pre-push-security-scan
[Iron rule] A security scan that must run before every git push. It prevents API keys, tokens, passwords, private keys and other sensitive data from being pushed to a remote repository. Applies to every git push, gh pr create, and code-sync scenario.
Best use case
pre-push-security-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using pre-push-security-scan should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/pre-push-security-scan/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
Frequently Asked Questions
What does this skill do?
[Iron rule] A security scan that must run before every git push. It prevents API keys, tokens, passwords, private keys and other sensitive data from being pushed to a remote repository. Applies to every git push, gh pr create, and code-sync scenario.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 🔒 Pre-Push Security Scan (Iron Rule)
> **Lesson from 2026-03-04**: the AGI-Super-Skills repository was pushed without a scan, and 12 real secrets (a Feishu App Secret, a Gateway Token, a Telegram Bot Token, an SSH password and others) leaked into public Git history. The cleanup meant rewriting history with git-filter-repo and rotating every one of them, at great cost.
>
> **From now on, the scan procedure in this skill must run before any git push. No exceptions.**
## Trigger conditions
The following operations **must** be preceded by the security scan:
- `git push` (any branch)
- `git push --force`
- `gh pr create`
- any operation that syncs code to a remote repository
- cron auto-sync jobs
## Scan procedure (three layers)
### Layer 1: scan the staged changes / the diff about to be pushed
```bash
# List the commits that will be pushed (compared with the upstream branch);
# without an upstream (new branch) fall back to the last 5 commits.
git log --oneline @{u}..HEAD 2>/dev/null || git log --oneline -5
# Grep the same range for sensitive patterns; the second grep drops known placeholders.
# Same fallback as above: a missing upstream must not silently produce "0 matches".
# Caveat: the placeholder filter also hides any line containing "example", so a real
# key on the same line as an example.com URL would be missed.
{ git diff @{u}..HEAD 2>/dev/null || git diff HEAD~5..HEAD; } | grep -inE \
  '(api[_-]?key|secret|token|password|passwd|credential|private[_-]?key|auth)' \
  | grep -v 'REDACTED\|YOUR_.*_HERE\|placeholder\|example\|TODO\|xxx' \
  | head -30
```
### Layer 2: scan every file in the working tree
```bash
# High-risk token formats (the .git directory and known placeholders are skipped).
grep -rnI --include='*.json' --include='*.md' --include='*.yaml' --include='*.yml' \
  --include='*.sh' --include='*.py' --include='*.js' --include='*.ts' --include='*.env' \
  --include='*.toml' --include='*.conf' --include='*.cfg' \
  -E '(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|xoxb-|xoxp-|AIza[a-zA-Z0-9_-]{35}|AKIA[A-Z0-9]{16})' \
  . --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=venv \
  | grep -v 'REDACTED\|YOUR_.*_HERE\|placeholder\|example\|sk-xxx' \
  | head -30
# Compare against the real secrets held in the pass store: pull each known value
# and check whether it appears verbatim anywhere in the tree.
# Only runs where pass is installed. Replace api/your-provider with your own entries.
if command -v pass &>/dev/null; then
  for key_path in api/your-provider api/firecrawl api/deepseek; do
    key_val=$(pass show "$key_path" 2>/dev/null | head -1)
    if [ -n "$key_val" ] && [ ${#key_val} -gt 8 ]; then
      # -F matches the literal value rather than a regex (secrets often contain . + / =);
      # "--" keeps a value that starts with "-" from being read as an option.
      found=$(grep -rnlF --exclude-dir=.git --exclude-dir=node_modules -- "$key_val" . 2>/dev/null)
      if [ -n "$found" ]; then
        echo "🚨 LEAKED: $key_path found in: $found"
      fi
    fi
  done
fi
```
### Layer 3: scan recent Git history for newly added sensitive content
```bash
# Scan the full patch of the last N commits; only added lines (leading +) count.
git log -p -10 2>/dev/null | grep -inE \
  '^\+.*(api[_-]?key|secret|token|password|private[_-]?key)\s*[:=]' \
  | grep -v 'REDACTED\|YOUR_.*_HERE\|placeholder\|example' \
  | head -20
```
## Verdict
| Result | Action |
|------|------|
| Layers 1-3 all return 0 matches | ✅ Safe, push may proceed |
| Any layer returns a match | ❌ **Stop the push** and review each match |
| A match is a placeholder or example value | ✅ Push may proceed once that is confirmed |
| A match is a real secret | 🚨 **Remove it immediately**; replace it with a `pass show` call or a placeholder |
## Remediation after a leak is found
```bash
# 1. Install git-filter-repo
pip install --user --break-system-packages git-filter-repo
# 2. Write the replacement file (one rule per line: real_value==>REDACTED_description).
#    git-filter-repo matches these lines literally, so regex characters in a secret are safe.
cat > /tmp/replacements.txt << 'EOF'
actual_secret_value==>REDACTED_SERVICE_NAME
EOF
# 3. Run the rewrite in a fresh clone of the repository
git filter-repo --replace-text /tmp/replacements.txt --force
rm -f /tmp/replacements.txt   # it holds the real values in plaintext
# 4. Force push. git-filter-repo deliberately removes the origin remote, so re-add it;
#    push tags too, since they point at rewritten history. Collaborators must re-clone.
git remote add origin <repo-url>
git push --force --all
git push --force --tags
# 5. Rotate every leaked secret (most important! cleaning history only protects future
#    clones; existing clones, forks and caches may still hold the old value, so a leaked
#    secret must be replaced no matter what)
```
## Known sensitive patterns (kept up to date)
```
# API keys
sk-[a-zA-Z0-9]{20,}                 # OpenAI and compatible formats
ghp_[a-zA-Z0-9]{36}                 # GitHub personal access token (classic)
ghu_[a-zA-Z0-9]{36}                 # GitHub App user-to-server token (gho_, ghs_, ghr_ use the same shape)
xoxb-                               # Slack bot token
xoxp-                               # Slack user token
AIza[a-zA-Z0-9_-]{35}               # Google API key
AKIA[A-Z0-9]{16}                    # AWS access key ID
# Feishu
cli_[a-f0-9]{16}                    # Feishu App ID (harmless on its own, but must not be hard-coded)
[a-zA-Z0-9]{32}                     # Feishu App Secret (judge from context)
# Telegram
[0-9]{8,10}:AA[a-zA-Z0-9_-]{33,35}  # Telegram bot token
# Gateway
[a-f0-9]{48}                        # OpenClaw Gateway token (judge from context)
# Generic
password\s*[:=]\s*\S+
private_key\s*[:=]
-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----   # RSA/EC/OPENSSH/DSA/ENCRYPTED headers and PGP PRIVATE KEY BLOCK
```
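The three scan layers, the verdict table and the pattern list above all reduce to one operation: take the added lines of a diff, match them against the patterns, let placeholders through for confirmation, and decide. The scanner below is an added example written for this page; it is not part of the skill or of the AGI-Super-Skills project. It reads diff text as produced by Layer 1 or Layer 3, applies the pattern list, and only reports the two "judge from context" formats (32-character Feishu secret, 48-hex Gateway token) when a credential keyword sits on the same line and the value is high-entropy. The Layer 2 comparison against `pass show` output is modelled as a `known_secrets` tuple. The sample diff, the `KNOWN_SECRETS` value, the entropy threshold and every function name are constructed for the example.

```python
"""Diff-level secret scanner implementing the pattern list, the placeholder
allow-list, the context rule for ambiguous formats, the known-secret comparison
and the verdict table. Added example; all sample data is constructed."""
import math
import re
from dataclasses import dataclass

# Placeholder markers the skill lets through (the grep -v lists in Layers 1-3).
PLACEHOLDER_RE = re.compile(r"REDACTED|YOUR_[A-Z_]*_HERE|placeholder|example|TODO|xxx", re.I)

# Self-identifying token formats: a match is a finding on its own.
STRONG_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[bp]-[A-Za-z0-9-]{10,}"),
    "google_api_key": re.compile(r"\bAIza[A-Za-z0-9_-]{35}\b"),
    "aws_access_key": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "telegram_bot_token": re.compile(r"\b[0-9]{8,10}:AA[A-Za-z0-9_-]{33,35}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----"),
}

# Ambiguous formats: reported only when a credential keyword is on the same line
# AND the value looks random. The last group (or the whole match) is the value.
CREDENTIAL_KEYWORD = re.compile(r"(?i)api[_-]?key|secret|token|password|passwd|credential|private[_-]?key")
CONTEXT_PATTERNS = {
    "feishu_app_secret": re.compile(r"\b[A-Za-z0-9]{32}\b"),
    "gateway_token": re.compile(r"\b[a-f0-9]{48}\b"),
    "generic_assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token|password|passwd|private[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9_\-/+=]{16,})"""),
}
MIN_ENTROPY_BITS = 3.0  # assumption: random 32/48-char secrets score roughly 4-5 bits/char


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line within the diff text
    rule: str
    verdict: str   # "block" or "placeholder"
    line: str


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-character string."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))


def scan_diff(diff_text: str, known_secrets=()) -> list[Finding]:
    """Scan only added lines ('+' prefix, excluding the '+++ b/file' header)."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        if any(s and s in body for s in known_secrets):
            rule = "known_secret"   # a known real value never counts as a placeholder
        else:
            rule = next((name for name, rx in STRONG_PATTERNS.items() if rx.search(body)), None)
            if rule is None and CREDENTIAL_KEYWORD.search(body):
                for name, rx in CONTEXT_PATTERNS.items():
                    m = rx.search(body)
                    if m and shannon_entropy(m.group(m.lastindex or 0)) >= MIN_ENTROPY_BITS:
                        rule = name
                        break
        if rule is None:
            continue
        verdict = "placeholder" if rule != "known_secret" and PLACEHOLDER_RE.search(body) else "block"
        findings.append(Finding(n, rule, verdict, body))
    return findings


def push_verdict(findings) -> str:
    """Verdict table: no matches -> safe; only placeholders -> confirm; any real hit -> block."""
    if not findings:
        return "safe"
    if all(f.verdict == "placeholder" for f in findings):
        return "confirm"
    return "block"


# Constructed sample diff: one placeholder, one context-only hit, one commit hash that
# must NOT fire, one value that only the known-secret comparison can catch.
SAMPLE_DIFF = """\
diff --git a/config.yaml b/config.yaml
--- a/config.yaml
+++ b/config.yaml
@@ -1,3 +1,9 @@
 service: bot
-feishu_app_secret: REDACTED
+feishu_app_secret: Q7vK2pL9xR4mT8nB3wZ6yH1cJ5dF0gA2
+openai_api_key: sk-REDACTEDREDACTEDREDACTEDREDACTED
+github_token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
+aws_access_key_id: AKIAQ3MZ7PL2RX8TB5VW
+last_commit: 3f2a1b4c5d6e7f8091a2b3c4d5e6f7a8
+SSH_LOGIN_NOTE: use hunter2-gateway-pw for the jump host
+-----BEGIN OPENSSH PRIVATE KEY-----
"""
KNOWN_SECRETS = ("hunter2-gateway-pw",)   # constructed stand-in for `pass show` output

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF, KNOWN_SECRETS)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} -> {f.verdict}")
    print("verdict:", push_verdict(hits))
```

In use, feed it the output of `git diff @{u}..HEAD` (Layer 1) or `git log -p` (Layer 3) and pass the values from `pass show` as `known_secrets`. Two design points differ from the plain grep pipeline: a placeholder line is still returned as a finding marked `placeholder` rather than silently filtered, so the "confirm, then push" row of the verdict table is an explicit step, and the commit hash on the `last_commit` line is not reported because no credential keyword accompanies it, which is what "judge from context" means in practice.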
## Automation
### Git hook (recommended)
Put the following in the repository's `.git/hooks/pre-push` and make it executable (`chmod +x`). Hooks under `.git/hooks` are not versioned; to share one across a team, commit it to a directory and point `git config core.hooksPath` at that directory. Note that `git push --no-verify` skips the hook, so it is a safety net, not a substitute for the scan procedure.
```bash
#!/bin/bash
# Pre-push hook: security scan.
# Git feeds one line per ref being pushed on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
# An all-zero sha means the ref does not exist on that side (new or deleted branch).
echo "🔒 Running pre-push security scan..."
zero=$(git hash-object --stdin </dev/null | tr '[0-9a-f]' '0')
issues=0
while read -r local_ref local_sha remote_ref remote_sha; do
  [ "$local_sha" = "$zero" ] && continue            # deleting a remote branch: nothing to scan
  if [ "$remote_sha" = "$zero" ]; then
    range="$local_sha --not --remotes"               # new branch: commits not on any remote yet
  else
    range="$remote_sha..$local_sha"                  # update: only the commits being added
  fi
  # Added lines only; grep -c prints 0 when nothing matches, so $n is always a number.
  n=$(git log -p --format='' $range | grep -icE \
    "^\\+.*(api[_-]?key|secret|token|password|private[_-]?key)\\s*[:=]\\s*[\"']?[a-zA-Z0-9_-]{16,}")
  issues=$((issues + n))
done
if [ "$issues" -gt 0 ]; then
  echo "🚨 Found $issues potential secret(s) in push. Aborting."
  echo "Run the security scan skill for details."
  exit 1
fi
echo "✅ No secrets detected. Proceeding with push."
```
### Cron sync jobs
Every automated sync cron job (for example the AGI-Super-Skills sync) **must** run the Layer 1 + Layer 2 scans before pushing.
## Lessons learned
| Date | Incident | Impact | Cost of fix |
|------|------|------|----------|
| 2026-02-05 | API key hard-coded in a public repository | key leaked | key rotation |
| 2026-03-04 | AGI-Super-Skills push carried 12 real secrets | Feishu, Telegram, Gateway and SSH credentials all leaked | git-filter-repo rewrite plus rotation of everything |
**Two lessons. There will not be a third.**
字流(Ziliu) - AI驱动的多平台内容分发工具。用于一次创作、智能适配排版、一键分发到16+平台(公众号/知乎/小红书/B站/抖音/微博/X等)。当用户需要多平台发布、内容排版、格式适配时使用。触发词:字流、ziliu、多平台发布、一键分发、内容分发、排版发布。