Claude Code Plugins

Community-maintained marketplace

Feedback

check-secrets

@nozomi-koborinai/koborin-ai
6
0

Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name check-secrets
description Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.

check-secrets

Scan the codebase for potential secret leaks before commits.

Trigger Examples

  • "Check for secrets"
  • "Scan for leaks"
  • "Security check"
  • "Are there any hardcoded secrets?"

Execution Flow

1. Define Detection Patterns

High-risk patterns:

  • API keys: ['\"]?[A-Z0-9_]{20,}['\"]?
  • Bearer tokens: Bearer\s+[A-Za-z0-9\-._~+/]+=*
  • Private keys: -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
  • OAuth secrets: client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}
  • GCP service account keys: "type":\s*"service_account"
  • AWS credentials: AKIA[0-9A-Z]{16}

Project-specific patterns:

  • Hardcoded project IDs: koborin-ai (outside of variable assignments or docs)
  • Email addresses: @koborin\.ai

Safe patterns (excluded):

  • Environment variable references: process.env., $\{, TF_VAR_
  • Placeholder values: <PROJECT_ID>, YOUR_API_KEY, dummy, example
  • Test fixtures: files under __tests__/, *.test.ts, *.spec.ts

2. Scan the Codebase

Use git ls-files to get tracked files:

git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'

3. Filter False Positives

Remove known safe occurrences:

  • Lines containing process.env. or TF_VAR_
  • Template files (.env.example, .env.template)
  • Lines with placeholder patterns (<...>, YOUR_..., REPLACE_ME)

4. Categorize Findings

Critical (immediate action required):

  • Private keys, service account JSON
  • Hardcoded passwords or tokens
  • Real API keys with valid format

Warning (review recommended):

  • Suspicious long strings that might be keys
  • Hardcoded project IDs outside infrastructure code

Info (low risk):

  • Company name in unexpected places
  • Domain references in application code

5. Display Results

CRITICAL: Potential private key detected
  File: infra/shared/main.tf
  Line: 42
  Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
  File: app/src/lib/api-client.ts
  Line: 15
  Match: const PROJECT = "koborin-ai"

Summary:
- Critical: 1 finding(s)
- Warning: 1 finding(s)

Review these findings before committing.

Project-Specific Rules

For koborin-ai:

  • Allow koborin-ai in infra/ and README.md
  • Flag it in app/src/ unless from environment variable
  • Allow email addresses in documentation
  • Flag GCP project IDs when hardcoded outside Pulumi config

Notes

  • This is static analysis only; cannot detect runtime-loaded secrets
  • Always review findings manually
  • Run before every commit
  • Never commit real secrets even if undetected