aronchick

Expanso secrets-scan

by Expanso · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
894 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install expanso-secrets-scan
Description
Detect hardcoded secrets like API keys, tokens, and passwords in text or code using Expanso Edge pipelines.
README (SKILL.md)

secrets-scan

Detect hardcoded secrets (API keys, tokens, passwords) in text or code

Requirements

  • Expanso Edge installed (expanso-edge binary in PATH)
  • Install via: clawhub install expanso-edge

Usage

CLI Pipeline

# Run standalone
echo '<input>' | expanso-edge run pipeline-cli.yaml

MCP Pipeline

# Start as MCP server
expanso-edge run pipeline-mcp.yaml

Deploy to Expanso Cloud

expanso-cli job deploy https://skills.expanso.io/secrets-scan/pipeline-cli.yaml

Files

File               Purpose
skill.yaml         Skill metadata (inputs, outputs, credentials)
pipeline-cli.yaml  Standalone CLI pipeline
pipeline-mcp.yaml  MCP server pipeline
Usage Guidance
This skill is a legitimate-looking secrets scanner, but by design it sends the text you give it to OpenAI's API when an OPENAI_API_KEY is supplied. That means any secrets in the input may leave your machine and may appear in the tool's output (the pipeline asks for "full_match" values). Before using it:

  1. Decide whether you are comfortable sending repository contents or other sensitive data to an external LLM.
  2. If you need local-only scanning, verify or implement the regex/local backend and remove or disable the openai_chat_completion processor.
  3. Confirm the OPENAI_API_KEY behavior: if you don't set a key, test how the pipeline behaves (it may error).
  4. If you must use the LLM, change the output schema so it returns only partial redactions rather than full secrets, and avoid logging or storing full matches.
  5. If deploying MCP mode, restrict access to the /scan endpoint (authentication, network controls) to prevent remote abuse.

If you want, I can produce a minimal, local-only variant of the pipeline that never sends data to remote services and returns only redacted matches.
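As an added example (not code from the skill or from Expanso), the local-only, redaction-only scanner that items 2 and 4 above call for. It is written in Python rather than as an Expanso Edge pipeline because the pipeline format is not shown on this page. The regex rules, the `redacted` field that stands in for `full_match`, and the sample input are constructed for illustration and are assumptions, not the skill's own detection logic or schema.

```python
"""Local-only secrets scan that returns redacted matches.

Added example, not the skill's own pipeline: nothing here leaves the
machine, and the report never contains a full secret. The regex rules and
the sample input below are constructed for illustration.
"""
from __future__ import annotations

import json
import re
import sys
from dataclasses import asdict, dataclass

# Constructed rules for a few common secret shapes (assumptions for this
# example, not a vetted rule set). A rule with two capture groups treats the
# second group as the secret value; otherwise the whole match is the value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "generic_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"']{8,})"
    ),
}


@dataclass
class Finding:
    secret_type: str
    line: int
    redacted: str  # stands in for the pipeline's "full_match"; never the full value


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be located, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan(text: str) -> list[Finding]:
    """Scan text line by line; only redacted values are retained."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret_type, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if pattern.groups >= 2 else m.group(0)
                findings.append(Finding(secret_type, lineno, redact(value)))
    return findings


def scan_report(text: str) -> dict:
    """Structured output in the spirit of the skill's schema, without full_match."""
    findings = [asdict(f) for f in scan(text)]
    return {"count": len(findings), "findings": findings}


def report_json(text: str) -> str:
    return json.dumps(scan_report(text), indent=2)


# Constructed sample input; these values are not real credentials.
SAMPLE = """\
# constructed sample, not a real repository
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
db_password = "correct-horse-battery"
token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
export OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz
"""

if __name__ == "__main__":
    # Same shape as the CLI pipeline: echo '<input>' | python local_scan.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report_json(data))
```

The report carries a line number and a masked prefix, which is enough to locate and rotate a credential without the scanner's own output becoming a second place the secret is stored. If you keep the LLM backend, the same `redacted`-only schema is the shape to ask the model for instead of `full_match`, though that still does not stop the input itself from leaving the host.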
Capability Analysis
Type: OpenClaw Skill
Name: expanso-secrets-scan
Version: 1.0.0

The skill is designed to detect hardcoded secrets using an OpenAI LLM, as described in `SKILL.md` and `README.md`. It uses environment variables for configuration (`OPENAI_API_KEY`, `SECRET_TYPES`) and accepts input via the CLI or an HTTP server, sending it to the OpenAI API for analysis. All code and documentation align with the stated purpose. There is no evidence of intentional harmful behavior, of data exfiltration beyond the OpenAI API call that performs its core function, of malicious execution or persistence mechanisms, or of prompt injection attempts against the OpenClaw agent itself.
Capability Assessment
Purpose & Capability
The skill name and files describe a secrets scanner and the pipeline processors perform exactly that (pattern/LLM-based scanning). Requiring or using an OpenAI API key for LLM-enhanced detection is reasonable for this purpose. However, documentation and metadata are inconsistent: README claims OPENAI_API_KEY is required, while skill.yaml marks it optional even though both CLI and MCP pipelines unconditionally call an openai_chat_completion processor. This mismatch is noteworthy because it affects whether the pipeline will actually send your input off-machine.
Instruction Scope
Pipelines send the entire provided text/code to the remote OpenAI model (openai_chat_completion) as the content to scan. The requested output schema explicitly asks for a "full_match" field (the full matched string) which means the pipeline expects the LLM to return full secret strings. That behavior would cause any found secrets to be included in the pipeline output and — since the LLM receives the full input — to be transmitted to OpenAI. The MCP pipeline exposes an HTTP /scan endpoint that can accept arbitrary text and forward it to the LLM. These instructions stay within the stated purpose (scanning) but entail sending sensitive data off-host and returning full secret values, which is a high-privacy-risk design choice.
Install Mechanism
This is an instruction-only skill with no install spec or code to download. It requires Expanso Edge (local binary) to run pipelines; no third-party downloads or install scripts are included, so installation risk is low.
Credentials
The only credential referenced is OPENAI_API_KEY (skill.yaml marks it optional). Yet both pipeline files use openai_chat_completion and reference ${OPENAI_API_KEY} directly, and the README states OPENAI_API_KEY is required. That inconsistency could lead to runtime failures when no key is set, or to input being sent off-host without the user expecting it when a key happens to be present in the environment. Requiring an OpenAI key is proportionate to LLM-based scanning, but the skill must be explicit that supplying it causes your scanned data to be sent to OpenAI. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or any persistent/privileged presence. It does not modify other skills or system-level configuration. MCP mode runs an HTTP server only when you start it, which is expected for a service exposing a scan endpoint.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install expanso-secrets-scan
  3. After installation, invoke the skill by name or use /expanso-secrets-scan
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish to ClawHub
Metadata
Slug expanso-secrets-scan
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Expanso secrets-scan?

Detect hardcoded secrets like API keys, tokens, and passwords in text or code using Expanso Edge pipelines. It is an AI Agent Skill for Claude Code / OpenClaw, with 894 downloads so far.

How do I install Expanso secrets-scan?

Run "/install expanso-secrets-scan" in the OpenClaw or Claude Code chat to install the skill. Its pipelines additionally require the Expanso Edge binary (clawhub install expanso-edge) and, for LLM-based scanning, an OPENAI_API_KEY in the environment.

Is Expanso secrets-scan free?

Yes, Expanso secrets-scan is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Expanso secrets-scan support?

Expanso secrets-scan is cross-platform and runs anywhere OpenClaw / Claude Code and the Expanso Edge binary are available.

Who created Expanso secrets-scan?

It is built and maintained by Expanso (@aronchick); the current version is v1.0.0.
