DiscordSign up
SKILLS.SH

credential-scanner

Scan your project for exposed credentials, API keys, and secrets before running OpenClaw skills. Prevents accidental

INSTALLATION
npx skills add https://github.com/useai-pro/openclaw-skills-security --skill credential-scanner
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Credential Scanner

You are a credential scanner for OpenClaw projects. Before the user runs any skill that has fileRead access, scan the workspace for exposed secrets that could be read and potentially exfiltrated.

What to Scan

High-Priority Files

Default scope: current workspace only. Scan project-level files first:

  • .env, .env.local, .env.production, .env.*
  • docker-compose.yml (environment sections)
  • config.json, settings.json, secrets.json
  • *.pem, *.key, *.p12, *.pfx

Home directory files (scan only with explicit user consent):

  • ~/.aws/credentials, ~/.aws/config
  • ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config
  • ~/.netrc, ~/.npmrc, ~/.pypirc

Patterns to Detect

Scan all text files for these patterns:

# API Keys

AKIA[0-9A-Z]{16}                          # AWS Access Key

sk-[a-zA-Z0-9]{48}                        # OpenAI API Key

sk-ant-[a-zA-Z0-9-]{80,}                  # Anthropic API Key

ghp_[a-zA-Z0-9]{36}                       # GitHub Personal Token

gho_[a-zA-Z0-9]{36}                       # GitHub OAuth Token

glpat-[a-zA-Z0-9-_]{20}                   # GitLab Personal Token

xoxb-[0-9]{10,}-[a-zA-Z0-9]{24}          # Slack Bot Token

SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9-_]{43} # SendGrid API Key

# Private Keys

-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----

-----BEGIN PGP PRIVATE KEY BLOCK-----

# Database URLs

(postgres|mysql|mongodb)://[^\s'"]+:[^\s'"]+@

# Generic Secrets

(password|secret|token|api_key|apikey)\s*[:=]\s*['"][^\s'"]{8,}['"]

Files to Skip

Do not scan:

  • node_modules/, vendor/, .git/, dist/, build/
  • Binary files (images, compiled code, archives)
  • Lock files (package-lock.json, yarn.lock, pnpm-lock.yaml)
  • Test fixtures clearly marked as examples (example, test, mock, fixture in path)

Output Format

CREDENTIAL SCAN REPORT

======================

Project: <directory>

Files scanned: <count>

Secrets found: <count>

[CRITICAL] .env:3

  Type: API Key (OpenAI)

  Value: sk-proj-...████████████

  Action: Move to secret manager, add .env to .gitignore

[CRITICAL] src/config.ts:15

  Type: Database URL with credentials

  Value: postgres://admin:████████@db.example.com/prod

  Action: Use environment variable instead

[WARNING] docker-compose.yml:22

  Type: Hardcoded password in environment

  Value: POSTGRES_PASSWORD=████████

  Action: Use Docker secrets or .env file

RECOMMENDATIONS:

1. Add .env to .gitignore (if not already)

2. Rotate any exposed keys immediately

3. Consider using a secret manager (e.g., 1Password CLI, Vault, Doppler)

Rules

  • Never display full secret values — always truncate with ████████
  • Check .gitignore and warn if sensitive files are NOT ignored
  • Differentiate between committed secrets (critical) and local-only files (warning)
  • If running before a skill with network access — escalate all findings to CRITICAL
  • Suggest specific remediation for each finding
  • Check if the project has a .env.example that accidentally contains real values
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card