一键导入
secret-scan
Catch hardcoded secrets, keys, and tokens before they get committed. Use before any commit and on any file with credentials.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Catch hardcoded secrets, keys, and tokens before they get committed. Use before any commit and on any file with credentials.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Review a diff against the goal spec assuming the code is BROKEN. The reviewer that lives in the maker's head always agrees with itself — this pulls review into a hostile, separate pass. Invoke after every code change before marking work done.
Verify that an endpoint checks ownership, not just authentication. Use on any handler that reads or mutates user data.
Find the exact commit that introduced a bug. Use when something worked before and broke, and you don't know which change did it.
Turn a set of commits or a diff into a clean, user-facing changelog entry. Use before a release or PR description.
Turn messy WIP into clean, atomic commits with messages that explain why. Use before opening a PR.
Keep the agent's context lean so accuracy doesn't collapse. Use on long sessions, big files, or when the agent starts hallucinating.
| name | secret-scan |
| description | Catch hardcoded secrets, keys, and tokens before they get committed. Use before any commit and on any file with credentials. |
| when_to_use | before commit, files with API keys, .env handling, config, connection strings |
Grep the diff for: api[_-]?key, secret, token, password, BEGIN PRIVATE KEY, AKIA[0-9A-Z]{16}, sk-, ghp_, bearer values, and long base64/hex blobs.
For each hit: is it a real secret or a placeholder? Real secrets:
.gitignore / a pre-commit secret scanner.
Output: file:line of every real secret + the rotation step. A deleted secret in git history is still leaked.