From sundial-org-awesome-openclaw-skills-4
Detects 500+ hardcoded secrets (API keys, tokens, credentials) in git repos, files, staged changes, and Docker images using GitGuardian ggshield CLI. Installs pre-commit hooks.
npx claudepluginhub joshuarweaver/cascade-ai-ml-agents-misc-2 --plugin sundial-org-awesome-openclaw-skills-4
This skill uses the workspace's default tool permissions.
**ggshield** is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.
Secrets are sensitive credentials that should NEVER be committed to version control:
A single leaked secret can:
ggshield catches these before they reach your repository.
scan-repo: Scans an entire git repository for secrets (including history).
@clawd scan-repo /path/to/my/project
Output:
Scanning repository...
Repository clean: 1,234 files scanned, 0 secrets found
Output on detection:
Found 2 secrets:
- AWS Access Key ID in config/prod.py:42
- Slack API token in .env.backup:8
Use 'ggshield secret ignore --last-found' to ignore, or remove them.
scan-file: Scans a single file for secrets.
@clawd scan-file /path/to/config.py
scan-staged: Scans only staged git changes (useful pre-commit check).
@clawd scan-staged
This runs on your git add-ed changes only (fast!).
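How a staged-only scan can report findings as file:line, as an added example that is not part of the skill or of ggshield: it walks `git diff --cached` output, tracks new-file line numbers from the hunk headers, and checks only added lines. The two regex detectors, the name `scan_staged_diff` and the sample diff are assumptions constructed for illustration; ggshield's own detectors are not reproduced here.

```python
import re

# Two illustrative detectors: assumptions for this example, not ggshield's rules.
DETECTORS = [
    ("AWS Access Key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("Generic credential assignment", re.compile(
        r"\b\w*(?:secret|token|passw(?:or)?d|api_?key)\w*\s*[:=]\s*['\"]?[^\s'\"]{3,}",
        re.IGNORECASE)),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample of `git diff --cached` output (the key is AWS's documented dummy).
SAMPLE_DIFF = '''\
diff --git a/config/prod.py b/config/prod.py
--- a/config/prod.py
+++ b/config/prod.py
@@ -40,4 +40,4 @@
 DEBUG = False
 REGION = "eu-west-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 TIMEOUT = 30
diff --git a/config.py b/config.py
new file mode 100644
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+SECRET_TOKEN=xyz
'''


def scan_staged_diff(diff_text):
    """Return (detector, path, line_no) for each added line that looks like a secret."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # header naming the post-change file
            path = line[4:].strip().removeprefix("b/")
        elif match := HUNK.match(line):
            line_no = int(match.group(1))      # first new-file line of this hunk
        elif line.startswith("+"):             # added line: the only kind scanned
            hit = next((n for n, rx in DETECTORS if rx.search(line[1:])), None)
            if hit:
                findings.append((hit, path, line_no))
            line_no += 1
        elif line.startswith(" "):             # context line: counts, not scanned
            line_no += 1
    return findings                            # "-" lines are gone from the new file


if __name__ == "__main__":
    for name, path, line_no in scan_staged_diff(SAMPLE_DIFF):
        print(f"- {name} in {path}:{line_no}")
```

Because removed and context lines are skipped, a secret that is already in the repository is not reported by this kind of scan; that is what the full-history `scan-repo` is for.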
install-hooks: Installs ggshield as a git pre-commit hook.
@clawd install-hooks
After this, every commit is automatically scanned:
$ git commit -m "Add config"
Running ggshield pre-commit hook...
Secrets detected! Commit blocked.
Remove the secrets and try again.
scan-docker: Scans Docker images for secrets in their layers.
@clawd scan-docker my-app:latest
ggshield CLI: Install via pip
pip install "ggshield>=1.15.0"
GitGuardian API Key: Required for secret detection
export GITGUARDIAN_API_KEY="your-api-key-here"
clawdhub install ggshield-scanner
The skill is now available in your Moltbot workspace.
Start a new Moltbot session to pick up the skill:
moltbot start
# or via messaging: @clawd list-skills
Dev: @clawd scan-repo .
Moltbot: Repository clean. All good to push!
Dev: git push
Dev: @clawd scan-repo ~/my-old-project
Moltbot: Found 5 secrets in history!
- AWS keys in config/secrets.json
- Database password in docker-compose.yml
- Slack webhook in .env.example
Moltbot: Recommendation: Rotate these credentials immediately.
Consider using git-filter-repo to remove from history.
Dev: @clawd install-hooks
Moltbot: Installed pre-commit hook
Dev: echo "SECRET_TOKEN=xyz" > config.py
Dev: git add config.py
Dev: git commit -m "Add config"
Moltbot: Pre-commit hook detected secret!
Dev: rm config.py && git reset
Dev: (add config to .gitignore and to environment variables instead)
Dev: git commit -m "Add config" # Now works!
Dev: @clawd scan-docker my-api:v1.2.3
Moltbot: Docker image clean
These are required for the skill to work:
| Variable | Value | Where to Set |
|---|---|---|
| GITGUARDIAN_API_KEY | Your API key from https://dashboard.gitguardian.com | ~/.bashrc or ~/.zshrc |
| GITGUARDIAN_ENDPOINT | https://api.gitguardian.com (default, optional) | Usually not needed |
Create ~/.gitguardian/.gitguardian.yml for persistent settings:
verbose: false
output-format: json
exit-code: true
For details: https://docs.gitguardian.com/ggshield-docs/
ONLY metadata is sent:
NEVER sent:
Reference: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.
ggshield uses:
ggshield is not installed or not in your PATH.
Fix:
pip install ggshield
which ggshield # Should return a path
The environment variable is not set.
Fix:
export GITGUARDIAN_API_KEY="your-key"
# For persistence, add to ~/.bashrc or ~/.zshrc:
echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc
source ~/.bashrc
API key is invalid or expired.
Fix:
# Test the API key
ggshield auth status
# If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens
# Then: export GITGUARDIAN_API_KEY="new-key"
Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.
Workaround:
# Scan only staged changes (faster):
@clawd scan-staged
# Or specify a subdirectory:
@clawd scan-file ./app/config.py
Sometimes ggshield flags a string that's NOT a secret (e.g., a test key):
# Ignore the last secret found
ggshield secret ignore --last-found
# Ignore all in a file
ggshield secret ignore --path ./config-example.py
This creates .gitguardian/config.json with ignore rules.
You can add secret scanning to GitHub Actions / GitLab CI:
```yaml
# .github/workflows/secret-scan.yml
name: Secret Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history; the default shallow clone holds only the latest commit
      - run: pip install ggshield
      - run: ggshield secret scan repo .
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```
If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:
export GITGUARDIAN_ENDPOINT="https://your-instance.gitguardian.com"
export GITGUARDIAN_API_KEY="your-enterprise-key"
MIT License - See LICENSE file
Version: 1.0.0 Last updated: January 2026 Maintainer: GitGuardian