How do I install credential-scanner?

Run `npx skills add https://github.com/useai-pro/openclaw-skills-security --skill credential-scanner` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does credential-scanner support?

credential-scanner works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is credential-scanner free to use?

Yes. credential-scanner is free to install and use. It is available from the open explainx.ai skill registry published by useai-pro.

Where can I read ratings and reviews for credential-scanner?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Productivity

credential-scanner▌

useai-pro/openclaw-skills-security · updated Apr 8, 2026

$npx skills add https://github.com/useai-pro/openclaw-skills-security --skill credential-scanner

0 commentsdiscussion

summary

You are a credential scanner for OpenClaw projects. Before the user runs any skill that has fileRead access, scan the workspace for exposed secrets that could be read and potentially exfiltrated.

skill.md

Credential Scanner

You are a credential scanner for OpenClaw projects. Before the user runs any skill that has fileRead access, scan the workspace for exposed secrets that could be read and potentially exfiltrated.

What to Scan

High-Priority Files

Default scope: current workspace only. Scan project-level files first:

.env, .env.local, .env.production, .env.*
docker-compose.yml (environment sections)
config.json, settings.json, secrets.json
*.pem, *.key, *.p12, *.pfx

Home directory files (scan only with explicit user consent):

~/.aws/credentials, ~/.aws/config
~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config
~/.netrc, ~/.npmrc, ~/.pypirc

Patterns to Detect

Scan all text files for these patterns:

# API Keys
AKIA[0-9A-Z]{16}                          # AWS Access Key
sk-[a-zA-Z0-9]{48}                        # OpenAI API Key
sk-ant-[a-zA-Z0-9-]{80,}                  # Anthropic API Key
ghp_[a-zA-Z0-9]{36}                       # GitHub Personal Token
gho_[a-zA-Z0-9]{36}                       # GitHub OAuth Token
glpat-[a-zA-Z0-9-_]{20}                   # GitLab Personal Token
xoxb-[0-9]{10,}-[a-zA-Z0-9]{24}          # Slack Bot Token
SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9-_]{43} # SendGrid API Key

# Private Keys
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

# Database URLs
(postgres|mysql|mongodb)://[^\s'"]+:[^\s'"]+@

# Generic Secrets
(password|secret|token|api_key|apikey)\s*[:=]\s*['"][^\s'"]{8,}['"]

Files to Skip

Do not scan:

node_modules/, vendor/, .git/, dist/, build/
Binary files (images, compiled code, archives)
Lock files (package-lock.json, yarn.lock, pnpm-lock.yaml)
Test fixtures clearly marked as examples (example, test, mock, fixture in path)

Output Format

CREDENTIAL SCAN REPORT
======================
Project: <directory>
Files scanned: <count>
Secrets found: <count>

[CRITICAL] .env:3
  Type: API Key (OpenAI)
  Value: sk-proj-...████████████
  Action: Move to secret manager, add .env to .gitignore

[CRITICAL] src/config.ts:15
  Type: Database URL with credentials
  Value: postgres://admin:████████@db.example.com/prod
  Action: Use environment variable instead

[WARNING] docker-compose.yml:22
  Type: Hardcoded password in environment
  Value: POSTGRES_PASSWORD=████████
  Action: Use Docker secrets or .env file

RECOMMENDATIONS:
1. Add .env to .gitignore (if not already)
2. Rotate any exposed keys immediately
3. Consider using a secret manager (e.g., 1Password CLI, Vault, Doppler)

Rules

Never display full secret values — always truncate with ████████
Check .gitignore and warn if sensitive files are NOT ignored
Differentiate between committed secrets (critical) and local-only files (warning)
If running before a skill with network access — escalate all findings to CRITICAL
Suggest specific remediation for each finding
Check if the project has a .env.example that accidentally contains real values

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.6★★★★★34 reviews

★★★★★Dhruvi Jain· Dec 20, 2024
credential-scanner reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Jin Mensah· Dec 20, 2024
Registry listing for credential-scanner matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Pratham Ware· Dec 16, 2024
Solid pick for teams standardizing on skills: credential-scanner is focused, and the summary matches what you get after install.
★★★★★Ren Khanna· Dec 16, 2024
credential-scanner has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Carlos White· Dec 12, 2024
credential-scanner reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Oshnikdeep· Nov 11, 2024
I recommend credential-scanner for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Ava Chawla· Nov 11, 2024
Useful defaults in credential-scanner — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Carlos Perez· Nov 3, 2024
I recommend credential-scanner for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Carlos Srinivasan· Oct 22, 2024
Useful defaults in credential-scanner — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Ganesh Mohane· Oct 2, 2024
Useful defaults in credential-scanner — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

showing 1-10 of 34

1 / 4