nirwandogra

Credential Scanner

Author: nirwan dogra · GitHub ↗ · v0.1.0
cross-platform ✓ Passed security check
696 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw: /install credential-scanner

Description
Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p...

Usage notes (SKILL.md)

# Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.

## When to Use This Skill

Use this skill when the user:

- Asks to "check for leaked secrets" or "scan for API keys"
- Wants to audit a repo or folder before committing or publishing
- Says "are there any hardcoded passwords in this code?"
- Asks to "find credentials" or "check for exposed tokens"
- Wants pre-commit or pre-publish security checks
- Mentions concern about accidentally checking in secrets

## Capabilities

- Detect 40+ secret patterns including:
  - AWS Access Keys, Secret Keys, Session Tokens
  - Azure Storage Keys, Connection Strings, SAS Tokens
  - GCP Service Account Keys, API Keys
  - GitHub / GitLab / Bitbucket Personal Access Tokens
  - OpenAI, Anthropic, Hugging Face API Keys
  - Slack Bot Tokens, Webhooks
  - Stripe, Twilio, SendGrid Keys
  - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
  - SSH Private Keys, PEM/PFX Certificates
  - JWT Tokens, Bearer Tokens
  - Generic passwords in config files (password=, secret=, token=)
- Scan individual files, directories, or entire repos recursively
- Ignore binary files, node_modules, .git, and other non-relevant paths
- Output results as a Markdown report or JSON
- Provide severity ratings (Critical, High, Medium, Low)
- Suggest remediation for each finding

## How to Scan

### Scan a directory
```bash
python secret_scanner.py /path/to/project
```

### Scan with JSON output
```bash
python secret_scanner.py /path/to/project --json
```

### Scan and save report
```bash
python secret_scanner.py /path/to/project --output report.md
```

### Within an Agent
```
"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"
```

## Secret Patterns Detected

### Cloud Provider Keys
| Provider | Secrets Detected |
|----------|-----------------|
| **AWS** | Access Key ID (`AKIA...`), Secret Access Key, Session Token |
| **Azure** | Storage Account Key, Connection String, SAS Token, Client Secret |
| **GCP** | API Key (`AIza...`), Service Account JSON, OAuth Client Secret |

### AI / LLM Keys
| Service | Pattern |
|---------|---------|
| **OpenAI** | `sk-` prefixed API keys |
| **Anthropic** | `sk-ant-` prefixed keys |
| **Hugging Face** | `hf_` prefixed tokens |
| **Cohere** | API keys in config |

Note that an Anthropic key also begins with `sk-`, so the `sk-ant-` rule has to be checked before (or excluded from) the OpenAI rule; otherwise the same key is reported twice under two names.

### Developer Platforms
| Platform | Secrets Detected |
|----------|-----------------|
| **GitHub** | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` tokens |
| **GitLab** | `glpat-` tokens |
| **Slack** | `xoxb-`, `xoxp-`, `xoxs-` tokens, webhook URLs |
| **Stripe** | `sk_live_`, `sk_test_`, `rk_live_` keys |
| **Twilio** | Account SID, Auth Token |
| **SendGrid** | `SG.` prefixed API keys |

### Databases & Infrastructure
| Type | Pattern |
|------|---------|
| **MongoDB** | `mongodb://` or `mongodb+srv://` with credentials |
| **PostgreSQL** | `postgresql://` with embedded password |
| **MySQL** | `mysql://` with embedded password |
| **Redis** | `redis://` with password |
| **SSH** | `-----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY-----` |
| **Certificates** | PEM, PFX, P12 with embedded keys |

### Generic Patterns
| Pattern | Description |
|---------|-------------|
| **password=** | Hardcoded passwords in config/env files |
| **secret=** | Hardcoded secrets |
| **token=** | Hardcoded tokens |
| **Bearer** | Bearer tokens in code |
| **Basic Auth** | Base64-encoded basic auth headers |
| **JWT** | `eyJ` prefixed JWT tokens |
| **High Entropy** | Long random strings that look like secrets |

## Severity Levels

| Severity | Description | Examples |
|----------|-------------|----------|
| 🔴 **Critical** | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| 🟠 **High** | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| 🟡 **Medium** | Keys that may be test/dev | Test API keys, example tokens |
| 🟢 **Low** | Potential false positives | Generic password= in comments, placeholder values |
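The tables above list the prefixes and the severity scale but not how a scanner joins them up. The following is an added example written for this page, not the skill's own `secret_scanner.py`: it implements a handful of the listed prefixes as regexes, lets a specific rule win over the generic `password=`/`token=` rule on the same line (so `GITHUB_TOKEN="ghp_..."` is reported once, not twice), classifies generic hits with the placeholder and Shannon-entropy heuristics the tables hint at, and redacts every preview to four characters so the report itself does not become a second leak. The rule names, character classes, lengths, thresholds and the `SAMPLE` input are this example's assumptions; the sample contains no real credentials.

```python
from __future__ import annotations

import json
import math
import re
from dataclasses import asdict, dataclass

# Specific rules: (name, regex, severity), following the page's severity table:
# Critical for cloud secrets / private keys / DB passwords, High for platform
# tokens, Medium for keys whose format marks them as test/dev. The prefixes are
# the public token formats listed on the page; lengths and character classes
# are this example's assumptions.
SPECIFIC = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("Private key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), "Critical"),
    ("Database URL with password",
     re.compile(r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis)://[^\s:/@]+:[^\s@]+@"), "Critical"),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"), "High"),
    ("Slack token", re.compile(r"\bxox[bps]-[A-Za-z0-9-]{10,}"), "High"),
    ("Stripe live key", re.compile(r"\b(?:sk|rk)_live_[A-Za-z0-9]{16,}"), "High"),
    ("Stripe test key", re.compile(r"\bsk_test_[A-Za-z0-9]{16,}"), "Medium"),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"), "Medium"),
]
# Generic key=value rule, consulted only when no specific rule fired on the line.
GENERIC = re.compile(r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*["']?([^\s"']{6,})""")
# Values that are documentation, not live credentials.
PLACEHOLDER = re.compile(r"(?i)^(?:<[^>]+>|\$\{[^}]+\}|x{3,}|changeme|example|your[_-].*|\*{3,})$")


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    preview: str  # redacted to four characters so the report is safe to share


def shannon_entropy(value: str) -> float:
    """Bits per character: English words sit near 3, random base64 near 5-6."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def redact(token: str) -> str:
    return token[:4] + "*" * max(0, len(token) - 4)


def classify_generic(value: str, in_comment: bool) -> str:
    """Map a generic key=value hit onto the page's severity scale."""
    if in_comment or PLACEHOLDER.match(value) or shannon_entropy(value) < 3.0:
        return "Low"      # comments, placeholders, dictionary words
    if len(value) >= 20 and shannon_entropy(value) >= 4.0:
        return "High"     # long and high-entropy: looks like a real token
    return "Medium"


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [Finding(line_no, rule, sev, redact(m.group(0)))
                for rule, rx, sev in SPECIFIC for m in rx.finditer(line)]
        if not hits:  # a specific rule wins; avoids double-reporting GITHUB_TOKEN=ghp_...
            m = GENERIC.search(line)
            if m:
                in_comment = line.lstrip().startswith(("#", "//"))
                hits.append(Finding(line_no, "Generic assignment",
                                    classify_generic(m.group(1), in_comment), redact(m.group(1))))
        findings.extend(hits)
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def to_json(findings: list[Finding]) -> str:
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# settings.py (constructed sample, not real credentials)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgresql://app:hunter2@db.internal:5432/app"
# password=changeme  (documentation comment)
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
SLACK_BOT_TOKEN = "xoxb-123456789012-abcdefghijkl"
STRIPE_KEY = "sk_test_abcdefghijklmnopqrstuvwx"
AUTH_HEADER = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"
api_key = "<your-api-key>"
secret = "k8Q2vZ9pL0xT7mR4wN1yB6cH3sJ5dF8g"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE)
    print(to_json(found))
    print(severity_counts(found))  # {'Critical': 3, 'High': 3, 'Medium': 2, 'Low': 2}
```

Run it directly and it prints the JSON findings for `SAMPLE` followed by the per-severity totals. The two Low findings are the commented-out `password=changeme` and the `<your-api-key>` placeholder, which is exactly the behaviour the severity table describes; the 32-character `secret =` value is promoted to High on entropy alone, which is how the "High Entropy" row in the generic table catches tokens no prefix rule knows about.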

## Files Scanned

Scans these file types by default:
- Source code: `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, `.cs`, `.rs`
- Config: `.json`, `.yaml`, `.yml`, `.toml`, `.ini`, `.cfg`, `.conf`
- Environment: `.env`, `.env.local`, `.env.production`
- Shell: `.sh`, `.bash`, `.zsh`, `.ps1`
- Docs: `.md`, `.txt`
- Other: `Dockerfile`, `docker-compose.yml`, `Makefile`

## Ignored Paths

Automatically skips:
- `node_modules/`, `vendor/`, `venv/`, `.venv/`
- `.git/`, `.svn/`
- `__pycache__/`, `.pytest_cache/`
- Binary files, images, compiled outputs
- `package-lock.json`, `yarn.lock`
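The two lists above define which files a recursive scan reads. As an added example (not the skill's code), here is a walker that applies those rules: an extension allowlist, basename matches for `Dockerfile`, `Makefile` and the `.env*` family (which have no usable extension, so `os.path.splitext` alone misses them), in-place pruning of the ignored directories so `os.walk` never enters `node_modules` or `.git`, lockfiles skipped by name, and a NUL-byte sniff for binaries. It builds a throwaway project tree in a temporary directory to show the selection; the tree and its contents are constructed dummies.

```python
import os
import shutil
import tempfile

SCAN_EXTENSIONS = {
    ".py", ".js", ".ts", ".java", ".go", ".rb", ".php", ".cs", ".rs",
    ".json", ".yaml", ".yml", ".toml", ".ini", ".cfg", ".conf",
    ".sh", ".bash", ".zsh", ".ps1", ".md", ".txt",
}
# Names with no usable extension: os.path.splitext(".env") == (".env", ""),
# so these are matched on the basename rather than the extension.
SCAN_NAMES = {"Dockerfile", "Makefile", "docker-compose.yml"}
SCAN_NAME_PREFIXES = (".env",)   # .env, .env.local, .env.production, ...
IGNORE_DIRS = {"node_modules", "vendor", "venv", ".venv", ".git", ".svn",
               "__pycache__", ".pytest_cache"}
IGNORE_FILES = {"package-lock.json", "yarn.lock"}


def is_binary(path: str, sniff: int = 8192) -> bool:
    """A NUL byte in the first 8 KiB is a cheap, dependency-free binary test."""
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(sniff)


def wants_file(name: str) -> bool:
    if name in IGNORE_FILES:
        return False
    if name in SCAN_NAMES or name.startswith(SCAN_NAME_PREFIXES):
        return True
    return os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS


def candidate_files(root: str) -> list:
    """Paths to scan, relative to root, '/'-separated, in walk order."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into ignored trees
        # (node_modules alone can hold tens of thousands of files).
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORE_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if wants_file(name) and not is_binary(full):
                selected.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return selected


def build_demo_tree() -> str:
    """Constructed project layout in a temp dir; contents are dummies, not secrets."""
    root = tempfile.mkdtemp(prefix="scanme-")
    files = {
        ".env": b"API_KEY=dummy\n",
        "Dockerfile": b"FROM python:3.12\n",
        "README.md": b"# demo\n",
        "package-lock.json": b"{}\n",                      # skipped by name
        "app/config.py": b"DB_PASSWORD = 'dummy'\n",
        "assets/blob.txt": b"\x89PNG\r\n\x1a\n\x00\x00binary",  # .txt but binary
        "assets/logo.png": b"\x89PNG\x00",                 # extension not scanned
        "node_modules/left-pad/index.js": b"module.exports = 'TOKEN=dummy'\n",
        ".git/config": b"[core]\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo_selection() -> list:
    """Build the demo tree, run the selection, clean up, return the chosen paths."""
    root = build_demo_tree()
    try:
        return candidate_files(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo_selection())  # ['.env', 'Dockerfile', 'README.md', 'app/config.py']
```

Note that the pruning happens by directory *name*, so a `vendor/` directory that is your own source rather than vendored code would also be skipped; if that matters, make the ignore list configurable per repository rather than hard-coded.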

## Remediation Guidance

When secrets are found, the skill recommends:
1. **Rotate the secret immediately** — assume it's compromised
2. **Remove from code** — use environment variables or a secrets manager instead
3. **Add to .gitignore** — prevent `.env` and credential files from being committed
4. **Use git-filter-repo** — to remove secrets from git history (this cleans the repository but does not revoke the secret; clones, forks and anything already pushed still carry the old commits, so step 1 is not optional)
5. **Enable pre-commit hooks** — to catch secrets before they're committed
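Steps 3 and 5 of the list above are easiest to enforce together in a git pre-commit hook. The following is an added example, not part of the skill: it reads the staged file list and the staged bytes from the index (`git diff --cached` and `git show :path`) rather than the working tree, because the index is what the commit will actually contain; it refuses credential-shaped file names outright, and judges `.pem` files by content so a public certificate still commits while a private key does not. The blocked-name list, the allowlist for `.env.example`, the single private-key check and `DEMO_INDEX` are this example's assumptions; a real hook would hand the staged bytes to the full scanner.

```python
#!/usr/bin/env python3
import fnmatch
import re
import subprocess
import sys

# File names that should never be committed; template files are allowed.
BLOCKED_NAMES = (".env", ".env.*", "*.pfx", "*.p12", "id_rsa", "id_ecdsa", "id_ed25519")
ALLOWED_NAMES = (".env.example", ".env.sample")
# .pem is judged by content: a PEM certificate may be committed, a PEM private key may not.
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA |ENCRYPTED )?PRIVATE KEY-----")


def staged_paths() -> list:
    """Paths added/copied/modified in the index; -z makes names with spaces safe."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


def staged_blob(path: str) -> bytes:
    """':path' names the index entry, i.e. exactly the bytes the commit will record."""
    return subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout


def violations(staged: dict) -> list:
    """staged maps path -> staged bytes. Returns (path, reason) pairs to block on."""
    problems = []
    for path, blob in staged.items():
        base = path.rsplit("/", 1)[-1]
        if base in ALLOWED_NAMES:
            continue
        if any(fnmatch.fnmatch(base, pat) for pat in BLOCKED_NAMES):
            problems.append((path, "credential file name; add it to .gitignore instead"))
        elif PRIVATE_KEY.search(blob):
            problems.append((path, "private key material in staged content"))
    return problems


def main() -> int:
    staged = {p: staged_blob(p) for p in staged_paths()}
    problems = violations(staged)
    for path, reason in problems:
        print(f"pre-commit: blocked {path}: {reason}", file=sys.stderr)
    return 1 if problems else 0


# Constructed index snapshot, as the hook would see it; not real files or keys.
DEMO_INDEX = {
    "config/.env": b"DB_PASSWORD=dummy\n",
    ".env.example": b"DB_PASSWORD=\n",
    "deploy/server.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "deploy/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "src/app.py": b"print('hello')\n",
}

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable), or point `git config core.hooksPath` at a directory that contains it. Keep in mind that `git commit --no-verify` skips client-side hooks, so this is a convenience for the developer, not a control; the same scan should also run server-side or in CI.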

## Requirements
- Python 3.7+
- No additional dependencies (uses Python standard library)

## Entry Point
- **CLI:** `secret_scanner.py`

## Tags
#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops
Safe-use recommendations
This skill appears to be a straightforward local secret scanner and is internally consistent. Before installing or running it: (1) review the script yourself if you will run it in sensitive environments (we checked imports and saw only standard-library modules); (2) run it locally (or in an isolated environment) on the target repo — the tool will read files recursively and can surface sensitive data; (3) treat any findings as potentially compromised (rotate keys immediately) and avoid uploading raw reports that contain secret previews to public services; (4) if you plan to let an autonomous agent run this skill, ensure the agent is not configured to post scan results to external endpoints you did not approve. If you want even higher assurance, paste the full secret_scanner.py source into a code reviewer or run it in a sandboxed container to confirm behavior in your environment.
Functional analysis
Type: OpenClaw Skill
Name: credential-scanner
Version: 0.1.0
The OpenClaw AgentSkills skill bundle 'credential-scanner' is a legitimate secret scanner. The `SKILL.md` provides clear, transparent instructions for the agent and does not contain any prompt injection attempts. The `secret_scanner.py` code is a well-structured Python script that uses standard libraries to scan files for predefined secret patterns. It does not exhibit any malicious behaviors such as data exfiltration, unauthorized command execution, persistence mechanisms, or obfuscation. Its file access is strictly for its stated purpose of scanning, and it has no external dependencies, mitigating supply chain risks.
Capability assessment
Purpose & Capability
Name and description (scan repos for leaked secrets) match the included CLI script, README, and SKILL.md. The patterns and file types described are consistent with a secret scanner; nothing is requesting unrelated cloud credentials or external services.
Instruction Scope
SKILL.md instructs the agent/user to run the bundled Python script against a path, output JSON/Markdown, and follow remediation steps. Instructions do not tell the agent to read unrelated system files, environment variables, or to transmit findings to external endpoints.
Install Mechanism
No install spec (instruction-only with a single Python script). The skill claims zero external dependencies and the Python file imports only standard-library modules (os, re, sys, json, argparse, etc.), which matches that claim.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The scanner legitimately doesn't need secrets to operate, so no secret-env access is requested or required.
Persistence & Privilege
`always` is false and the skill is user-invocable. It does not request persistent system-wide privileges or modify other skills' configs. Autonomous invocation is allowed by platform default, but no additional privileges are requested by the skill.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install credential-scanner
  3. Once installed, call the skill by name or trigger it with /credential-scanner
  4. Provide the inputs the skill's parameter description asks for to receive structured output
Version history
v0.1.0
Initial release
Metadata
Slug credential-scanner
Version 0.1.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is Credential Scanner?

Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p... It is an AI agent skill plugin for Claude Code / OpenClaw, with 696 downloads to date.

How do I install Credential Scanner?

Run the command "/install credential-scanner" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Credential Scanner free?

Yes, Credential Scanner is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Credential Scanner support?

Credential Scanner is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed Credential Scanner?

Developed and maintained by nirwan dogra (@nirwandogra); the current version is v0.1.0.
