secrets-audit
Author: charlie-morrison (GitHub) · v1.0.0 · MIT-0
109 total downloads · 0 favourites · 0 current installs · 1 version
Install in OpenClaw
/install secrets-audit
Description
Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config fil...
Safe-usage recommendations
This skill appears coherent and implements a local secrets scanner as advertised. Before running it:
- Review the script (especially the git-history code) to make sure it matches your policies.
- Run it against a copy of the repository, or in an isolated environment (container/VM), if the project contains very sensitive data.
- The script invokes git via subprocess.run for the history checks. That is expected for this purpose, but review or limit where you run it.
- There is a minor code bug near the end of scan_git_history (an apparent reference to an undefined variable); fix it or review the full script before using the tool in CI or automation.
- The scanner relies on entropy heuristics and regex rules, which can produce both false positives and false negatives. Review findings manually and rotate any real, high-severity credentials immediately.
- The tool does not upload results anywhere in the provided files, but verify that you trust any environment in which you run it.
Functional analysis
Type: OpenClaw Skill
Name: secrets-audit
Version: 1.0.0
The secrets-audit skill is a legitimate security tool designed to identify hardcoded credentials, API keys, and sensitive data within a codebase. The primary logic in scripts/scan_secrets.py uses standard regex patterns and Shannon entropy calculations to detect leaks, and it includes a feature to audit git history using subprocess calls to 'git log'. No evidence of data exfiltration, malicious intent, or prompt injection was found; the tool operates locally and provides actionable remediation advice in its documentation.
Capability assessment
Purpose & Capability
The name/description, SKILL.md, and scripts/scan_secrets.py are consistent: the script implements pattern matching, entropy checks, directory skipping, CI exit codes, and optional git-history scanning. The skill does not request unrelated credentials, binaries, or configuration paths.
Instruction Scope
Runtime instructions only direct the agent to run the included Python scanner against a target directory (with an optional --git-history flag). The SKILL.md and script operate entirely on local files and git history; there are no instructions to transmit data to external endpoints. The git-history checks use git subprocess calls, which is expected for this purpose.
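As an added example (not the skill's own scripts/scan_secrets.py), the Python below sketches the approach the analysis above describes: regex rules for known credential formats, a Shannon-entropy fallback for opaque strings, skipped directories, a CI exit code, and an optional git-history pass that parses `git log --all -p` output so that a secret deleted in a later commit is still reported. Rule names, thresholds, the `--git-history` handling, the `Finding` type and all sample inputs are assumptions constructed for this illustration.

```python
"""Reference scanner in the style of the listing: regex rules, Shannon entropy,
skipped directories, CI exit code, optional git-history pass.
Added example for this page; NOT the secrets-audit project's scan_secrets.py.
Rule names, thresholds, flags and all sample inputs are assumptions."""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Regex rules for well-known credential formats (assumed; extend per policy).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword assignment with a quoted literal of 8+ chars; no \b so DB_PASSWORD hits
    "generic_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']"""),
}
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__", "dist", "build"}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidate opaque strings
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 sits near 5-6


@dataclass
class Finding:
    source: str
    line_no: int
    rule: str
    severity: str  # "high" for a rule match, "medium" for an entropy-only hit
    snippet: str   # redacted on purpose: never write the full secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, source: str, line_no: int):
    """Regex rules first (high); otherwise any long high-entropy token (medium)."""
    for rule, rx in PATTERNS.items():
        if rx.search(line):
            return Finding(source, line_no, rule, "high", line.strip()[:12] + "...")
    for tok in TOKEN_RE.findall(line):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            return Finding(source, line_no, "high_entropy", "medium", tok[:6] + "...")
    return None


def scan_text(text: str, source: str):
    hits = (scan_line(l, source, i) for i, l in enumerate(text.splitlines(), 1))
    return [h for h in hits if h]


def scan_tree(root: str):
    """Walk a directory, skipping vendored/build dirs and the .git object store."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or SKIP_DIRS.intersection(path.parts):
            continue
        try:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
        except OSError:
            continue
    return findings


def scan_git_log(log_text: str):
    """Scan added AND removed diff lines: a secret deleted in a later commit is
    still recoverable from history, so '-' lines matter as much as '+' lines."""
    findings, commit = [], "unknown"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            hit = scan_line(line[1:], f"git:{commit}", 0)
            if hit:
                findings.append(hit)
    return findings


def scan_git_history(repo: str, max_commits: int = 500):
    """Runs git via subprocess, as the listing notes; run it on a copy if unsure."""
    proc = subprocess.run(
        ["git", "-C", repo, "log", "--all", "-p", "--no-color", "-n", str(max_commits)],
        capture_output=True, text=True, check=True)
    return scan_git_log(proc.stdout)


def ci_exit_code(findings, fail_on_medium: bool = False) -> int:
    sev = {f.severity for f in findings}
    return 1 if "high" in sev or (fail_on_medium and "medium" in sev) else 0


# Constructed sample inputs (not real credentials; AKIAIOSFODNN7EXAMPLE is the
# placeholder access key used in AWS documentation).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2hunter2"
SESSION_SALT = "q7Zm2Xv9Lk4Rb8Ws1Tn6Pd3Jf5Hg0Cy"
BUILD_ID = "aaaaaaaaaaaaaaaaaaaaaaaaa"
aws_key = "AKIAIOSFODNN7EXAMPLE"
"""
SAMPLE_GIT_LOG = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: Dev <dev@example.invalid>

    move key to environment

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
"""

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    if args:  # usage: scanner.py <dir> [--git-history]
        found = scan_tree(args[0])
        if "--git-history" in sys.argv:
            found += scan_git_history(args[0])
    else:     # no target given: run on the constructed samples
        found = scan_text(SAMPLE_SOURCE, "sample.py") + scan_git_log(SAMPLE_GIT_LOG)
    for f in found:
        print(f"{f.severity:6} {f.source}:{f.line_no} {f.rule} {f.snippet}")
    sys.exit(ci_exit_code(found))
```

On the constructed samples the scanner reports the DB_PASSWORD assignment and the AWS key as rule matches, the SESSION_SALT value as an entropy-only hit, and nothing for the repeated-character BUILD_ID (entropy 0), then finds the key again on the removed line in the git log. The redacted snippet and the separate medium severity for entropy hits are the two knobs a practitioner tunes for CI use: the first keeps secrets out of build logs, the second keeps the false-positive-prone heuristic from blocking merges until its threshold has been calibrated for the codebase.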
Install Mechanism
No install spec; the skill is instruction-plus-script only and relies on Python stdlib. Nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials. It scans repositories provided by the user; no additional secrets are requested or required.
Persistence & Privilege
always:false and no special persistence or system-wide modifications. The skill does not claim to modify other skills or global agent settings.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install secrets-audit
- After installation, call the skill by name or trigger it with /secrets-audit
- Provide the required input according to the skill's parameter description to get structured output.
Version history
v1.0.0
Initial release
FAQ
What is secrets-audit?
Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config fil... It is an AI agent skill plugin for Claude Code / OpenClaw, downloaded 109 times to date.
How do I install secrets-audit?
Run the command "/install secrets-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is secrets-audit free?
Yes, secrets-audit is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does secrets-audit support?
secrets-audit is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed secrets-audit?
Developed and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.