← Back to Skills Marketplace
nirwandogra

Credential Scanner

by nirwan dogra · GitHub ↗ · v0.1.0
cross-platform ✓ Security Clean
696
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install credential-scanner
Description
Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p...
README (SKILL.md)

\r \r

Secret Scanner\r

\r Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.\r \r

When to Use This Skill\r

\r Use this skill when the user:\r \r

  • Asks to "check for leaked secrets" or "scan for API keys"\r
  • Wants to audit a repo or folder before committing or publishing\r
  • Says "are there any hardcoded passwords in this code?"\r
  • Asks to "find credentials" or "check for exposed tokens"\r
  • Wants pre-commit or pre-publish security checks\r
  • Mentions concern about accidentally checking in secrets\r \r

Capabilities\r

\r

  • Detect 40+ secret patterns including:\r
    • AWS Access Keys, Secret Keys, Session Tokens\r
    • Azure Storage Keys, Connection Strings, SAS Tokens\r
    • GCP Service Account Keys, API Keys\r
    • GitHub / GitLab / Bitbucket Personal Access Tokens\r
    • OpenAI, Anthropic, Hugging Face API Keys\r
    • Slack Bot Tokens, Webhooks\r
    • Stripe, Twilio, SendGrid Keys\r
    • Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)\r
    • SSH Private Keys, PEM/PFX Certificates\r
    • JWT Tokens, Bearer Tokens\r
    • Generic passwords in config files (password=, secret=, token=)\r
  • Scan individual files, directories, or entire repos recursively\r
  • Ignore binary files, node_modules, .git, and other non-relevant paths\r
  • Output results as Markdown report or JSON\r
  • Provide severity ratings (Critical, High, Medium, Low)\r
  • Suggest remediation for each finding\r \r

