
secrets-audit

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
Platform: cross-platform ✓ · Security: Clean
Downloads: 109 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw: /install secrets-audit
Description
Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config fil...
Usage Guidance
This skill appears coherent and implements a local secrets scanner as advertised. Before running it:
  1. Review the script (especially the git-history code) to ensure it matches your policies.
  2. Run it against a copy of the repository or in an isolated environment (container/VM) if the project contains very sensitive data.
  3. Be aware that the script invokes git via subprocess.run for history checks; that is expected, but review and limit where you run it.
  4. There is a minor code bug near the end of scan_git_history (an apparent undefined variable reference); consider fixing or reviewing the full script before CI/automation use.
  5. The scanner uses entropy heuristics and regex rules that can produce false positives and false negatives; review findings manually and rotate any real/high-severity credentials immediately.
  6. Do not assume the tool uploads results anywhere (it does not in the provided files), but verify you trust any environment where you run it.
Capability Analysis
Type: OpenClaw Skill
Name: secrets-audit
Version: 1.0.0
The secrets-audit skill is a legitimate security tool designed to identify hardcoded credentials, API keys, and sensitive data within a codebase. The primary logic in scripts/scan_secrets.py uses standard regex patterns and Shannon entropy calculations to detect leaks, and it includes a feature to audit git history using subprocess calls to 'git log'. No evidence of data exfiltration, malicious intent, or prompt injection was found; the tool operates locally and provides actionable remediation advice in its documentation.
Capability Tags
crypto · requires-wallet · can-make-purchases · requires-oauth-token
Capability Assessment
Purpose & Capability
The name/description, SKILL.md, and scripts/scan_secrets.py are consistent: the script implements pattern matching, entropy checks, directory skipping, CI exit codes, and optional git-history scanning. The skill does not request unrelated credentials, binaries, or configuration paths.
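The regex-plus-Shannon-entropy detection described in the Capability Analysis and the CI exit code mentioned above, as an added Python example. This is not the skill's own scan_secrets.py: the rule set, placeholder filter, entropy threshold, masking and sample lines are all constructed here for illustration.

```python
import math
import re
from collections import Counter

# Constructed rule set (name, regex, capture group holding the value, base severity); not the skill's list.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0, "high"),
    ("credential-assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
     2, "medium"),
]
# Templates and environment references are not leaks, whatever their entropy.
PLACEHOLDER = re.compile(r"(?i)^(<.*>|\$\{.*\}|your[-_].*|changeme|example.*)$")

def shannon_entropy(s):
    """Bits per character: 24 distinct characters score log2(24), about 4.58."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_lines(lines, entropy_threshold=4.0):
    """Return one finding per matched line; values are masked so reports can be shared."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, rx, group, severity in RULES:
            m = rx.search(line)
            if not m or PLACEHOLDER.match(m.group(group)):
                continue
            value = m.group(group)
            entropy = shannon_entropy(value)
            # A low-entropy literal like "password123" is a weak credential, not noise: demote, don't drop.
            if group != 0 and entropy < entropy_threshold:
                severity = "low"
            findings.append({"line": lineno, "rule": name, "severity": severity,
                             "entropy": round(entropy, 2), "masked": value[:4] + "..."})
    return findings

def ci_exit_code(findings, fail_on=("high", "medium")):
    """Non-zero when any finding reaches a severity the pipeline should block on."""
    return 1 if any(f["severity"] in fail_on for f in findings) else 0

# Constructed sample input; the AWS value is Amazon's documented example key, not a live one.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'api_key = "q7Xv9pL2mN4kR8sT1wZ5yB3c"',
    'password = "<your-password-here>"',
    'db_password = "${DB_PASSWORD}"',
    'password = "password123"',
    'token = os.environ["API_TOKEN"]',
]
```

Running `scan_lines(SAMPLE_LINES)` yields three findings (lines 1, 2 and 5 at high, medium and low severity); the two placeholders and the environment lookup are not reported.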
Instruction Scope
Runtime instructions only direct the agent to run the included Python scanner against a target directory (with an optional --git-history flag). The SKILL.md and script operate entirely on local files and git history; there are no instructions to transmit data to external endpoints. The git-history checks use git subprocess calls, which is expected for this purpose.
Install Mechanism
No install spec; the skill is instruction-plus-script only and relies on Python stdlib. Nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials. It scans repositories provided by the user; no additional secrets are requested or required.
Persistence & Privilege
The manifest sets always:false, and there is no special persistence or system-wide modification. The skill does not claim to modify other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install secrets-audit
  3. After installation, invoke the skill by name or use /secrets-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug secrets-audit
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is secrets-audit?

Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config fil... It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.

How do I install secrets-audit?

Run "/install secrets-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is secrets-audit free?

Yes, secrets-audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does secrets-audit support?

secrets-audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created secrets-audit?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
