why ssm:DescribeParameters is included in the minimal IAM permissions and whether any additional permissions are required. - Prefer running any automated scanning locally (open-source tools like git-secrets, truffleHog, or local regex/high-entropy checks) rather than pasting data into a remote assistant session. - If you must share data with the skill, redact secret values first and confirm the skill's explicit rule to never output actual secret values. If the author can remove the contradictory CLI examples or explicitly show/how to redact values and justify the ssm permission, the skill becomes much less risky and more coherent.
Capability Analysis
Type: OpenClaw Skill Name: secrets-scanner Version: 1.0.0 The skill declares `bash` as a tool in `SKILL.md`, granting the agent shell execution capability. While the skill explicitly states it is 'instruction-only' and 'does not execute any AWS CLI commands,' the presence of `bash` introduces a significant vulnerability for potential Remote Code Execution (RCE) if the agent's internal guardrails are bypassed by a malicious prompt injection from a user. There is no evidence of malicious intent within the skill's own instructions, but the declared high-risk capability without a clearly defined, sandboxed use case makes it suspicious.
Capability Assessment
Purpose & Capability
The name and description (detect hardcoded secrets in IaC/configs) align with the instructions which ask the user to provide files or CLI output. There are minor scope notes: the SKILL.md is AWS-focused (Lambda, ECS, Secrets Manager) so AWS-related permissions and recommendations are expected. However the included minimal IAM policy contains ssm:DescribeParameters which is not demonstrated in the example commands, and the metadata fields (price, pack: aws-security) are non-functional but consistent with a commercial scanner.
Instruction Scope
The instructions repeatedly say "do not ask for credentials" and to provide only exported or redacted data, which is good. But they also show sample aws CLI commands that will output environment variable names and values; elsewhere they ask for keys only. This contradiction is likely to lead users to paste sensitive values unintentionally. The guidance to "remove any actual secret values first" is necessary but relies on the user doing manual redaction. The skill explicitly says it won't run AWS CLI or access accounts directly (it is instruction-only), which is accurate and reduces autonomous risk, but the current instructions place the data-exposure burden entirely on the user.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — the lowest install risk. Nothing is downloaded or written by the skill itself.
Credentials
No environment variables, binaries, or credentials are requested by the skill (primary credential: none). That is proportionate for a scanner that asks the user to paste/redact data. The only oddity is the provided minimal IAM permissions block (includes ssm:DescribeParameters) that isn't directly used in the shown commands; it should be clarified why SSM parameter access is listed.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not ask to modify agent-wide configuration. It is user-invocable and allows model invocation (default), which is normal for skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install secrets-scanner
  3. After installation, invoke the skill by name or use /secrets-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
aws-secrets-scanner 1.0.0 - Initial Release - Detects hardcoded secrets, API keys, and credential misconfigurations in IaC and config files. - Instruction-only: analyzes exported data provided by the user; does not access AWS accounts or run AWS CLI commands directly. - Supports scanning Terraform, CloudFormation, CDK, and extracted environment variable names from Lambda/ECS. - Identifies various secret types including AWS keys, API tokens, SSH keys, connection strings, and hardcoded passwords. - Produces actionable findings, risk assessment, and migration/remediation guidance (including AWS Secrets Manager integration and Git history cleanup). - Protects sensitive data—never outputs raw credentials, only their locations and recommended next steps.
Metadata
Slug secrets-scanner
Version 1.0.0
License
All-time Installs 1
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Secrets Scanner?

Detect hardcoded secrets, exposed API keys, and credential misconfigurations in IaC and config files. It is an AI Agent Skill for Claude Code / OpenClaw, with 463 downloads so far.

How do I install Secrets Scanner?

Run "/install secrets-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Secrets Scanner free?

Yes, Secrets Scanner is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Secrets Scanner support?

Secrets Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Secrets Scanner?

It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments