OpenClaw

Skill details (site mirror, no comments)

Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.

Development & DevOps

License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.2

Stats: ⭐ 0 · 2.2k · 4 current installs · 4 all-time installs

Package:amascia-gg/ggshield-scanner

Security scan (ClawHub)

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious

OpenClaw assessment

The skill appears to implement a legitimate ggshield wrapper and only needs a GitGuardian API key, but there are metadata/source inconsistencies and minor privacy/handling claims that don't fully add up — review the origin and where you store the API key before installing.

Purpose

The skill's name, README, SKILL.md, pyproject.toml and code all consistently implement a wrapper around the ggshield CLI and therefore legitimately need the ggshield binary and GITGUARDIAN_API_KEY. However, the registry metadata at the top of the report claimed no required binaries/env vars while SKILL.md and ggshield_skill.py require ggshield and GITGUARDIAN_API_KEY — an incoherence in published metadata. The repository/homepage fields also d…

Scope of instructions

SKILL.md and the code constrain actions to scanning repos/files/staged changes/docker images and installing hooks. The implementation invokes the ggshield CLI via subprocess and only pulls the API key from GITGUARDIAN_API_KEY. It does not instruct reading arbitrary system files or other credentials. That said, SKILL.md asserts that ONLY metadata (hashes, path, line no.) is sent — this is a claim about ggshield/ GitGuardian behavior rather than…

Installation mechanism

This is an instruction-only skill (no installer in the registry). The SKILL.md instructs users to pip install ggshield (a normal, low-risk package install from PyPI). The package includes a pyproject.toml listing dependencies (ggshield, pygitguardian) but no automated download-from-unknown-URL behavior. Overall install risk is low, but verify you install ggshield/pygitguardian from the official PyPI and confirm the skill repo origin before run…

Credentials

The only secret required by the code and documentation is GITGUARDIAN_API_KEY, which is proportionate to the stated purpose. Two caveats: (1) registry metadata omitted this required env var (incoherent metadata), and (2) SKILL.md suggests persisting the API key in shell profiles or a .env file — storing long-lived API keys in shell startup files or plaintext .env can increase exposure risk. Consider using ephemeral credentials or restricting t…

Persistence

The skill does not request permanent platform-wide presence (always: false) and does not modify other skills or global agent settings. It runs as an ordinary skill wrapper and uses subprocess calls to ggshield; autonomous invocation is allowed (platform default) but is not combined with elevated privileges here.

Installation (copy to the Lobster AI)

Copy the whole block below into a Lobster Chinese Library chat; Lobster will complete the installation according to SKILL.md.

Please hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "ggshield Secret Scanner" on this machine. Summary: Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before t….
Please fetch the following URL, read SKILL.md, and complete the installation as the document describes: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/amascia-gg/ggshield-scanner/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md

Open the original SKILL.md (GitHub raw)

---
name: ggshield-scanner
description: Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.
homepage: https://github.com/GitGuardian/ggshield-skill
metadata:
  clawdbot:
    requires:
      bins: ["ggshield"]
      env: ["GITGUARDIAN_API_KEY"]
---

# ggshield Secret Scanner

## Overview

**ggshield** is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.

### What Are "Secrets"?

Secrets are sensitive credentials that should NEVER be committed to version control:
- AWS Access Keys, GCP Service Accounts, Azure credentials
- API tokens (GitHub, Slack, Stripe, etc.)
- Database passwords and connection strings
- Private encryption keys and certificates
- OAuth tokens and refresh tokens
- PayPal/Stripe API keys
- Email server credentials

### Why This Matters

A single leaked secret can:
- 🔓 Compromise your infrastructure
- 💸 Incur massive cloud bills (attackers abuse your AWS account)
- 📊 Expose customer data (GDPR/CCPA violation)
- 🚨 Trigger security incidents and audits

ggshield catches these **before** they reach your repository.

## Features

### Commands Available

#### 1. `scan-repo`
Scans an entire git repository for secrets (including history).

```
@clawd scan-repo /path/to/my/project
```

**Output**:
```
🔍 Scanning repository...
✅ Repository clean: 1,234 files scanned, 0 secrets found
```

**Output on detection**:
```
❌ Found 2 secrets:

- AWS Access Key ID in config/prod.py:42
- Slack API token in .env.backup:8

Use 'ggshield secret ignore --last-found' to ignore, or remove them.
```

#### 2. `scan-file`
Scans a single file for secrets.

```
@clawd scan-file /path/to/config.py
```

#### 3. `scan-staged`
Scans only staged git changes (useful pre-commit check).

```
@clawd scan-staged
```

This runs on your `git add`-ed changes only (fast!).

#### 4. `install-hooks`
Installs ggshield as a git pre-commit hook.

```
@clawd install-hooks
```

After this, every commit is automatically scanned:
```
$ git commit -m "Add config"
🔍 Running ggshield pre-commit hook...
❌ Secrets detected! Commit blocked.
Remove the secrets and try again.
```

#### 5. `scan-docker`
Scans Docker images for secrets in their layers.

```
@clawd scan-docker my-app:latest
```

## Installation

### Prerequisites

1. **ggshield CLI**: Install via pip
   ```bash
   # Quote the specifier: an unquoted ">=" is a shell redirection
   pip install "ggshield>=1.15.0"
   ```

2. **GitGuardian API Key**: Required for secret detection
   - Sign up: https://dashboard.gitguardian.com (free)
   - Generate API key in Settings
   - Set environment variable:

```bash
export GITGUARDIAN_API_KEY="your-api-key-here"
```

3. **Python 3.8+**: Required by ggshield

### Install Skill

```bash
clawdhub install ggshield-scanner
```

The skill is now available in your Moltbot workspace.

### In Your Moltbot Workspace

Start a new Moltbot session to pick up the skill:

```bash
moltbot start
# or via messaging: @clawd list-skills
```

## Usage Patterns

### Pattern 1: Before Pushing (Security Check)

```
Dev: @clawd scan-repo .
Moltbot: ✅ Repository clean. All good to push!

Dev: git push
```

### Pattern 2: Audit Existing Repo

```
Dev: @clawd scan-repo ~/my-old-project
Moltbot: ❌ Found 5 secrets in history!
         - AWS keys in config/secrets.json
         - Database password in docker-compose.yml
         - Slack webhook in .env.example
Moltbot: Recommendation: Rotate these credentials immediately.
         Consider using git-filter-repo to remove from history.
```

### Pattern 3: Pre-Commit Enforcement

```
Dev: @clawd install-hooks
Moltbot: ✅ Installed pre-commit hook

Dev: echo "SECRET_TOKEN=xyz" > config.py
Dev: git add config.py
Dev: git commit -m "Add config"
Moltbot: ❌ Pre-commit hook detected secret!
Dev: rm config.py && git reset
Dev: (add config to .gitignore and to environment variables instead)
Dev: git commit -m "Add config" # Now works!
```

### Pattern 4: Docker Image Security

```
Dev: @clawd scan-docker my-api:v1.2.3
Moltbot: ✅ Docker image clean
```

## Configuration

### Environment Variables

These are required for the skill to work:

| Variable | Value | Where to Set |
| :-- | :-- | :-- |
| `GITGUARDIAN_API_KEY` | Your API key from https://dashboard.gitguardian.com | `~/.bashrc` or `~/.zshrc` |
| `GITGUARDIAN_ENDPOINT` | `https://api.gitguardian.com` (default, optional) | Usually not needed |

### Optional ggshield Config

Create `~/.gitguardian/.gitguardian.yml` for persistent settings:

```yaml
verbose: false
output-format: json
exit-code: true
```

For details: https://docs.gitguardian.com/ggshield-docs/

## Privacy & Security

### What Data is Sent to GitGuardian?

✅ **ONLY metadata is sent**:

- Hash of the secret pattern (not the actual secret)
- File path (relative path only)
- Line number

❌ **NEVER sent**:

- Your actual secrets or credentials
- File contents
- Private keys
- Credentials

**Reference**: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.

### How Secrets Are Detected

ggshield uses:

1. **Entropy-based detection**: Identifies high-entropy strings (random tokens)
2. **Pattern matching**: Looks for known secret formats (AWS key prefixes, etc.)
3. **Public CVEs**: Cross-references disclosed secrets
4. **Machine learning**: Trained on leaked secrets database
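To make the first two techniques in this list concrete, and to show what a report that carries only a hash, a path and a line number (the shape described under "What Data is Sent to GitGuardian?") looks like, here is a small toy detector. It is an added example written for this page, not ggshield's or GitGuardian's code, and it says nothing about what ggshield actually sends. The two key-format regexes, the 20-character candidate rule and the 4.0-bit entropy threshold are assumptions chosen for the example; the sample files are constructed (the AWS values are the non-functional examples from AWS's own documentation, the GitHub token is made up).

```python
"""Toy secret detector: pattern matching plus Shannon-entropy check.

Added example, not ggshield's implementation. Findings carry the detector
name, path, line number and a SHA-256 of the matched value; the value itself
is not kept.
"""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known-format rules (assumed for this example): AWS access key IDs are
# "AKIA" + 16 uppercase alphanumerics; GitHub classic PATs are "ghp_" + 36 chars.
PATTERN_RULES = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Candidate tokens for the entropy check: 20+ chars of a base64/URL-safe alphabet.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; threshold chosen for this example


@dataclass(frozen=True)
class Finding:
    detector: str
    path: str
    line_no: int
    secret_sha256: str  # hash of the matched value, never the value itself


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _finding(detector: str, path: str, line_no: int, value: str) -> Finding:
    digest = hashlib.sha256(value.encode()).hexdigest()
    return Finding(detector, path, line_no, digest)


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_values = []
        # 1. Pattern matching: known secret formats, regardless of entropy.
        for name, rule in PATTERN_RULES:
            for m in rule.finditer(line):
                matched_values.append(m.group(0))
                findings.append(_finding(name, path, line_no, m.group(0)))
        # 2. Entropy check on remaining random-looking tokens.
        for m in CANDIDATE_RE.finditer(line):
            token = m.group(0)
            if any(v in token for v in matched_values):
                continue  # already reported by a pattern rule
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(_finding("High-entropy string", path, line_no, token))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping (stands in for walking a repository)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def format_report(findings) -> str:
    """Report in the style of the skill's output: detector, path:line, hash prefix."""
    if not findings:
        return "Repository clean: 0 secrets found"
    lines = [f"Found {len(findings)} secrets:"]
    for f in findings:
        lines.append(f"- {f.detector} in {f.path}:{f.line_no} (sha256 {f.secret_sha256[:12]}...)")
    return "\n".join(lines)


# Constructed sample input. The AWS values are the non-functional examples from
# AWS's own documentation; the GitHub token is made up for this example.
SAMPLE_FILES = {
    "config/prod.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'REGION = "us-east-1"\n'
    ),
    ".env.backup": (
        "DEBUG=false\n"
        "GITHUB_TOKEN=ghp_ExampleToken0123456789abcdefABCDEF01\n"
    ),
    "README.md": (
        "Set DEBUG=true to enable verbose logging.\n"
        "The placeholder aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa is not a key.\n"
    ),
}

if __name__ == "__main__":
    print(format_report(scan_files(SAMPLE_FILES)))
```

Running it reports three findings: the AWS key ID (pattern rule), the AWS secret key (entropy about 4.7 bits per character) and the GitHub token (pattern rule), while the 40-character `aaaa…` placeholder has zero entropy and is skipped. The AWS key ID is instructive: its fixed `AKIA` prefix and repeated letters pull its entropy below the 4.0 threshold, so an entropy check alone would miss it, which is why the two techniques are combined rather than used in isolation.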

## Troubleshooting

### "ggshield: command not found"

ggshield is not installed or not in your PATH.

**Fix**:

```bash
pip install ggshield
which ggshield  # Should return a path
```

### "GITGUARDIAN_API_KEY not found"

The environment variable is not set.

**Fix**:

```bash
export GITGUARDIAN_API_KEY="your-key"
# For persistence, add to ~/.bashrc or ~/.zshrc:
echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc
source ~/.bashrc
```

### "401 Unauthorized"

API key is invalid or expired.

**Fix**:

```bash
# Test the API key
ggshield auth status

# If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens
# Then: export GITGUARDIAN_API_KEY="new-key"
```

### "Slow on large repositories"

Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.

**Workaround**:

```
# Scan only staged changes (faster):
@clawd scan-staged

# Or scan a single file:
@clawd scan-file ./app/config.py
```

## Advanced Topics

### