// Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
Automatic code quality and best practices analysis. Use proactively when files are modified, saved, or committed. Analyzes code style, patterns, potential bugs, and security basics. Triggers on file changes, git diff, code edits, quality mentions.
Generate conventional commit messages automatically. Use when user runs git commit, stages changes, or asks for commit message help. Analyzes git diff to create clear, descriptive conventional commit messages. Triggers on git commit, staged changes, commit message requests.
Automatically suggest tests for new functions and components. Use when new code is written, functions added, or user mentions testing. Creates test scaffolding with Jest, Vitest, Pytest patterns. Triggers on new functions, components, test requests, testing mentions.
Auto-generate API documentation from code and comments. Use when API endpoints change, or user mentions API docs. Creates OpenAPI/Swagger specs from code. Triggers on API file changes, documentation requests, endpoint additions.
Keep README files current with project changes. Use when project structure changes, features added, or setup instructions modified. Suggests README updates based on code changes. Triggers on significant project changes, new features, dependency changes.
Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
| name | secret-scanner |
| description | Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications. |
| allowed-tools | Read, Grep |
Prevent accidental secret exposure in your codebase.
// You type:
const apiKey = 'sk_live_1234567890abcdef';
// I immediately alert:
🚨 CRITICAL: Exposed Stripe API key detected!
📍 File: config.js, Line 3
🔧 Fix: Use environment variables
const apiKey = process.env.STRIPE_API_KEY;
📖 Add to .gitignore: .env
# You type:
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
# I alert:
🚨 CRITICAL: AWS access key exposed!
📍 File: aws_config.py, Line 1
🔧 Fix: Use AWS credentials file or environment variables
aws_access_key = os.getenv("AWS_ACCESS_KEY_ID")
📖 Never commit AWS credentials
# You type in docker-compose.yml:
environment:
DB_PASSWORD: "mySecretPassword123"
# I alert:
🚨 CRITICAL: Database password in configuration file!
📍 File: docker-compose.yml, Line 5
🔧 Fix: Use .env file
DB_PASSWORD: ${DB_PASSWORD}
📖 Add .env to .gitignore
High Confidence:
Medium Confidence:
Low Confidence (Flagged for Review):
# Before commit, I scan:
git add .
git commit
# I block if secrets found:
🚨 CRITICAL: Cannot commit - secrets detected!
📍 3 secrets found:
- config.js:12 - API key
- .env:5 - Database password (in gitignore - OK)
- auth.js:45 - JWT secret
❌ Commit blocked - remove secrets first
I check if sensitive files are in .gitignore:
✅ .env - In .gitignore (good)
⚠️ config/secrets.json - NOT in .gitignore (add it!)
✅ .aws/credentials - In .gitignore (good)
// I understand these are examples:
// Example: const apiKey = 'your_api_key_here';
// TODO: Add your API key from environment
// Test fixtures are OK (but flagged for review):
const mockApiKey = 'sk_test_1234567890abcdef'; // ✅ Test key
<!-- Documentation examples are flagged but low priority -->
Set your API key: `export API_KEY=your_key_here`
secret-scanner (me): Exposed secrets and credentials security-auditor: Code vulnerability patterns
secret-scanner: Finds hardcoded API key
security-auditor: Finds how the key is used insecurely
Combined: Complete security picture
// Before:
const apiKey = 'sk_live_abc123';
// After:
const apiKey = process.env.API_KEY;
// .env file (add to .gitignore):
API_KEY=sk_live_abc123
// AWS Secrets Manager
const AWS = require('aws-sdk');
const secrets = new AWS.SecretsManager();
const secret = await secrets.getSecretValue({ SecretId: 'myApiKey' }).promise();
# docker-compose.yml
services:
app:
environment:
- API_KEY=${API_KEY} # From .env file
# .env (gitignored)
API_KEY=sk_live_abc123
Works without sandboxing: ✅ Yes (recommended) Works with sandboxing: ✅ Yes
Add company-specific secret patterns:
cp -r ~/.claude/skills/security/secret-scanner \
~/.claude/skills/security/company-secret-scanner
# Edit SKILL.md to add:
# - Internal API key formats
# - Company-specific secret patterns
# - Custom detection rules
git filter-branch --force --index-filter \
"git rm --cached --ignore-unmatch config/secrets.json" \
--prune-empty --tag-name-filter cat -- --all