OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry check-secrets

Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/check-secrets" ~/.claude/skills/majiayu000-claude-skill-registry-check-secrets && rm -rf "$T"
manifest: skills/data/check-secrets/SKILL.md
tags
#secret-detection#security-check#code-scanning#sensitive-data
source content

check-secrets

Scan the codebase for potential secret leaks before commits.

Trigger Examples

  • "Check for secrets"
  • "Scan for leaks"
  • "Security check"
  • "Are there any hardcoded secrets?"

Execution Flow

1. Define Detection Patterns

High-risk patterns:

  • API keys: 
    ['\"]?[A-Z0-9_]{20,}['\"]?
  • Bearer tokens: 
    Bearer\s+[A-Za-z0-9\-._~+/]+=*
  • Private keys: 
    -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
  • OAuth secrets: 
    client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}
  • GCP service account keys: 
    "type":\s*"service_account"
  • AWS credentials: 
    AKIA[0-9A-Z]{16}

Project-specific patterns:

  • Hardcoded project IDs: 
    koborin-ai
    (outside of variable assignments or docs)
  • Email addresses: 
    @koborin\.ai

Safe patterns (excluded):

  • Environment variable references: 
    process.env.
    , 
    $\{
    , 
    TF_VAR_
  • Placeholder values: 
    <PROJECT_ID>
    , 
    YOUR_API_KEY
    , 
    dummy
    , 
    example
  • Test fixtures: files under 
    __tests__/
    , 
    *.test.ts
    , 
    *.spec.ts

2. Scan the Codebase

Use 

git ls-files
to get tracked files:

git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'

3. Filter False Positives

Remove known safe occurrences:

  • Lines containing 
    process.env.
    or 
    TF_VAR_
  • Template files (
    .env.example
    , 
    .env.template
    )
  • Lines with placeholder patterns (
    <...>
    , 
    YOUR_...
    , 
    REPLACE_ME
    )

4. Categorize Findings

Critical (immediate action required):

  • Private keys, service account JSON
  • Hardcoded passwords or tokens
  • Real API keys with valid format

Warning (review recommended):

  • Suspicious long strings that might be keys
  • Hardcoded project IDs outside infrastructure code

Info (low risk):

  • Company name in unexpected places
  • Domain references in application code

5. Display Results

CRITICAL: Potential private key detected
  File: infra/shared/main.tf
  Line: 42
  Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
  File: app/src/lib/api-client.ts
  Line: 15
  Match: const PROJECT = "koborin-ai"

Summary:
- Critical: 1 finding(s)
- Warning: 1 finding(s)

Review these findings before committing.

Project-Specific Rules

For 

koborin-ai
:

  • Allow 
    koborin-ai
    in 
    infra/
    and 
    README.md
  • Flag it in 
    app/src/
    unless from environment variable
  • Allow email addresses in documentation
  • Flag GCP project IDs when hardcoded outside Pulumi config

Notes

  • This is static analysis only; cannot detect runtime-loaded secrets
  • Always review findings manually
  • Run before every commit
  • Never commit real secrets even if undetected