Find the AWS keys hiding in your git history before someone else does
Scans your repos, config files, and environment for hardcoded secrets, API keys, passwords, and credentials. Checks git history too — that "removed" API key from 6 months ago is still in the commit log.
Create a skill called "Secret Sweeper". Scan for leaked secrets and credentials:

1. Run gitleaks or trufflehog on the git repo (including full history)
2. Scan current files for patterns: API keys, passwords, tokens, private keys, connection strings
3. Check `.env` files, docker-compose files, and CI configs for hardcoded secrets
4. For each finding, indicate whether it looks potentially active based on context or metadata; only attempt active validation if I explicitly approve it
5. For each finding, provide:
   - File and line number (or commit hash for historical leaks)
   - Secret type and risk level
   - Whether it appears to still be active
   - Remediation: exact steps to rotate and move to a secret manager

Also suggest pre-commit hooks and CI checks to prevent future leaks.
Secrets leak in predictable ways: committed to git, left in `.env` files,
hardcoded in Docker configs, or buried in CI/CD variables. This skill
checks all the usual hiding spots.
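
An added example (not part of the original recipe, and not how gitleaks or trufflehog work internally) of why the scan covers full history: a minimal Python pass over `git log -p` output that reports the commit that introduced a key and whether the key is still in the files. The sample log, the two patterns and the name `scan_history` are assumptions made for this illustration.

```python
import re

# Two of the secret types the recipe lists; real scanners ship many more rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Constructed, trimmed output of `git log -p -U0 --format="commit %H"` (newest first).
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -2 +1,0 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
commit 1111111111111111111111111111111111111111
diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -1,0 +2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""


def scan_history(log_text):
    """Find secrets on +/- diff lines; in_tree is False when every add was later removed."""
    found, commit, path = {}, None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("+++ ", "--- ")):
            if not line.endswith("/dev/null"):
                path = line[6:]  # drop the "+++ b/" or "--- a/" prefix
        elif line.startswith(("+", "-")):
            sign = 1 if line[0] == "+" else -1
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    s = m.group(0)
                    f = found.setdefault((s, path), {
                        "type": kind, "file": path, "commit": None,
                        "masked": s[:4] + "..." + s[-4:], "net": 0})
                    f["net"] += sign
                    if sign > 0:  # remember a commit that added the secret
                        f["commit"] = commit[:12] if commit else None
    for f in found.values():
        f["in_tree"] = f.pop("net") > 0
    return list(found.values())
```

A finding with `in_tree` set to `False` is the "removed" case: the key is gone from the files but anyone with a clone can still read it from the reported commit, so it needs rotation. The flag is only meaningful when the log covers the whole history.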
Faster builds, smaller images, fewer headaches
Paste your Dockerfile and get it back cleaner, smaller, and easier to cache. Good starter recipe for developers because the advice is concrete and the output is easy to compare against the original.
Tame the Dependabot PR flood — auto-merge the safe ones, flag the risky ones
Reviews dependency update PRs by reading changelogs, checking for breaking changes, running tests, and auto-merging patch updates that pass CI. Turns 50 Dependabot PRs per week into 3 that need your attention.
A calm checklist when fraud hits
Immediate steps, reporting sequences, and long-term hardening for scams and identity theft. Organized by urgency so you know what to do first.
Verify brand offers before you click anything
Screens incoming partnership offers for phishing and scam patterns: suspicious domains, attachments, fake checks, requests to "connect your account," and vague contracts. Outputs a risk rating and safe verification steps.