Official · Verified · developer tools · Safety 5/5

aws-secrets-scanner

Detect hardcoded secrets, exposed API keys, and credential misconfigurations in IaC and config files


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/anmolnagpal/secrets-scanner

What This Skill Does

The aws-secrets-scanner skill is a dedicated security analysis tool designed for DevOps engineers, developers, and cloud architects to proactively identify hardcoded credentials and configuration weaknesses. Unlike automated scanners that run in a CI pipeline, this AI-powered skill acts as an interactive security auditor. You provide it with Infrastructure as Code (IaC) snippets, configuration files, or exported environment variable metadata from your AWS Lambda or ECS resources, and it analyzes them for high-entropy patterns, leaked API keys, and insecure configuration practices.

It detects a wide array of sensitive data, including AWS Access Key IDs, private SSH keys, database connection strings, JWT signing keys, and third-party service provider tokens (e.g., Stripe, Twilio). Beyond simple pattern matching, the skill provides a risk assessment, calculates the potential blast radius, and generates a concrete migration roadmap to move secrets into AWS Secrets Manager or Parameter Store.

Installation

To integrate this skill into your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/anmolnagpal/secrets-scanner

Use Cases

  • Pre-deployment Audits: Review Terraform or CloudFormation manifests to ensure no secrets are stored as plaintext default variables before running terraform apply.
  • Legacy System Hardening: Scan existing Lambda or ECS task environment configurations to identify secrets that were previously injected via console but should be managed via Secrets Manager.
  • Incident Response: Quickly audit codebase snippets during a suspected credential leak to determine if a specific key was present in the manifest.
  • Developer Education: Use the scanner to generate personalized checklists for team members on how to avoid secret sprawl in future commits.

Example Prompts

  1. "I am pasting my main.tf file. Please scan it for any hardcoded AWS keys or database passwords and provide a remediation plan using Secrets Manager."
  2. "Here is the JSON output from my Lambda configuration: [JSON]. Can you check if any of these environment variable keys suggest that actual secrets are being stored as plaintext values?"
  3. "I suspect I might have accidentally committed an API key to this repo. Can you give me the exact git-filter-repo commands to scrub it from my commit history?"

Tips & Limitations

  • Data Privacy: This skill is instruction-only. It does not connect to your AWS account. You must copy and paste your configuration data into the chat. Always redact actual secret values before pasting to maintain your security posture.
  • Context matters: The more context you provide (e.g., which tool generated the config), the more accurate the blast radius assessment will be.
  • False Positives: Some matched high-entropy strings are not secrets (for example random IDs or hashes); use the scanner as a second opinion, not the final authority.
  • Remediation: While the skill provides code snippets for migration, always test your new secrets-retrieval logic in a non-production environment first.
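To make the detection approach described under What This Skill Does concrete, and the redaction advised under Data Privacy practical, here is an added Python example (written for this page; it is not the skill's code and does not reflect the ClawKit registry). It scans a constructed Terraform snippet for AWS access key ID patterns, high-entropy values and sensitive key names, and returns a copy with flagged values masked so it can be pasted into a chat. The sample credentials are the AWS documentation placeholders; the entropy threshold and the sensitive-name list are assumptions to tune for your codebase.

```python
import math
import re
from collections import Counter

# Constructed sample (not from the page): a Terraform snippet with a plaintext
# AWS key pair (the AWS docs placeholder values) and an RDS password.
SAMPLE_TF = """provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_db_instance" "main" {
  instance_class = "db.t3.micro"
  password       = "hunter2"
}
"""

# key = "value" lines as found in HCL and .env-style files (indent, key, " = ", value, rest)
ASSIGNMENT = re.compile(r'^(\s*)([\w.-]+)(\s*=\s*)"([^"]*)"(.*)$')
AWS_KEY_ID = re.compile(r"^(?:AKIA|ASIA)[0-9A-Z]{16}$")  # long-term / temporary key IDs
SENSITIVE_NAME = re.compile(r"password|passwd|secret|token|api_?key|private_?key", re.I)
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed); random 40-char base64 scores ~4.6-5.0
MIN_ENTROPY_LEN = 20     # short values score low even when random, so skip the entropy test


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def classify(name: str, value: str):
    """Why a key = "value" pair is suspicious, or None if it looks benign.
    Checks run in priority order: exact key-ID shape, then entropy, then key name."""
    if AWS_KEY_ID.match(value):
        return "aws_access_key_id"
    if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high_entropy_value"
    if value and SENSITIVE_NAME.search(name):
        return "sensitive_key_name"
    return None


def scan_and_redact(text: str):
    """Return (findings, redacted_text); findings are (line_no, key, reason).
    The redacted text keeps key names but masks flagged values for safe pasting."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        reason = classify(m[2], m[4]) if m else None
        if reason:
            findings.append((lineno, m[2], reason))
            line = f'{m[1]}{m[2]}{m[3]}"<REDACTED:{reason}>"{m[5]}'
        out.append(line)
    return findings, "\n".join(out)
```

Run scan_and_redact(SAMPLE_TF) and paste the second return value, not the original file; the first lists what was masked and why.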

Metadata

Stars: 4473
Views: 1
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-anmolnagpal-secrets-scanner": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #aws #devops #iac #compliance
Safety Score: 5/5