check-secrets

Original：🇺🇸 English

Translated

Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.

1installs

Sourcenozomi-koborinai/koborin-ai

Added on2026-02-22

NPX Install

npx skill4agent add nozomi-koborinai/koborin-ai check-secrets

SKILL.md Content

View Translation Comparison →

check-secrets

Scan the codebase for potential secret leaks before commits.

Trigger Examples

"Check for secrets"
"Scan for leaks"
"Security check"
"Are there any hardcoded secrets?"

Execution Flow

1. Define Detection Patterns

High-risk patterns:

API keys:
```
['\"]?[A-Z0-9_]{20,}['\"]?
```
Bearer tokens:
```
Bearer\s+[A-Za-z0-9\-._~+/]+=*
```

Private keys:

-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----

OAuth secrets:

client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}

GCP service account keys:
```
"type":\s*"service_account"
```
AWS credentials:
```
AKIA[0-9A-Z]{16}
```

Project-specific patterns:

Hardcoded project IDs:
```
koborin-ai
```
(outside of variable assignments or docs)
Email addresses:
```
@koborin\.ai
```

Safe patterns (excluded):

Environment variable references:
```
process.env.
```
,
```
$\{
```
,
```
TF_VAR_
```
Placeholder values:
```
<PROJECT_ID>
```
,
```
YOUR_API_KEY
```
,
```
dummy
```
,
```
example
```
Test fixtures: files under
```
__tests__/
```
,
```
*.test.ts
```
,
```
*.spec.ts
```

2. Scan the Codebase

Use

git ls-files

to get tracked files:

bash

git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'

3. Filter False Positives

Remove known safe occurrences:

Lines containing
```
process.env.
```
or
```
TF_VAR_
```
Template files (
```
.env.example
```
,
```
.env.template
```
)
Lines with placeholder patterns (
```
<...>
```
,
```
YOUR_...
```
,
```
REPLACE_ME
```
)

4. Categorize Findings

Critical (immediate action required):

Private keys, service account JSON
Hardcoded passwords or tokens
Real API keys with valid format

Warning (review recommended):

Suspicious long strings that might be keys
Hardcoded project IDs outside infrastructure code

Info (low risk):

Company name in unexpected places
Domain references in application code

5. Display Results

CRITICAL: Potential private key detected
  File: infra/shared/main.tf
  Line: 42
  Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
  File: app/src/lib/api-client.ts
  Line: 15
  Match: const PROJECT = "koborin-ai"

Summary:
- Critical: 1 finding(s)
- Warning: 1 finding(s)

Review these findings before committing.

Project-Specific Rules

For

koborin-ai

:

Allow
```
koborin-ai
```
in
```
infra/
```
and
```
README.md
```
Flag it in
```
app/src/
```
unless from environment variable
Allow email addresses in documentation
Flag GCP project IDs when hardcoded outside Pulumi config

Notes

This is static analysis only; cannot detect runtime-loaded secrets
Always review findings manually
Run before every commit
Never commit real secrets even if undetected

check-secrets

NPX Install

Tags

SKILL.md Content

check-secrets

Trigger Examples

Execution Flow

1. Define Detection Patterns

2. Scan the Codebase

3. Filter False Positives

4. Categorize Findings

5. Display Results

Project-Specific Rules

Notes