How to Scan\r

\r

Scan a directory\r

python secret_scanner.py /path/to/project\r
```\r
\r
### Scan with JSON output\r
```bash\r
python secret_scanner.py /path/to/project --json\r
```\r
\r
### Scan and save report\r
```bash\r
python secret_scanner.py /path/to/project --output report.md\r
```\r
\r
### Within an Agent\r
```\r
"Scan this project for leaked secrets"\r
"Check if there are any API keys in the codebase"\r
"Run secret-scanner on the current directory"\r
"Find hardcoded passwords in my config files"\r
"Audit this repo before I push to GitHub"\r
```\r
\r
## Secret Patterns Detected\r
\r
### Cloud Provider Keys\r
| Provider | Secrets Detected |\r
|----------|-----------------|\r
| **AWS** | Access Key ID (`AKIA...`), Secret Access Key, Session Token |\r
| **Azure** | Storage Account Key, Connection String, SAS Token, Client Secret |\r
| **GCP** | API Key (`AIza...`), Service Account JSON, OAuth Client Secret |\r
\r
### AI / LLM Keys\r
| Service | Pattern |\r
|---------|---------|\r
| **OpenAI** | `sk-` prefixed API keys |\r
| **Anthropic** | `sk-ant-` prefixed keys |\r
| **Hugging Face** | `hf_` prefixed tokens |\r
| **Cohere** | API keys in config |\r
\r
### Developer Platforms\r
| Platform | Secrets Detected |\r
|----------|-----------------|\r
| **GitHub** | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` tokens |\r
| **GitLab** | `glpat-` tokens |\r
| **Slack** | `xoxb-`, `xoxp-`, `xoxs-` tokens, webhook URLs |\r
| **Stripe** | `sk_live_`, `sk_test_`, `rk_live_` keys |\r
| **Twilio** | Account SID, Auth Token |\r
| **SendGrid** | `SG.` prefixed API keys |\r
\r
### Databases & Infrastructure\r
| Type | Pattern |\r
|------|---------|\r
| **MongoDB** | `mongodb://` or `mongodb+srv://` with credentials |\r
| **PostgreSQL** | `postgresql://` with embedded password |\r
| **MySQL** | `mysql://` with embedded password |\r
| **Redis** | `redis://` with password |\r
| **SSH** | `-----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY-----` |\r
| **Certificates** | PEM, PFX, P12 with embedded keys |\r
\r
### Generic Patterns\r
| Pattern | Description |\r
|---------|-------------|\r
| **password=** | Hardcoded passwords in config/env files |\r
| **secret=** | Hardcoded secrets |\r
| **token=** | Hardcoded tokens |\r
| **Bearer** | Bearer tokens in code |\r
| **Basic Auth** | Base64-encoded basic auth headers |\r
| **JWT** | `eyJ` prefixed JWT tokens |\r
| **High Entropy** | Long random strings that look like secrets |\r
\r
## Severity Levels\r
\r
| Severity | Description | Examples |\r
|----------|-------------|----------|\r
| 🔴 **Critical** | Active production credentials | AWS Secret Key, Private Keys, DB passwords |\r
| 🟠 **High** | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |\r
| 🟡 **Medium** | Keys that may be test/dev | Test API keys, example tokens |\r
| 🟢 **Low** | Potential false positives | Generic password= in comments, placeholder values |\r
\r
## Files Scanned\r
\r
Scans these file types by default:\r
- Source code: `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, `.cs`, `.rs`\r
- Config: `.json`, `.yaml`, `.yml`, `.toml`, `.ini`, `.cfg`, `.conf`\r
- Environment: `.env`, `.env.local`, `.env.production`\r
- Shell: `.sh`, `.bash`, `.zsh`, `.ps1`\r
- Docs: `.md`, `.txt`\r
- Other: `Dockerfile`, `docker-compose.yml`, `Makefile`\r
\r
## Ignored Paths\r
\r
Automatically skips:\r
- `node_modules/`, `vendor/`, `venv/`, `.venv/`\r
- `.git/`, `.svn/`\r
- `__pycache__/`, `.pytest_cache/`\r
- Binary files, images, compiled outputs\r
- `package-lock.json`, `yarn.lock`\r
\r
## Remediation Guidance\r
\r
When secrets are found, the skill recommends:\r
1. **Rotate the secret immediately** — assume it's compromised\r
2. **Remove from code** — use environment variables or a secrets manager instead\r
3. **Add to .gitignore** — prevent `.env` and credential files from being committed\r
4. **Use git-filter-repo** — to remove secrets from git history\r
5. **Enable pre-commit hooks** — to catch secrets before they're committed\r
\r
## Requirements\r
- Python 3.7+\r
- No additional dependencies (uses Python standard library)\r
\r
## Entry Point\r
- **CLI:** `secret_scanner.py`\r
\r
## Tags\r
#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops\r
Usage Guidance
This skill appears to be a straightforward local secret scanner and is internally consistent. Before installing or running it: (1) review the script yourself if you will run it in sensitive environments (we checked imports and saw only standard-library modules); (2) run it locally (or in an isolated environment) on the target repo — the tool will read files recursively and can surface sensitive data; (3) treat any findings as potentially compromised (rotate keys immediately) and avoid uploading raw reports that contain secret previews to public services; (4) if you plan to let an autonomous agent run this skill, ensure the agent is not configured to post scan results to external endpoints you did not approve. If you want even higher assurance, paste the full secret_scanner.py source into a code reviewer or run it in a sandboxed container to confirm behavior in your environment.
Capability Analysis
Type: OpenClaw Skill Name: credential-scanner Version: 0.1.0 The OpenClaw AgentSkills skill bundle 'credential-scanner' is a legitimate secret scanner. The `SKILL.md` provides clear, transparent instructions for the agent and does not contain any prompt injection attempts. The `secret_scanner.py` code is a well-structured Python script that uses standard libraries to scan files for predefined secret patterns. It does not exhibit any malicious behaviors such as data exfiltration, unauthorized command execution, persistence mechanisms, or obfuscation. Its file access is strictly for its stated purpose of scanning, and it has no external dependencies, mitigating supply chain risks.
Capability Assessment
Purpose & Capability
Name and description (scan repos for leaked secrets) match the included CLI script, README, and SKILL.md. The patterns and file types described are consistent with a secret scanner; nothing is requesting unrelated cloud credentials or external services.
Instruction Scope
SKILL.md instructs the agent/user to run the bundled Python script against a path, output JSON/Markdown, and follow remediation steps. Instructions do not tell the agent to read unrelated system files, environment variables, or to transmit findings to external endpoints.
Install Mechanism
No install spec (instruction-only with a single Python script). The skill claims zero external dependencies and the Python file imports only standard-library modules (os, re, sys, json, argparse, etc.), which matches that claim.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The scanner legitimately doesn't need secrets to operate, so no secret-env access is requested or required.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system-wide privileges or modify other skills' configs. Autonomous invocation is allowed by platform default but there are no additional privileges requested by the skill.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install credential-scanner
  3. After installation, invoke the skill by name or use /credential-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release
Metadata
Slug credential-scanner
Version 0.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Credential Scanner?

Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p... It is an AI Agent Skill for Claude Code / OpenClaw, with 696 downloads so far.

How do I install Credential Scanner?

Run "/install credential-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Credential Scanner free?

Yes, Credential Scanner is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Credential Scanner support?

Credential Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Credential Scanner?

It is built and maintained by nirwan dogra (@nirwandogra); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments