jd-opensource/pentest-secrets-exposure
skills/pentest-secrets-exposure/SKILL.md
Discover hardcoded credentials, leaked API keys, exposed configuration files, sensitive data in artifacts, and information disclosure via error handling.
$ install --global
skillsauthnpx skillsauth add jd-opensource/joysafeter pentest-secrets-exposureInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 2:18 AM4.4s3 files scanned
SKILL.md
- name:
- pentest-secrets-exposure
- description:
- Discover hardcoded credentials, leaked API keys, exposed configuration files, sensitive data in artifacts, and information disclosure via error handling.
Pentest Secrets Exposure
Purpose
Spans multiple unchecked WSTG categories — CONF-03/04 (sensitive files, backups), INFO-05 (info leakage), ERRH-01/02 (error handling, stack traces). Shannon's pre-recon focuses on architecture, not systematic secrets discovery.
Prerequisites
Authorization Requirements
- Written authorization with source code access scope (if white-box)
- Git repository access for history mining (if applicable)
- Target URL list for exposed file probing
Environment Setup
- TruffleHog for git history secret scanning
- GitLeaks for pattern-based secret detection
- Semgrep with secrets ruleset
- nuclei with exposure templates
Core Workflow
- Source Code Secrets: Scan for hardcoded API keys, DB credentials, JWT signing keys, encryption keys using pattern + entropy detection.
- Git History Mining: Search all commits for secrets added then removed. Check force-pushed branches. Analyze .gitignore for sensitive patterns.
- Exposed Config Files: Probe for .env, .git/config, .DS_Store, wp-config.php, application.yml, docker-compose.yml with credentials (WSTG-CONF-03/04).
- Error Handling Disclosure: Trigger stack traces, debug pages, verbose errors revealing internal paths, DB schemas, framework versions (WSTG-ERRH-01/02).
- Backup & Unreferenced Files: .bak, .old, .swp, ~files, editor temp files, DB dumps, log files with sensitive data.
- Client-Side Bundle Analysis: Extract API keys from JS bundles, source maps exposing server code, hardcoded tokens in mobile packages.
- Secret Validation: Test each discovered credential for active access, document scope, assess blast radius.
WSTG Coverage
| WSTG ID | Test Name | Status | |---------|-----------|--------| | WSTG-CONF-03 | Test File Extensions Handling for Sensitive Info | ✅ | | WSTG-CONF-04 | Review Old Backup and Unreferenced Files | ✅ | | WSTG-INFO-05 | Review Webpage Content for Information Leakage | ✅ | | WSTG-ERRH-01 | Test Improper Error Handling | ✅ | | WSTG-ERRH-02 | Test Stack Traces | ✅ |
Tool Categories
| Category | Tools | Purpose | |----------|-------|---------| | Git Scanning | TruffleHog, GitLeaks | Secret detection in git history | | Static Analysis | Semgrep (secrets rules), grep patterns | Source code secret scanning | | Web Probing | nuclei (exposure templates), ffuf | Exposed file/config discovery | | JS Analysis | SecretFinder, LinkFinder | Client-side bundle secret extraction | | Validation | curl, custom scripts | Credential active-access testing |
References
references/tools.md- Tool function signatures and parametersreferences/workflows.md- Attack pattern definitions and test vectors
Related Skills
jd-opensource/xlsx
development
VerifiedTrustedCommunity
Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. When Claude needs to work with spreadsheets (.xlsx, .xlsm, .csv, .tsv, etc) for: (1) Creating new spreadsheets with formulas and formatting, (2) Reading or analyzing data, (3) Modify existing spreadsheets while preserving formulas, (4) Data analysis and visualization in spreadsheets, or (5) Recalculating formulas
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/writing-plans
development
VerifiedTrustedCommunity
Use when you have a spec or requirements for a multi-step task, before touching code
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/skill-security-auditor
testing
VerifiedTrustedCommunity
OpenClaw Skills 全方位安全审计工具,检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.
238SKILL.mdUpdated Apr 6, 2026