agents/security-reviewer/.opencode/skill/security-secrets/SKILL.md
Review secret detection patterns and scanning workflows. Use for identifying high-signal secrets like AWS keys, GitHub tokens, and DB passwords. Use proactively during all security audits to scan code and history.

Examples:
- user: "Scan for secrets in this repo" → run high-signal rg patterns and gitleaks
- user: "Check for AWS keys" → scan for AKIA patterns and server-side exposure
- user: "Audit my .env files" → ensure secrets are gitignored and not committed
- user: "Verify secret redaction" → check that reported secrets follow 4+4 format
- user: "Scan build artifacts for keys" → search dist/ and build/ for secret patterns
<overview>
High-signal regex patterns for detecting secrets in codebases.
</overview>
<patterns>
| Secret Type | Pattern | Notes |
|-------------|---------|-------|
| AWS Access Key | AKIA[0-9A-Z]{16} | Always 20 chars, starts AKIA |
| AWS Secret | (?i)aws(.{0,20})?['"][0-9a-zA-Z/+]{40}['"] | 40 chars base64-ish |
| Google API Key | AIza[0-9A-Za-z\-_]{35} | 39 chars total |
| Google OAuth | [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com | Client ID |
| Google Service Account | "type":\s*"service_account" | In JSON files |
| GitHub Token | gh[pousr]_[A-Za-z0-9_]{36,} | ghp_/gho_/ghu_/ghs_/ghr_ |
| GitHub PAT (fine-grained) | github_pat_[A-Za-z0-9_]{22,} | Newer format |
| GitLab Token | glpat-[A-Za-z0-9\-]{20,} | Personal access token |
| Stripe Secret | sk_(live|test)_[0-9a-zA-Z]{24,} | Secret key |
| Stripe Restricted | rk_(live|test)_[0-9a-zA-Z]{24,} | Restricted key |
| Stripe Publishable | pk_(live|test)_[0-9a-zA-Z]{24,} | Public key |
| Slack Bot Token | xoxb-[A-Za-z0-9-]+ | Bot token |
| Slack User Token | xoxp-[A-Za-z0-9-]+ | User token |
| Slack Workflow Token | xwfp-[A-Za-z0-9-]+ | Workflow token |
| Slack App Token | xapp-[A-Za-z0-9-]+ | App-level token |
| Slack Webhook | https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+ | |
| Discord Token | [MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27} | Bot token |
| Discord Webhook | https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+ | |
| OpenAI Key | sk-[A-Za-z0-9]{48} | API key |
| Anthropic Key | sk-ant-[A-Za-z0-9\-]{32,} | API key |
| Twilio | SK[a-z0-9]{32} | API key SID |
| SendGrid | SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43} | API key |
| Mailgun | key-[0-9a-zA-Z]{32} | API key |
| Mailchimp | [a-f0-9]{32}-us[0-9]{1,2} | API key |
| Firebase | (?i)firebase[a-z0-9\-]+\.firebaseio\.com | Database URL |
| Supabase | eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]* | JWT (check context) |
| Heroku | [hH]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12} | API key |
| NPM Token | npm_[A-Za-z0-9]{36} | Publish token |
| PyPI Token | pypi-[A-Za-z0-9_-]{50,} | Upload token |
| Private Key | -----BEGIN (RSA|EC|DSA|OPENSSH|PGP) PRIVATE KEY | Any private key |
| Database URL | (?i)(postgres|mysql|mongodb|redis|amqp)://[^:]+:[^@]+@ | With password |
| Password in URL | [a-zA-Z]{3,15}://[^/\\:@]+:[^/\\:@]+@.{1,100} | Basic auth |
| JWT Secret | (?i)(jwt[_-]?secret|token[_-]?secret)['"]?\s*[:=]\s*['"][^'"]+['"] | Config files |
| Generic Secret | (?i)(password|passwd|secret|api_key|apikey|access_token|auth_token)['"]?\s*[:=]\s*['"][^'"]{8,}['"] | Catch-all |
</patterns>
<commands>
```bash
# Quick grep scan (fast, high signal)
rg -n "(AKIA[0-9A-Z]{16}|sk_(live|test)_|rk_(live|test)_|pk_(live|test)_|xox[baprs]-|xapp-|xwfp-|gh[pousr]_|github_pat_)" .
rg -n "BEGIN (RSA|EC|OPENSSH|DSA|PGP) PRIVATE KEY" .
rg -n "(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}" .

# Dedicated scanners (thorough)
gitleaks detect --source . --redact --no-git
semgrep scan --config p/secrets --error
trufflehog filesystem . --only-verified
```
</commands>
<priority_files>
| File Pattern | Risk Level | Why |
|--------------|------------|-----|
| .env* | CRITICAL | Often contains all secrets |
| *config*.js/ts/json | HIGH | App configuration |
| *secret*, *credential* | HIGH | Named suspiciously |
| docker-compose*.yml | HIGH | DB passwords, service creds |
| .github/workflows/*.yml | HIGH | CI/CD secrets |
| *test*, *spec*, *fixture* | MEDIUM | Test data with real creds |
| *.pem, *.key, *.p12 | CRITICAL | Private keys |
</priority_files>
<rules>
When reporting secrets, MUST always redact:
- Original: AKIAIOSFODNN7EXAMPLE → Redacted: AKIA****...****MPLE
- Original: sk_test_XXXXYYYYZZZZ11112222 → Redacted: sk_****...****2222
Show first 4 + last 4 characters only. MUST instruct immediate rotation.
</rules>
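The pattern table and the redaction rule above, combined into one runnable scanner. This is an added example, not part of the skill's own files or the opencode-workflows project: it takes a subset of the table's regexes exactly as written, runs them line by line over a constructed sample (fake values, no real credentials), stores only the first-4/last-4 redacted form of each hit, and attaches the rotation instruction to every reported line. The names `PATTERNS`, `Finding`, `redact`, `scan_text`, `report` and the `SAMPLE` text are assumptions of this example.

```python
"""Minimal secret scanner with 4+4 redaction (added example, not part of the skill)."""
from __future__ import annotations

import re
from typing import NamedTuple

# A subset of the SKILL.md pattern table, copied as written.
PATTERNS: dict[str, str] = {
    "AWS Access Key": r"AKIA[0-9A-Z]{16}",
    "GitHub Token": r"gh[pousr]_[A-Za-z0-9_]{36,}",
    "Stripe Secret": r"sk_(live|test)_[0-9a-zA-Z]{24,}",
    "Slack Bot Token": r"xoxb-[A-Za-z0-9-]+",
    "Private Key": r"-----BEGIN (RSA|EC|DSA|OPENSSH|PGP) PRIVATE KEY",
    "Database URL": r"(?i)(postgres|mysql|mongodb|redis|amqp)://[^:]+:[^@]+@",
    # Catch-all: the match covers the key name and the quoted value together.
    "Generic Secret": r"(?i)(password|passwd|secret|api_key|apikey|access_token|auth_token)['\"]?\s*[:=]\s*['\"][^'\"]{8,}['\"]",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}


class Finding(NamedTuple):
    line_no: int
    secret_type: str
    redacted: str  # never the raw match


def redact(secret: str) -> str:
    """First 4 + last 4 characters only, as the rules block requires.
    A value of 8 characters or fewer would be fully exposed, so mask it entirely."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}****...****{secret[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Run every pattern over every line; keep only redacted matches."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in COMPILED.items():
            for match in rx.finditer(line):
                findings.append(Finding(line_no, name, redact(match.group(0))))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One line per hit; every line carries the rotation instruction."""
    return [
        f"line {f.line_no}: {f.secret_type} {f.redacted} -- rotate immediately"
        for f in findings
    ]


# Constructed sample input (fake values, not real credentials).
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_KEY=sk_test_FAKEFAKEFAKEFAKEFAKEFAKE
DATABASE_URL=postgres://app:hunter2hunter2@db.internal:5432/app
api_key = "not-a-real-key-0000"
SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE
GITHUB_TOKEN=ghp_FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
-----BEGIN RSA PRIVATE KEY-----
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for line in report(scan_text(SAMPLE)):
        print(line)
```

Two details worth noticing when adapting this: the page's own Stripe example value is shorter than the table's `{24,}` quantifier, so the sample uses a 24-character fake suffix; and the Generic Secret pattern matches the whole `key = "value"` assignment, so its redacted form starts with the key name rather than the value. `redact` applies the stated rule literally (four leading characters, so a Stripe key shows `sk_t`).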