aws-secrets-scanner

Detect hardcoded secrets, exposed API keys, and credential misconfigurations in IaC and config files

3,891 stars

Best use case

aws-secrets-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using aws-secrets-scanner should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/secrets-scanner/SKILL.md --create-dirs "https://raw.githubusercontent.com/openclaw/skills/main/skills/anmolnagpal/secrets-scanner/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub and read it before installing: it is a plain-text instruction file your agent will follow, so treat it like any other third-party code
  2. Place it in .claude/skills/secrets-scanner/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How aws-secrets-scanner Compares

Feature / Agent         | aws-secrets-scanner | Standard Approach
Platform Support        | Not specified       | Limited / Varies
Context Awareness       | High                | Baseline
Installation Complexity | Unknown             | N/A

Frequently Asked Questions

What does this skill do?

Detect hardcoded secrets, exposed API keys, and credential misconfigurations in IaC and config files

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# AWS Secrets & Credential Exposure Scanner

You are an AWS secrets security expert. Hardcoded credentials are a critical breach risk — find them before attackers do.

> **This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.**

## Required Inputs

Ask the user to provide **one or more** of the following (the more provided, the better the analysis):

1. **IaC files to scan** — Terraform HCL, CloudFormation YAML, CDK code, or config files
   ```
   How to provide: paste the file contents directly (remove any actual secret values first)
   ```
2. **Lambda function environment variable names** — keys only, not values. The command below lists just the keys; querying `Environment.Variables` itself returns every value in plaintext, which is exactly why secrets do not belong there (anyone holding `lambda:GetFunctionConfiguration` can read them)
   ```bash
   aws lambda get-function-configuration \
     --function-name my-function \
     --query 'keys(Environment.Variables || `{}`)' \
     --output json
   ```
3. **ECS task definition environment variable keys** — to identify where secrets are stored. `SecretRefs` lists the variables already injected from Secrets Manager or Parameter Store through `secrets[].valueFrom`, so only the names under `Env` need attention
   ```bash
   aws ecs describe-task-definition \
     --task-definition my-task \
     --query 'taskDefinition.containerDefinitions[].{Name:name,Env:environment[].name,SecretRefs:secrets[].name}' \
     --output json
   ```

**Minimum IAM permissions for the read-only CLI commands above** (`ssm:DescribeParameters` is not needed by those two commands; it is included so the same policy can also list Parameter Store parameter names, which returns metadata only, never values):
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["lambda:GetFunctionConfiguration", "ecs:DescribeTaskDefinition", "ssm:DescribeParameters"],
    "Resource": "*"
  }]
}
```

If the user cannot provide any data, ask them to describe their codebase (languages, IaC tools, config formats); Claude will then provide a scanning checklist and the patterns to search for.

## Secret Types to Detect
- AWS Access Key IDs (pattern: `AKIA[0-9A-Z]{16}`; temporary STS credentials use the `ASIA` prefix instead and come with a session token)
- AWS Secret Access Keys (40 characters from `[A-Za-z0-9/+]`, no fixed prefix; look for them next to `aws_secret_access_key`-style names or via entropy)
- Database connection strings with embedded passwords (`scheme://user:password@host`)
- API keys: Stripe (`sk_live_`), Twilio API key SIDs (`SK` followed by 32 hex characters), SendGrid (`SG.`), Slack incoming webhooks (`https://hooks.slack.com/services/`)
- Private keys (`-----BEGIN RSA PRIVATE KEY-----`, plus the `EC`, `DSA`, `OPENSSH` and unqualified PKCS#8 `PRIVATE KEY` headers)
- JWT secrets and signing keys (no fixed format; rely on variable names and entropy)
- Hardcoded passwords in environment variable declarations

## Steps
1. Scan provided files for secret patterns and high-entropy strings
2. Classify each finding by secret type and severity
3. Estimate blast radius per exposed credential
4. Generate migration plan to AWS Secrets Manager / Parameter Store
5. Recommend git history remediation if secrets are in committed files

## Output Format
- **Critical Findings**: secrets with active credential risk
- **Findings Table**: file, line, secret type, severity, blast radius
- **Migration Plan**: AWS Secrets Manager config per secret type with SDK code snippet
- **Git Remediation**: BFG Repo-Cleaner or git-filter-repo commands if in git history
- **Prevention**: pre-commit hook config + AWS CodeGuru Secrets detector setup
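The following is an added example, not the skill's own code and not part of the openclaw/skills project: a small Python scanner that implements the secret-type patterns and steps 1 to 3 above, plus the pre-commit use named under Prevention. It scans a constructed Terraform fragment and a constructed `git diff --cached` hunk, records each finding by file and line only (the skill's first rule), and falls back to a Shannon-entropy check for long tokens that match no known prefix. The AKIA/secret pair in the sample is the example pair printed in AWS's own documentation; every other value, name and path is invented.

```python
import math
import re
from collections import namedtuple

# A finding records where a secret is, never what it is (skill rule: location only).
Finding = namedtuple("Finding", "file line kind severity blast_radius")
# (kind, severity, regex, blast-radius note), most specific first; first match per line wins.
PATTERNS = [
    ("AWS access key ID", "critical", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
     "every API the principal's IAM policies allow (ASIA = temporary key)"),
    ("AWS secret access key", "critical",
     re.compile(r"(?i)aws\w{0,20}secret\w{0,20}\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"),
     "with its key ID, full signing capability for that principal"),
    ("Private key block", "critical", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
     "every host or service that trusts the public half"),
    ("Stripe live secret key", "critical", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
     "the Stripe account: charges, refunds, customer PII"),
    ("Slack incoming webhook", "high",
     re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
     "post arbitrary messages into the target channel"),
    ("Connection string with embedded password", "high",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:\s/]+:[^@\s]+@"),
     "the datastore and everything that trusts its contents"),
    ("Hardcoded password in assignment", "medium",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]?[^'\"\s]{8,}"),
     "whatever accepts that password; locate its consumer to confirm"),
]

# Fallback for secrets with no recognisable prefix (JWT secrets, random API keys):
# long tokens whose Shannon entropy looks random. 4.0 bits/char is the ceiling for
# hex; lowering it catches more hex-encoded secrets but starts flagging long ARNs.
TOKEN_RE = re.compile(r"[A-Za-z0-9/+=_\-]{32,}")
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(token):
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in (token.count(ch) for ch in set(token)))


def scan_text(path, text):
    """Steps 1-3 of the skill: pattern scan, classify, attach a blast-radius note."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = next(((k, s, b) for k, s, rx, b in PATTERNS if rx.search(line)), None)
        if hit:
            findings.append(Finding(path, lineno, *hit))
        elif any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN_RE.findall(line)):
            findings.append(Finding(path, lineno, "High-entropy string", "medium",
                                    "unknown until the value's consumer is identified"))
    return findings


def scan_diff(diff_text):
    """Pre-commit use: scan only the ADDED lines of `git diff --cached`, mapping each
    to its file and new-file line number from the @@ hunk headers."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            findings += [f._replace(file=path, line=lineno) for f in scan_text(path, raw[1:])]
            lineno += 1
        elif not raw.startswith("-"):  # context line; removed lines are not in the new file
            lineno += 1
    return findings


# Constructed Terraform fragment. The AKIA/secret pair is the example pair from AWS's
# own documentation; all else is invented. ROLE_ARN is a long identifier that must NOT be flagged.
SAMPLE_TF = """\
resource "aws_lambda_function" "api" {
  environment {
    variables = {
      AWS_ACCESS_KEY_ID     = "AKIAIOSFODNN7EXAMPLE"
      AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
      DATABASE_URL          = "postgres://app:hunter2pass@db.internal:5432/orders"
      STRIPE_KEY            = "sk_live_0123456789abcdefghijklmn"
      JWT_SIGNING_KEY       = "Zq8vT3nLk9Pw2xYb5Hc7Rm1Jd4Fs6Gt0"
      ROLE_ARN              = "arn:aws:iam::123456789012:role/orders-api-lambda-execution-role"
    }
  }
}
"""

# Constructed staged diff: a webhook URL and a password added to a YAML config.
SAMPLE_DIFF = """\
+++ b/config/app.yaml
@@ -3,3 +3,4 @@ notifications:
   channel: "#alerts"
-  webhook: "${SLACK_WEBHOOK}"
+  webhook: "https://hooks.slack.com/services/T00000000/B00000000/constructedSampleToken1"
+  password: "n0t-a-real-passw0rd"
   retries: 3
"""

if __name__ == "__main__":
    for finding in scan_text("main.tf", SAMPLE_TF) + scan_diff(SAMPLE_DIFF):
        print(finding)  # safe to print: a Finding never carries the matched value
```

Wired into a pre-commit hook, `scan_diff` should fail the commit on any finding; the blast-radius note is a starting point for step 3 and still needs the IAM policies or consumers of each credential to be checked by hand.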

## Rules
- Never output the actual secret value — reference by location only
- Estimate blast radius: what AWS services/accounts could be accessed with this credential?
- Flag Lambda environment variables storing secrets — should use Secrets Manager references
- Recommend rotating any found credentials immediately
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing
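The Lambda-side half of the migration the skill recommends (the Migration Plan output and the rule on Lambda environment variables above), as an added example that is not the skill's or the project's own code: the function's environment carries only the secret's name or ARN under an assumed `DB_SECRET_ID` variable, the value is fetched from Secrets Manager at runtime through boto3's real `get_secret_value(SecretId=...)` call, and the parsed result is cached across warm invocations. The client is injected so the block runs offline against a constructed stand-in; with a real client the execution role additionally needs `secretsmanager:GetSecretValue` on that secret's ARN (and `kms:Decrypt` on the key if the secret is encrypted with a customer-managed KMS key).

```python
import json
import os

# Module-scope cache: survives warm invocations of one execution environment, so a
# cold start pays one GetSecretValue call and later invocations pay none.
_CACHE = {}


def get_secret(secret_id, client, cache=_CACHE):
    """Fetch one secret by name or ARN and cache its parsed value. `client` must
    expose boto3's get_secret_value(SecretId=...) call and response shape."""
    if secret_id not in cache:
        resp = client.get_secret_value(SecretId=secret_id)
        raw = resp.get("SecretString") or resp["SecretBinary"].decode()
        try:
            cache[secret_id] = json.loads(raw)  # key/value secret (the console default)
        except ValueError:
            cache[secret_id] = raw              # plaintext secret
    return cache[secret_id]


def handler(event, context, client=None):
    """Lambda entry point. DB_SECRET_ID (assumed variable name) carries only the
    secret's ARN or name; the former DB_PASSWORD variable no longer exists."""
    if client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        client = boto3.client("secretsmanager")
    creds = get_secret(os.environ["DB_SECRET_ID"], client)
    # ... open the database connection with creds["username"] / creds["password"] ...
    return {"db_user": creds["username"], "password_len": len(creds["password"])}


class FakeSecretsManager:
    """Constructed stand-in with boto3's get_secret_value(SecretId=...) shape; it
    counts calls so the caching behaviour is observable offline."""

    def __init__(self, store):
        self.store, self.calls = store, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"ARN": SecretId, "SecretString": self.store[SecretId]}


def demo():
    """Two invocations against the fake: one API call, both served from the cache."""
    _CACHE.clear()
    os.environ["DB_SECRET_ID"] = "prod/orders/db"  # a secret name, not a password
    fake = FakeSecretsManager({"prod/orders/db": json.dumps(
        {"username": "orders_app", "password": "constructed-sample-only"})})
    first, second = handler({}, None, client=fake), handler({}, None, client=fake)
    return fake.calls, first, second


if __name__ == "__main__":
    print(demo())
```

Rotation caveat: a process-lifetime cache keeps serving the old value after Secrets Manager rotates the secret, so either give entries a TTL or refetch once on an authentication failure; the AWS Parameters and Secrets Lambda Extension provides the same local caching with a configurable TTL if you would rather not maintain this code.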

Related Skills

Contract Reviewer - AI Legal Document Risk Scanner

3891
from openclaw/skills

Upload any contract or legal document and get a structured risk analysis with flagged clauses, plain-language explanations, and negotiation suggestions.

devtools-secrets

3891
from openclaw/skills

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain. Use when the user asks to "configure secrets", "set up fnox", "infisical", "mise env", "secrets management", "environment variables for secrets", or mentions secret injection, secret providers, or env var hygiene.

AURA Security Scanner

3891
from openclaw/skills

Scan AI agent skills for malware, credential theft, prompt injection, and dangerous permissions before installing them

lora-cad-scanner

3891
from openclaw/skills

LoRa Channel Activity Detection (CAD) scanner for LilyGo T3 v1.6 (ESP32-PICO-D4 + SX1276) with HackRF One support. Scans a configurable frequency range using multiple BW/SF combinations, displays live progress on the SSD1306 OLED, stores detected channels in device RAM, emits structured 15-minute reports over Serial, and sends Telegram notifications for new detections via an OpenClaw cron pipeline. Use when scanning for LoRa devices in a frequency band, setting up a LilyGo T3 as a LoRa scanner/sniffer, building RF monitoring pipelines with Telegram alerting, or doing RF reconnaissance with HackRF + LilyGo together.

secrets-scan

3891
from openclaw/skills

Detect hardcoded secrets (API keys, tokens, passwords) in text or code

securevibes-scanner

3891
from openclaw/skills

Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for security issues, run incremental security scans, or set up continuous security monitoring via cron. Supports full scans (one-shot) and incremental scans (cron-driven, only new commits).

Private Secrets Skill

3891
from openclaw/skills

Used to securely store and manage your private information (such as API keys, passwords, tokens, etc.).

security-scanner

3891
from openclaw/skills

Scans OpenClaw skills for security vulnerabilities and suspicious patterns before installation

olo-sec-scanner

3891
from openclaw/skills

SEC EDGAR filing analysis for M&A due diligence — extract financials, detect risks, and track corporate events from 10-K, 10-Q, and 8-K filings

permission-creep-scanner

3891
from openclaw/skills

Helps detect permission creep in AI agent skills — flags when a skill's actual code accesses resources far beyond what its declared purpose requires, like a "fix typo" skill reading your .env file.

clawhub-skill-scanner

3891
from openclaw/skills

Security gatekeeper for skill installations. MANDATORY before installing any skill from ClawHub, GitHub, or external sources. Performs deep code analysis to detect malicious patterns, credential access, data exfiltration, command injection, and other security risks. Triggers: "install skill", "clawhub install", "new skill", "add skill", "skill from". Always run this BEFORE installation.

ggshield-scanner

3891
from openclaw/skills

Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.