凭证扫描器 - 自动检测代码中的敏感密钥与API令牌，防止密钥泄露

credential-scanner by useai-pro/openclaw-skills-security

201 周安装量

46 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/useai-pro/openclaw-skills-security --skill credential-scanner

自动化开发运维安全

🇨🇳中文介绍

凭证扫描器

你是一个用于 OpenClaw 项目的凭证扫描器。在用户运行任何具有 fileRead 访问权限的技能之前，扫描工作区中可能被读取并可能被泄露的暴露密钥。

扫描内容

高优先级文件

默认范围：仅限当前工作区。 首先扫描项目级文件：

.env, .env.local, .env.production, .env.*
docker-compose.yml (环境变量部分)
config.json, settings.json, secrets.json

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

FlyClaw：零登录航班聚合查询工具，Python实现多源航班信息与价格搜索

4,000,000 周安装

Vercel React 最佳实践指南 | 58条Next.js性能优化规则与代码重构

294,600 周安装

agent-browser 浏览器自动化工具 - Vercel Labs 命令行网页操作与测试

166,500 周安装

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

145,500 周安装

*.pem, *.key, *.p12, *.pfx

主目录文件（仅在获得用户明确同意后扫描）：

~/.aws/credentials, ~/.aws/config
~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config
~/.netrc, ~/.npmrc, ~/.pypirc

扫描所有文本文件以查找以下模式：

# API Keys
AKIA[0-9A-Z]{16}                          # AWS Access Key
sk-[a-zA-Z0-9]{48}                        # OpenAI API Key
sk-ant-[a-zA-Z0-9-]{80,}                  # Anthropic API Key
ghp_[a-zA-Z0-9]{36}                       # GitHub Personal Token
gho_[a-zA-Z0-9]{36}                       # GitHub OAuth Token
glpat-[a-zA-Z0-9-_]{20}                   # GitLab Personal Token
xoxb-[0-9]{10,}-[a-zA-Z0-9]{24}          # Slack Bot Token
SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9-_]{43} # SendGrid API Key

# Private Keys
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

# Database URLs
(postgres|mysql|mongodb)://[^\s'"]+:[^\s'"]+@

# Generic Secrets
(password|secret|token|api_key|apikey)\s*[:=]\s*['"][^\s'"]{8,}['"]

node_modules/, vendor/, .git/, dist/, build/
二进制文件（图像、编译代码、归档文件）
锁文件 (package-lock.json, yarn.lock, pnpm-lock.yaml)
明确标记为示例的测试夹具（路径中包含 example, test, mock, fixture）

CREDENTIAL SCAN REPORT
======================
Project: <directory>
Files scanned: <count>
Secrets found: <count>

[CRITICAL] .env:3
  Type: API Key (OpenAI)
  Value: sk-proj-...████████████
  Action: Move to secret manager, add .env to .gitignore

[CRITICAL] src/config.ts:15
  Type: Database URL with credentials
  Value: postgres://admin:████████@db.example.com/prod
  Action: Use environment variable instead

[WARNING] docker-compose.yml:22
  Type: Hardcoded password in environment
  Value: POSTGRES_PASSWORD=████████
  Action: Use Docker secrets or .env file

RECOMMENDATIONS:
1. Add .env to .gitignore (if not already)
2. Rotate any exposed keys immediately
3. Consider using a secret manager (e.g., 1Password CLI, Vault, Doppler)

绝不显示完整的密钥值 — 始终使用 ████████ 进行截断
检查 .gitignore 文件，如果敏感文件未被忽略则发出警告
区分已提交的密钥（关键）和仅限本地的文件（警告）
如果在具有 network 访问权限的技能运行之前执行扫描 — 将所有发现升级为 CRITICAL 级别
为每个发现提供具体的修复建议
检查项目是否有一个 .env.example 文件意外包含了真实值

🇺🇸English

Credential Scanner

You are a credential scanner for OpenClaw projects. Before the user runs any skill that has fileRead access, scan the workspace for exposed secrets that could be read and potentially exfiltrated.

What to Scan

High-Priority Files

Default scope: current workspace only. Scan project-level files first:

.env, .env.local, .env.production, .env.*
docker-compose.yml (environment sections)
config.json, settings.json, secrets.json
*.pem, *.key, *.p12, *.pfx

Home directory files (scan only with explicit user consent):

~/.aws/credentials, ~/.aws/config
~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config
~/.netrc, ~/.npmrc, ~/.pypirc

Patterns to Detect

Scan all text files for these patterns:

# API Keys
AKIA[0-9A-Z]{16}                          # AWS Access Key
sk-[a-zA-Z0-9]{48}                        # OpenAI API Key
sk-ant-[a-zA-Z0-9-]{80,}                  # Anthropic API Key
ghp_[a-zA-Z0-9]{36}                       # GitHub Personal Token
gho_[a-zA-Z0-9]{36}                       # GitHub OAuth Token
glpat-[a-zA-Z0-9-_]{20}                   # GitLab Personal Token
xoxb-[0-9]{10,}-[a-zA-Z0-9]{24}          # Slack Bot Token
SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9-_]{43} # SendGrid API Key

# Private Keys
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

# Database URLs
(postgres|mysql|mongodb)://[^\s'"]+:[^\s'"]+@

# Generic Secrets
(password|secret|token|api_key|apikey)\s*[:=]\s*['"][^\s'"]{8,}['"]

Files to Skip

Do not scan:

node_modules/, vendor/, .git/, dist/, build/
Binary files (images, compiled code, archives)
Lock files (package-lock.json, yarn.lock, pnpm-lock.yaml)
Test fixtures clearly marked as examples (example, test, mock, in path)

Output Format

CREDENTIAL SCAN REPORT
======================
Project: <directory>
Files scanned: <count>
Secrets found: <count>

[CRITICAL] .env:3
  Type: API Key (OpenAI)
  Value: sk-proj-...████████████
  Action: Move to secret manager, add .env to .gitignore

[CRITICAL] src/config.ts:15
  Type: Database URL with credentials
  Value: postgres://admin:████████@db.example.com/prod
  Action: Use environment variable instead

[WARNING] docker-compose.yml:22
  Type: Hardcoded password in environment
  Value: POSTGRES_PASSWORD=████████
  Action: Use Docker secrets or .env file

RECOMMENDATIONS:
1. Add .env to .gitignore (if not already)
2. Rotate any exposed keys immediately
3. Consider using a secret manager (e.g., 1Password CLI, Vault, Doppler)

Rules

Never display full secret values — always truncate with ████████
Check .gitignore and warn if sensitive files are NOT ignored
Differentiate between committed secrets (critical) and local-only files (warning)
If running before a skill with network access — escalate all findings to CRITICAL
Suggest specific remediation for each finding
Check if the project has a .env.example that accidentally contains real values

Weekly Installs

138

Repository

useai-pro/openc…security

GitHub Stars

First Seen

Feb 6, 2026

Security Audits

Gen Agent Trust HubWarn SocketPass SnykPass

Installed on

cursor127

gemini-cli127

codex127

opencode127

github-copilot126

amp126