
Secret Detection — Skill Tool

v1.0.0

Git hook to detect secrets before commit.

0 · 356 · 1 current · 1 cumulative
by @derick001 (Derick) · MIT-0
License: MIT-0
Last updated: 2026/2/26
Security scan (VirusTotal): harmless
OpenClaw: safe (high confidence)
The skill's code and instructions are consistent with a local git pre-commit secret scanner; it does not request unrelated credentials or perform network exfiltration, but it prints parts of detected secrets to stdout which can expose sensitive data in logs or terminals.
Assessment recommendation

This skill appears to do what it says: a local git pre-commit scanner implemented in Python that requires git and python3. Before installing, review the script (scripts/main.py) yourself. Key points to consider:

- The scanner prints matched secrets (it includes a 'secret' field in its JSON output and prints a substring to the console). That can expose sensitive values in terminal history or CI logs — if you use this in CI or shared terminals, prefer redaction or change the script to mask secret...
Detailed analysis

Purpose and capabilities
Name/description, SKILL.md, and the included Python script all implement a git pre-commit secret scanner. Requested binaries (git, python3) are appropriate and used by the script (git used to list staged files; python3 runs the scanner). No unexpected services or credentials are required.
Instruction scope
Instructions focus on installing a repo-local pre-commit hook and scanning staged or specified files, which matches the code. Minor discrepancies: SKILL.md and README state the script prints the first 20 characters of detected secrets, but the hook-run path prints up to 60 characters of the file content in the commit-blocking output. The script reads file contents and prints matched secret substrings to stdout — expected for identification but a potential privacy/secret-leak risk (terminal, CI logs).
Installation mechanism
No remote downloads or package installs; install simply writes a .git/hooks/pre-commit file that invokes the local script. This is standard for repo-local git hooks and does not introduce high-risk install behavior.
Credential requirements
The skill requests no environment variables or external credentials, which is appropriate. However, it prints portions of detected secrets to the console (and JSON output includes the secret in full under 'secret' field), which may expose secrets to terminal history, CI logs, or other observers. Consideration should be given to redaction before printing/storing findings.
Persistence and permissions
The skill is not always-enabled and does not request system-wide persistence. Its install writes only to the repository's .git/hooks directory; it does not modify other skills or global agent settings.
Security comes in layers; review the code before running it.

License

MIT-0

Free to use, modify and redistribute, with no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.0 (2026/2/25)

Initial release of git pre-commit secret detection skill.
- Scans staged files for common secret patterns (API keys, passwords, tokens) before commit.
- Blocks commits if secrets are found and prints detection details with file names and line numbers.
- Provides a command-line tool to install the pre-commit hook and to manually scan files or staged changes.
- Outputs a detection report and exit code (1 if secrets found).
- Requires git and Python 3.6+; works locally without external services.
- Limitations: may have false positives, doesn't scan binaries, must be installed per repository.

● Harmless

Install command

Official: npx clawhub@latest install secret-detection
Mirror (CN): npx clawhub@latest install secret-detection --registry https://cn.clawhub-mirror.com

Skill documentation

What This Does

This skill provides a git pre‑commit hook that scans staged files for common secret patterns (API keys, passwords, tokens) and blocks the commit if any are found. It helps prevent accidental leakage of secrets to public repositories.

Inputs: Git staged files (automatically scanned by the hook) or manual file paths. Outputs: Detection report with line numbers; non‑zero exit code if secrets found.

When To Use

Use this skill when:

  • You work with repositories that may contain sensitive credentials
  • You want to prevent accidental commits of secrets
  • You need a lightweight, local secret scanner for git workflows
  • You want to enforce security checks before pushing to remote

Usage

Installation

# Install the hook in your git repository
./scripts/main.py install

Manual Scan

# Scan specific files
./scripts/main.py scan --file path/to/file

# Scan all staged files (like the hook does)
./scripts/main.py scan --staged

Hook Behavior

  • The hook runs automatically on git commit
  • If secrets are detected, the commit is blocked
  • The script prints the detected secrets with file names and line numbers
  • Exit code 0 = no secrets found; exit code 1 = secrets found

Examples

Example 1: Installing the Hook

$ ./scripts/main.py install
✓ Pre-commit hook installed at .git/hooks/pre-commit
✓ Hook will scan for secrets on every commit

Example 2: Secret Detection Blocking a Commit

$ git commit -m "Add config"
⚠️  Secret detected in config.yaml line 12: AWS_ACCESS_KEY_ID=AKIA...
⚠️  Secret detected in .env line 3: PASSWORD=secret123
✗ Commit blocked: 2 secrets found

Example 3: Manual Scan

$ ./scripts/main.py scan --staged
Scanning 3 staged files...
✓ config.yaml: clean
✓ .env: clean
✓ src/main.py: clean
✓ No secrets found

Requirements

  • Git (for hook installation)
  • Python 3.6+ (for the scanner)
  • No external API keys or services needed

Limitations

  • Only detects common secret patterns (AWS keys, GitHub tokens, passwords, etc.)
  • May produce false positives (e.g., long random strings that aren't actually secrets)
  • Does not scan binary files
  • Requires manual installation per repository
  • Does not replace comprehensive secret‑management solutions
  • Prints first 20 characters of detected secrets to console for identification purposes
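The Hook Behavior section and the last Limitations item describe the mechanics (scan staged files, skip binaries, report file and line, exit 1 on a hit, print part of the secret), and the security assessment above flags that printing matched values is a leak risk. The following is an added example written for this page, not the skill's own scripts/main.py: a minimal scanner of the same shape whose findings carry only a masked preview (first four characters, rest replaced by '*'), so a terminal or CI log never receives the full value. The three rules, the preview length, the `looks_binary` heuristic and the constructed sample text are assumptions for illustration; the skill's actual pattern set is not shown on the page.

```python
"""Added example (not the skill's scripts/main.py): staged-file secret scanner
that reports masked previews instead of raw secrets. Python 3.6+."""
import re
import subprocess
import sys
from typing import List, NamedTuple, Optional

# Illustrative rules, constructed for this example. Each pattern captures the
# secret value in group 1 so it can be masked before it reaches any output.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "generic_password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str  # masked value, e.g. "AKIA****************"


def mask(value: str, keep: int = 4) -> str:
    """Keep only the first `keep` characters; replace the remainder with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def looks_binary(data: bytes) -> bool:
    # Same heuristic git uses: a NUL byte in the first 8 KiB means "binary", so skip it.
    return b"\x00" in data[:8000]


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line; the raw match never leaves this function."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, rule, mask(m.group(1))))
    return findings


def scan_bytes(path: str, data: bytes) -> List[Finding]:
    if looks_binary(data):
        return []
    return scan_text(path, data.decode("utf-8", errors="replace"))


def staged_files() -> List[str]:
    """Files added/copied/modified in the index, the same set a pre-commit hook sees."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def exit_code(findings: List[Finding]) -> int:
    # Mirrors the documented contract: 0 = clean, 1 = secrets found.
    return 1 if findings else 0


def main(paths: Optional[List[str]] = None) -> int:
    try:
        paths = paths or staged_files()
    except (subprocess.CalledProcessError, FileNotFoundError):
        print("error: not inside a git repository or git not installed", file=sys.stderr)
        return 2
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            findings += scan_bytes(path, fh.read())
    for fnd in findings:
        print("Secret detected in {} line {} [{}]: {}".format(
            fnd.path, fnd.line, fnd.rule, fnd.preview))
    if findings:
        print("Commit blocked: {} secrets found".format(len(findings)))
    return exit_code(findings)


if __name__ == "__main__":
    # Explicit paths scan those files; with no arguments it scans the git index.
    sys.exit(main(sys.argv[1:]))
```

Used as a hook, `.git/hooks/pre-commit` would simply `exec python3 path/to/this_script.py`; the non-zero return aborts the commit exactly as the skill's hook does, while the log line shows `AKIA****************` rather than the key itself.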
Data source: ClawHub · Chinese localization: 龙虾技能库