Credential Scanning

Scan codebases and configs for exposed API keys, tokens, passwords, and other sensitive credentials.

Category

Security

Vulnerability scanning, credential protection, and incident response.

Difficulty & Skill

Security beginner

Overview

Leaked credentials are among the most common causes of data breaches. API keys committed to Git, .env files missing from .gitignore, hardcoded database passwords in config files: these mistakes happen to experienced developers too, and a single one can result in thousands of dollars of unauthorized usage or complete account compromise.

OpenClaw's credential scanning use case detects exposed secrets across your entire workspace before they cause damage. Using the Credential Scanner skill, the agent checks for API keys from major providers (AWS, OpenAI, Anthropic, GitHub, Slack, SendGrid), private keys, database connection strings, and generic password patterns.

The scan runs entirely offline, so your secrets never leave your machine. It takes seconds to check an entire project, and catching a secret before it is pushed is far cheaper than the alternative: once a credential has been exposed, every affected key has to be rotated.

How It Works

  1. Install the Credential Scanner skill from the UseClawPro verified catalog
  2. Run the scanner against your project directory or specific files
  3. The agent scans every text file (binary files are skipped) using pattern matching for 20+ credential types; provider-specific formats such as AWS or GitHub keys match precisely, while generic password patterns are broader and need a quick manual review for false positives
  4. It automatically skips irrelevant directories (node_modules, .git, dist, vendor)
  5. Each finding is reported with the file path, line number, credential type, and severity
  6. You review findings and take action: add the file to .gitignore, move the value to an environment variable or secret manager, or rotate the credential. Treat any secret that has already been committed as compromised and rotate it, because removing the file from the working tree does not remove the value from Git history

Example Scenarios

  • Before pushing to a public GitHub repo, you scan for secrets and catch an AWS access key accidentally left in a config file
  • A new team member joins and their local .env file isn't in .gitignore — the scanner flags it before the first commit
  • During a security audit, you discover a database connection string with credentials hardcoded in a migration script from two years ago
  • You're onboarding a contractor to your OpenClaw workspace and want to ensure no sensitive credentials are exposed in the project files they'll access
  • A CI pipeline config contains a hardcoded Slack webhook URL — the scanner catches it and you move it to a secret manager

Frequently Asked Questions

Does the scanner upload my secrets anywhere?

Absolutely not. The Credential Scanner skill has no network permissions. It runs entirely offline, reading only local files and reporting findings to you. Your secrets never leave your machine.

What credential types does it detect?

AWS access keys, OpenAI/Anthropic API keys, GitHub/GitLab tokens, Slack bot tokens, SendGrid keys, private SSH and PGP keys, database connection strings (PostgreSQL, MySQL, MongoDB), and generic password/secret patterns.

How is this different from git-secrets or TruffleHog?

Credential Scanner is designed specifically for the OpenClaw ecosystem. It checks your workspace before you run any skill with network access, reducing the chance that a skill can read and exfiltrate a credential. It complements tools like git-secrets, which block secrets at commit time via hooks, and TruffleHog, which scans Git history and can verify whether a found key is live. Because Credential Scanner reads the working tree and skips .git, a secret that was committed and later deleted will not show up here; use a history-aware tool for that case.

Can I add custom patterns for my organization?

Yes. You can configure custom regex patterns for internal credential formats, proprietary API keys, or organization-specific secret patterns that the default ruleset doesn't cover.
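The following is an added illustration of the workflow described under How It Works and of the custom-pattern configuration in this answer. It is example code written for this page, not the Credential Scanner skill's own implementation, and the regexes, severities, the `compile_custom` rule format and the `ACME-` internal token format are assumptions chosen for the demo. The walk skips the same directories the page lists, ignores binary files, reports path, line, type and severity, and redacts each match so the report itself does not re-leak the secret. The sample workspace is constructed inside `demo()`; the AWS key in it is AWS's documented example value.

```python
"""Minimal offline credential scanner (illustrative, not the OpenClaw skill)."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Directories the walk skips, matching the list on this page.
SKIP_DIRS = {"node_modules", ".git", "dist", "vendor"}

# Built-in rules: (credential type, severity, regex). The prefixes follow the
# providers' public key formats; this is a sample ruleset, not the skill's.
DEFAULT_PATTERNS = [
    ("AWS access key ID", "high",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("GitHub token", "high",
     re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("Anthropic API key", "high",
     re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("Slack token", "high",
     re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")),
    ("Private key block", "critical",
     re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY(?: BLOCK)?-----")),
    ("Database URL with embedded password", "high",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@")),
    # Broad by design; expect false positives and review these by hand.
    ("Generic password/secret assignment", "low",
     re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    preview: str  # redacted match: the report must not echo the full secret


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return secret[:keep] + "*" * max(0, min(len(secret) - keep, 12))


def compile_custom(rules):
    """Assumed config shape: {name: (severity, regex_string)} -> rule tuples."""
    return [(name, sev, re.compile(rx)) for name, (sev, rx) in rules.items()]


def scan_text(text, relpath, patterns=DEFAULT_PATTERNS):
    """Run every rule over every line; one Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, severity, rx in patterns:
            for m in rx.finditer(line):
                findings.append(Finding(relpath, lineno, kind, severity, redact(m.group(0))))
    return findings


def looks_binary(data: bytes) -> bool:
    """Cheap text/binary test: a NUL byte in the first 8 KiB means binary."""
    return b"\x00" in data[:8192]


def scan_tree(root, patterns=DEFAULT_PATTERNS, max_bytes=2_000_000):
    """Walk a workspace, skipping SKIP_DIRS, binaries and oversized files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        data = path.read_bytes()
        if looks_binary(data):
            continue
        findings.extend(scan_text(data.decode("utf-8", errors="replace"), str(rel), patterns))
    return findings


def demo():
    """Scan a constructed workspace in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "prod.yaml").write_text(
            "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example key
            "db_url: postgres://app:s3cr3tpass@db.internal:5432/app\n")
        (root / ".env").write_text("DB_PASSWORD=correct-horse-battery\nDEBUG=1\n")
        (root / "node_modules").mkdir()  # must be skipped even though it holds a token
        (root / "node_modules" / "pkg.js").write_text("const t = 'ghp_" + "a" * 36 + "';\n")
        (root / "deploy.sh").write_text("TOKEN=ACME-0123456789ABCDEF\n")
        # Hypothetical organisation-specific rule added on top of the defaults.
        custom = compile_custom({"Internal service token": ("high", r"\bACME-[0-9A-F]{16}\b")})
        return scan_tree(root, DEFAULT_PATTERNS + custom)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:8} {f.path}:{f.line}  {f.kind}  {f.preview}")
```

Running the file prints four findings: the generic password in .env, the AWS key and the database URL in config/prod.yaml, and the custom ACME token in deploy.sh; the GitHub token under node_modules is never read. Real rules should be tuned against your own repositories, since the generic assignment rule will flag things like test fixtures.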
