avifenesh/secrets-scanner
skills/secrets-scanner/SKILL.md
Scan files or text for hardcoded secrets, API keys, tokens, PEMs, passwords, and connection strings. Use when importing external skills, vetting content, or auditing for credential leaks. Keywords: scan, secrets, credentials, api key, token, password, PEM, leak, vet, audit
$ install --global
skillsauthnpx skillsauth add avifenesh/cairn secrets-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 12:05 PM205.5s1 file scanned
SKILL.md
- name:
- secrets-scanner
- description:
- Scan files or text for hardcoded secrets, API keys, tokens, PEMs, passwords, and connection strings. Use when importing external skills, vetting content, or auditing for credential leaks. Keywords: scan, secrets, credentials, api key, token, password, PEM, leak, vet, audit
- inclusion:
- on-demand
- allowed-tools:
- Read,Glob
- argument-hint:
- [file-path]
Secrets Scanner
Scan a file or set of files for hardcoded secrets and credentials.
Steps
-
Read the target file(s)
- If
$ARGUMENTSis a file path, read it - If
$ARGUMENTSis a glob pattern, expand and read matching files - If no argument, ask the user which file(s) to scan
- If
-
Check content against these secret patterns
| Pattern | Type | Examples | |---------|------|----------| | Well-known token prefixes | vendor_token |
ghp_,ghs_,sk-,xoxb-,glpat-,pypi-,npm_| | AWS access keys | aws_access_key |AKIAfollowed by 16 alphanumeric chars | | Stripe keys | stripe_key |sk_live_,pk_live_,rk_live_| | Twilio SID | twilio_sid |ACfollowed by 32 hex chars | | SendGrid keys | sendgrid_key |SG.followed by base64 segments | | PEM private keys | pem_private_key |-----BEGIN * PRIVATE KEY-----blocks | | Connection strings | connection_string |postgres://user:pass@host,mongodb://...,redis://...| | Labeled credentials | labeled_credential |api_key=...,token: ...,password=...,secret=...| | Bearer tokens | bearer_token |Bearerfollowed by long token string | | High-entropy strings | entropy | Hex strings 32-256 chars, base64-like 64-512 chars | -
Report findings
For each finding, report:
- **[TYPE]** line N: `prefix...suffix` (redacted)Group by severity:
- Critical: Well-known token prefixes, PEM keys, connection strings with passwords
- High: Labeled credentials, vendor-specific keys
- Medium: High-entropy strings, Bearer tokens
-
Summary and remediation
## Scan Results: filename **Status**: CLEAN | N findings detected ### Findings [grouped by severity] ### Remediation - Move secrets to environment variables - Use a `.env` file (excluded from git) - For production: use a secrets manager (AWS SSM, Vault, etc.) - For skills: reference `${ENV_VAR}` instead of hardcoding values
Notes
- This skill is read-only and makes no changes to files
- Findings are redacted in output (only prefix/suffix shown)
- False positives are possible with high-entropy patterns — use judgment
- This scanner also runs automatically whenever any skill is activated — skills containing secrets are redacted before being sent to the LLM
Related Skills
avifenesh/pr-stall-detector
data-ai
VerifiedTrustedCommunity
Detect agent-cairn PRs that have stalled (no activity >=90 min) and classify the failure mode to route to appropriate recovery agent.
4SKILL.mdUpdated Apr 12, 2026
avifenesh/installer
tools
VerifiedTrustedCommunity
Post-install skill adaptation: read a newly installed SKILL.md, fix environment-specific references (paths, accounts, tool names), assign the skill to relevant agent types, and propose an AGENTS.md update. Triggered automatically after cairn.installSkill completes.
4SKILL.mdUpdated Apr 12, 2026
avifenesh/growth-brief
data-ai
VerifiedTrustedCommunity
Monthly self-improvement brief for Cairn. Queries error_patterns, action_exemplars, experiment_windows, and session_journal to synthesize what Cairn learned, where it failed, and 3 concrete proposals for Avi to approve. Run on the 1st of each month. Keywords: growth brief, monthly review, self-improvement, what did cairn learn, how is cairn doing, monthly report
4SKILL.mdUpdated Apr 12, 2026
avifenesh/decision-support
testing
VerifiedTrustedCommunity
Decision support with memory-backed context. Retrieves past decisions, journal history, and relevant facts before answering questions that involve a choice or tradeoff. Keywords: should I, which is better, tradeoff, compare, decide, choose, option, alternative, pros and cons, recommend
4SKILL.mdUpdated Apr 12, 2026