Official Verified
secret-scanner
Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret patterns across all major cloud providers and services.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/nirwandogra/nirwan-secret-scanner
Secret Scanner
Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.
When to Use This Skill
Use this skill when the user:
- Asks to "check for leaked secrets" or "scan for API keys"
- Wants to audit a repo or folder before committing or publishing
- Says "are there any hardcoded passwords in this code?"
- Asks to "find credentials" or "check for exposed tokens"
- Wants pre-commit or pre-publish security checks
- Mentions concern about accidentally checking in secrets
Capabilities
- Detect 40+ secret patterns including:
  - AWS Access Keys, Secret Keys, Session Tokens
  - Azure Storage Keys, Connection Strings, SAS Tokens
  - GCP Service Account Keys, API Keys
  - GitHub / GitLab / Bitbucket Personal Access Tokens
  - OpenAI, Anthropic, Hugging Face API Keys
  - Slack Bot Tokens, Webhooks
  - Stripe, Twilio, SendGrid Keys
  - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
  - SSH Private Keys, PEM/PFX Certificates
  - JWT Tokens, Bearer Tokens
  - Generic passwords in config files (password=, secret=, token=)
- Scan individual files, directories, or entire repos recursively
- Ignore binary files, node_modules, .git, and other non-relevant paths
- Output results as Markdown report or JSON
- Provide severity ratings (Critical, High, Medium, Low)
- Suggest remediation for each finding
How to Scan
Scan a directory
python secret_scanner.py /path/to/project
Scan with JSON output
python secret_scanner.py /path/to/project --json
Scan and save report
python secret_scanner.py /path/to/project --output report.md
Within an Agent
"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"
Secret Patterns Detected
Cloud Provider Keys
| Provider | Secrets Detected |
|---|---|
| AWS | Access Key ID (AKIA...), Secret Access Key, Session Token |
| Azure | Storage Account Key, Connection String, SAS Token, Client Secret |
| GCP | API Key (AIza...), Service Account JSON, OAuth Client Secret |
AI / LLM Keys
| Service | Pattern |
|---|---|
| OpenAI | sk- prefixed API keys |
| Anthropic | sk-ant- prefixed keys |
| Hugging Face | hf_ prefixed tokens |
| Cohere | API keys in config |
Developer Platforms
| Platform | Secrets Detected |
|---|---|
| GitHub | ghp_, gho_, ghu_, ghs_, ghr_ tokens |
| GitLab | glpat- tokens |
| Slack | xoxb-, xoxp-, xoxs- tokens, webhook URLs |
| Stripe | sk_live_, sk_test_, rk_live_ keys |
| Twilio | Account SID, Auth Token |
| SendGrid | SG. prefixed API keys |
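An added example, not the skill's own code: a minimal prefix matcher built from the prefixes in the tables above. It shows why `sk-ant-` has to be tested before the broader `sk-` so an Anthropic key is not reported as OpenAI, and it redacts each finding so the report does not re-leak the secret. The tail lengths, the rule names and the helpers `scan_text` and `redact` are assumptions made for illustration.

```python
import re

# Prefixes are taken from the tables on this page. The tail character classes
# and minimum lengths are assumptions for this example, not the skill's rules.
TAIL = r"[A-Za-z0-9_\-]{16,}"
RULES = [  # order matters: the most specific prefix must come first
    ("AWS Access Key ID", r"AKIA[0-9A-Z]{16}"),
    ("GCP API Key", r"AIza" + TAIL),
    ("Anthropic", r"sk-ant-" + TAIL),  # must precede the broader "sk-" rule
    ("OpenAI", r"sk-" + TAIL),
    ("Hugging Face", r"hf_" + TAIL),
    ("GitHub", r"gh[pousr]_" + TAIL),
    ("GitLab", r"glpat-" + TAIL),
    ("Slack", r"xox[bps]-" + TAIL),
    ("Stripe", r"(?:sk_live|sk_test|rk_live)_" + TAIL),
    ("SendGrid", r"SG\.[A-Za-z0-9_\-.]{16,}"),
]
# The lookarounds stop a prefix from matching inside a longer word ("task-...").
COMPILED = [(name, re.compile(r"(?<![A-Za-z0-9_\-])" + rx + r"(?![A-Za-z0-9_\-])"))
            for name, rx in RULES]

SAMPLE = """\
# constructed sample config, none of these values are real credentials
AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
ANTHROPIC = "sk-ant-EXAMPLEEXAMPLEEXAMPLE"
note = "see task-0123456789abcdefXYZ for details"
GH = "ghp_EXAMPLEexampleEXAMPLEexample0000"
"""

def redact(secret, keep=4):
    """Keep a short prefix so the finding is identifiable; never echo the secret."""
    return secret[:keep] + "*" * (len(secret) - keep)

def scan_text(text):
    """Return redacted findings, one per secret, attributed to the first matching rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        claimed = []  # spans already attributed to an earlier rule on this line
        for name, rx in COMPILED:
            for m in rx.finditer(line):
                if any(m.start() < e and s < m.end() for s, e in claimed):
                    continue  # e.g. "sk-" matching inside an "sk-ant-" key
                claimed.append(m.span())
                findings.append({"line": lineno, "rule": name, "match": redact(m.group())})
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
```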
Databases & Infrastruc...
Add to Configuration
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-nirwandogra-nirwan-secret-scanner": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety Note
ClawKit audits metadata but not runtime behavior. Use with caution.