ariffazil/Secret Safety Scan
skills/secret-safety-scan/SKILL.md
Scan a repo or workspace for exposed secrets, tokens, keys, and credentials. Produce a findings report with remediation steps.
business
Updated May 27, 2026
$ install --global
skillsauthnpx skillsauth add ariffazil/openclaw-workspace Secret Safety ScanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 27, 2026, 3:14 AM151.3s1 file scanned
SKILL.md
- id:
- secret-safety-scan
- name:
- Secret Safety Scan
- version:
- 1.0.0
- description:
- Scan a repo or workspace for exposed secrets, tokens, keys, and credentials. Produce a findings report with remediation steps.
- owner:
- AAA
- risk_tier:
- high
- physics:
- false
- math:
- false
- language:
- true
- skills:
- []
- servers:
- []
- schema_version:
- 1
- artifact_hash:
- pending
Secret Safety Scan
Overview
Secrets exposed in repos are irreversible once pushed. This skill scans for patterns that look like credentials and flags them before they leak.
When to Use
- Before any
git commit - Before any
git push - After importing external code
- Quarterly security sweep
Patterns to Detect
- AWS:
AKIA[0-9A-Z]{16} - GitHub:
ghp_[a-zA-Z0-9]{36} - OpenAI:
sk-[a-zA-Z0-9]{48} - Generic:
password=,token=,secret=,api_key= - Private keys:
-----BEGIN <ALGO> PRIVATE KEY----- .envfiles with real values (not.env.example)
Procedure
Step 1: File Scan
Search for patterns in all text files. Exclude:
node_modules/,__pycache__/,.git/.env.example,.env.template- Test fixtures with fake values (documented)
Step 2: Git History Scan
Check git log -p for secrets in history. Even if removed from current HEAD, they may exist in history.
Step 3: Evaluate Findings
- False positive → document why
- Real secret → immediate escalation
- Template/example → verify it's fake
Forbidden Actions
- NEVER commit secrets to fix them — use
git filter-repoor BFG - NEVER post findings in public channels
- NEVER dismiss findings without verification
Escalation Path
| Condition | Escalate To | |-----------|-------------| | Live secret found | Arif + security.agent — IMMEDIATE | | Historical secret | ops.agent — rotation needed | | False positive pattern | AAA agent — update scan rules |
Skill version 1.0.0 — AAA Skill Library
Related Skills
ariffazil/AAA Agentic Governance (AAA-Cockpit, canonical)
development
VerifiedTrustedCommunity
Governed intelligence skill for AAA as the abstraction, attestation, and abduction control plane across arifOS, APEX, A-FORGE, GEOX, WEALTH, WELL, and the ariffazil profile repository. Use when the user asks to explain or design AAA, route agentic work, reduce chaos/entropy in an arifOS federation task, create AREP/task declarations, classify risk, plan multi-repo changes, review governance boundaries, or translate human intent into evidence-backed, authority-safe, recursively agentic workflows. Provides deterministic F1-F13 floor checking, bounded abduction, and FederationReceipt composition.
SKILL.mdUpdated Jun 6, 2026
ariffazil/skill-trigger-linter
development
VerifiedTrustedCommunity
Check every skill’s “use when” and “do not use when” clauses for collisions, missing negatives, and vague verbs like “help,” “assist,” or “improve.” Load when linting, reviewing, or validating trigger boundaries.
SKILL.mdUpdated May 27, 2026
ariffazil/skill-creator
development
VerifiedTrustedCommunity
Bootstrap, design, and package new skills. Load when capturing user intent for a new skill or drafting its initial instruction framework.
SKILL.mdUpdated May 27, 2026
ariffazil/Federation Service Health Triage
content-media
VerifiedTrustedCommunity
Diagnose which federation services are up, down, or drifting. Produce a prioritized remediation plan.
SKILL.mdUpdated May 27, 2026