
Secrets Scanner

Find hardcoded API keys, tokens, and credentials anywhere in the repo — including git history if requested.

/secrets-scan

Install this skill

  1. Copy the SKILL.md content
  2. Create a folder for the skill:
    # Mac/Linux
    mkdir -p ~/.claude/skills/secrets-scan

    # Windows (PowerShell)
    mkdir $env:USERPROFILE\.claude\skills\secrets-scan
  3. Save the content as ~/.claude/skills/secrets-scan/SKILL.md
  4. Restart Claude Code (or open a new session)
  5. Type /secrets-scan to invoke it
Tags: security, secrets, git

/secrets-scan

Find what shouldn't be in the codebase.

Usage

/secrets-scan            # current working tree
/secrets-scan --history  # also scan git history (slow)
/secrets-scan --staged   # only what's about to be committed

Patterns detected

  • AWS: AKIA[0-9A-Z]{16}, aws_secret_access_key=...
  • GCP: service account JSON keys
  • Azure: connection strings, SAS tokens
  • GitHub: ghp_..., gho_..., ghu_...
  • OpenAI / Anthropic: sk-..., sk-ant-...
  • Stripe: sk_live_..., rk_live_...
  • Slack: xoxb-..., xoxp-...
  • JWT: standalone eyJ... strings
  • Generic: high-entropy strings inside quoted values
  • Private keys: -----BEGIN (RSA|EC|OPENSSH|PGP) PRIVATE KEY-----

What to do when found

  1. Report the file:line with the masked value (sk-...XYZ)
  2. Do NOT echo the full secret in any output
  3. Suggest:
    • Move to env var
    • If pushed to remote: rotate immediately + provide rotation links per provider
    • Add to .gitignore if it's a config file

Rules

  • Skip node_modules, .next, build artifacts
  • Suppress matches in test fixtures clearly named (*-mock.json, *.example)
  • If --history finds a secret in past commits, recommend BOTH git filter-repo AND credential rotation (filtering alone doesn't help if it was already pushed)
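As an added illustration, not part of the skill or of this page, the following Python sketch implements the "Patterns detected" list, the masked reporting from "What to do when found" (sk-...XYZ style, never the full value), and the skip and fixture rules from "Rules". The regex character classes and minimum lengths, the 4.0 bits/char entropy cutoff for the generic check, the build/ and dist/ directory names, the Finding type, and every sample value are assumptions constructed for the example; the AWS key id is the well-known placeholder from the AWS documentation.

```python
"""Added example: a minimal working-tree secrets scanner with masked output."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# Provider-specific patterns following the skill's list. Character classes and
# minimum lengths are assumptions for this example, not vendor specifications.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*=\s*['\"]?([^\s'\"]+)", re.I),
    "github_token": re.compile(r"\bgh[pou]_[A-Za-z0-9]{20,}\b"),
    "openai_or_anthropic_key": re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_\-]{20,}\b"),
    "stripe_key": re.compile(r"\b[sr]k_live_[A-Za-z0-9]{20,}\b"),
    "slack_token": re.compile(r"\bxox[bp]-[A-Za-z0-9\-]{10,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA|EC|OPENSSH|PGP) PRIVATE KEY-----"),
}
# Generic rule: a long quoted value whose Shannon entropy is high (assumed cutoff).
QUOTED_VALUE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character

SKIP_DIRS = {"node_modules", ".next", "build", "dist"}  # "build artifacts" assumed as build/ and dist/
FIXTURE_SUFFIXES = ("-mock.json", ".example")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked: str  # never the full secret


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep a recognisable prefix (up to the first '-' or '_' in the first 8
    chars, else 4 chars) plus the last 3 chars, e.g. sk-...XYZ."""
    sep = re.search(r"[-_]", value[:8])
    prefix = value[: sep.end()] if sep else value[:4]
    return f"{prefix}...{value[-3:]}"


def should_skip(path: str) -> bool:
    """Rules: skip dependency/build dirs and clearly named test fixtures."""
    parts = PurePosixPath(path).parts
    return any(p in SKIP_DIRS for p in parts) or path.endswith(FIXTURE_SUFFIXES)


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    if should_skip(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []  # spans already claimed by a provider pattern
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)
                covered.append(m.span())
                # The PEM header itself is not secret material, so it is reported as-is.
                shown = value if kind == "private_key" else mask(value)
                findings.append(Finding(path, lineno, kind, shown))
        # Generic entropy check only on quoted values not already attributed above.
        for m in QUOTED_VALUE.finditer(line):
            if any(a < m.end() and m.start() < b for a, b in covered):
                continue
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", mask(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample tree; none of these values are live credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'                            # AWS docs placeholder
        'GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"\n'   # constructed
        'SESSION_SECRET = "0123456789abcdefghijklmnopqrstuv"\n'        # 32 distinct chars: 5.0 bits/char
        'PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"\n'                    # low entropy, not reported
    ),
    "fixtures/creds-mock.json": '{"token": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"}\n',
    "node_modules/pkg/index.js": 'const k = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.masked}")
```

Running it reports three masked findings from config/settings.py and nothing from the fixture or node_modules paths. The generic entropy check is deliberately gated on spans the provider patterns have not already claimed, so a single token is not reported twice, and the mask keeps only the provider prefix and last three characters, matching the page's file:line plus sk-...XYZ reporting rule. For the --history mode, the same scan_text function would be fed each historical blob rather than the working-tree file; the rotation recommendation above still applies regardless of what the filter step later removes.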