.agents/skills/pr-prep-secret-guard/SKILL.md
Mandatory secret scanning before any git operation. MUST trigger automatically before git commit, git push, git add, PR creation, or any commit-related skill. Scans staged files for API keys, tokens, credentials, and other secrets to prevent accidental exposure in version control.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```bash
npx skillsauth add kissrosecicd-hub/agents-evolution secret-guard
```
MANDATORY: Run before ANY git commit, push, add, or PR operation.
Run these before proceeding with any git operation:
```bash
# Check for secret keywords in staged changes (skip removed lines)
git diff --cached | grep -iE '(client_secret|password|api[_-]?key|secret_key|private_key|token|bearer|credential)' | grep -v "^-" | head -20

# Check for long credential-like strings (base64, hex, Azure secrets with ~)
git diff --cached | grep -oE '[a-zA-Z0-9+/~]{35,}' | head -10

# Check config files specifically for secrets
git diff --cached -- '*.json' '*.yaml' '*.yml' | grep -iE '(secret|password|key|token)' | grep -v "^-" | head -10

# List staged files
git diff --cached --name-only
```
STOP and warn if any of these are staged:
- `.env`, `.env.*` — Never commit
- `.claude/settings.json` — Often contains embedded secrets
- `*.pem`, `*.key`, `*.p12`, `*.pfx` — Private keys
- `credentials.json`, `secrets.json`, `auth*.json`, `*token*.json`
- `**/config/*.json` — May contain hardcoded credentials

| Pattern | Identifier |
|---|---|
| Azure AD secrets | Contains ~ (e.g., Pl~8Q~abc...) |
| AWS Access Keys | Starts with AKIA |
| GitHub tokens | Starts with ghp_, gho_, ghs_ |
| API keys | Prefixes: sk-, pk-, api_ |
| JWT tokens | Starts with eyJ |
| Base64 secrets | 40+ alphanumeric chars |
BLOCK the git operation immediately.
Response format:
🚨 SECRET DETECTED - BLOCKING COMMIT
Found in: <filename>
Pattern: <what was found>
REQUIRED ACTIONS:
1. Remove the secret from the file
2. Use environment variables instead
3. If already committed: rotate the credential immediately
Proceed with commit? (only after user confirms false positive)
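The checks above folded into one hook-ready shell function, as an added example that is not part of the skill: the file-name list and the regexes are my own constructions that follow the STOP list and the pattern table, and the sample diff is made up for the demo rather than taken from any repository. It goes slightly beyond the page's grep lines in one respect: the keyword check only fires when the keyword is assigned a quoted literal, so a line such as `api_key = os.environ["API_KEY"]` (the recommended fix) is not reported, which cuts down on the false positives the "Proceed with commit?" step otherwise has to absorb.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code. Scans a unified diff on stdin the way the
# skill describes: only added (+) lines are examined, removed lines are ignored, the
# file name is checked against the STOP list, and added lines are matched against the
# credential formats in the table. All patterns below are constructed for this example.

# File names the skill says to STOP on (.env*, .claude/settings.json, key material,
# credential JSON files, **/config/*.json).
BLOCKED_FILES='(^|/)(\.env(\..+)?|\.claude/settings\.json|credentials\.json|secrets\.json|auth[^/]*\.json|[^/]*token[^/]*\.json)$|\.(pem|key|p12|pfx)$|(^|/)config/[^/]+\.json$'

# Known credential formats from the table: AWS AKIA keys, GitHub ghp_/gho_/ghs_ tokens,
# JWTs (two eyJ-style segments), sk-/pk- API keys, Azure AD secrets containing "~".
PREFIXES='AKIA[0-9A-Z]{16}|gh[pos]_[A-Za-z0-9]{20,}|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}|(^|[^A-Za-z0-9])(sk|pk)-[A-Za-z0-9]{16,}|[A-Za-z0-9]{2,}~[A-Za-z0-9~._-]{25,}'

# A secret keyword directly assigned a quoted literal of 8+ characters.
KEYWORD_ASSIGN="(client_secret|password|api[_-]?key|secret_key|private_key|token|bearer|credential)[A-Za-z0-9_]*[\"']?[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# Long base64/hex-like run, the table's "40+ alphanumeric chars" heuristic.
LONG_BLOB='[A-Za-z0-9+/~]{40,}'

scan_staged_diff() {
  # Reads a unified diff on stdin. Prints one "FILE: REASON" line per finding and
  # returns 1 if anything was found (block the commit), 0 if the diff is clean.
  local line file="" added found=0
  while IFS= read -r line; do
    case "$line" in
      '+++ b/'*)
        file="${line#+++ b/}"
        if printf '%s\n' "$file" | grep -qE "$BLOCKED_FILES"; then
          printf '%s: blocked filename\n' "$file"; found=1
        fi
        continue ;;
      '+++'*) continue ;;            # e.g. "+++ /dev/null"
      '+'*) added="${line#+}" ;;     # added line: scan it
      *) continue ;;                 # headers, context and removed (-) lines are skipped
    esac
    if printf '%s\n' "$added" | grep -qE "$PREFIXES"; then
      printf '%s: known credential format\n' "$file"; found=1
    elif printf '%s\n' "$added" | grep -qiE "$KEYWORD_ASSIGN"; then
      printf '%s: secret keyword assigned a literal value\n' "$file"; found=1
    elif printf '%s\n' "$added" | grep -qE "$LONG_BLOB"; then
      printf '%s: long credential-like string\n' "$file"; found=1
    fi
  done
  return "$found"
}

# Constructed sample diff: the values are made up and match the table's formats only.
SAMPLE_DIFF=$(cat <<'EOF'
diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = "sk-oldvalue00000000000000000000"
+API_KEY = os.environ["API_KEY"]
+AWS_KEY = "AKIAEXAMPLE0000EXAMP"
+db_password = "hunter2hunter2"
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+DB_PASSWORD=hunter2
diff --git a/deploy/settings.yaml b/deploy/settings.yaml
--- a/deploy/settings.yaml
+++ b/deploy/settings.yaml
@@ -1,2 +1,3 @@
 tenant: contoso
+client_id: 11111111-2222-3333-4444-555555555555
+client_secret: "Pl~8Q~abcdefghijklmnopqrstuvwxyz01234567"
diff --git a/src/client.js b/src/client.js
--- a/src/client.js
+++ b/src/client.js
@@ -1,2 +1,2 @@
-const gh = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
+const cached = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2ln";
EOF
)

# Demo on the constructed diff; in a hook, replace the printf with `git diff --cached`.
if findings=$(printf '%s\n' "$SAMPLE_DIFF" | scan_staged_diff); then
  echo "No secrets detected in staged changes."
else
  echo "SECRET DETECTED - BLOCKING COMMIT"
  printf '%s\n' "$findings"
  echo "Remove the secret, use environment variables, rotate it if already committed."
fi
```

On the sample diff the function reports `.env` as a blocked file name, the AKIA key and the `db_password` literal in `src/config.py`, the `~`-style secret in `deploy/settings.yaml` and the JWT in `src/client.js`, while the removed `sk-` and `ghp_` lines, the `os.environ` lookup and the plain `client_id` UUID stay quiet. As a hook, `git diff --cached | scan_staged_diff || exit 1` in `.git/hooks/pre-commit` turns the non-zero return into a blocked commit, which is the automatic scanning the closing suggestion asks for.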
After successful commit without pre-commit hooks installed:
"Consider adding a pre-commit hook for automatic secret scanning."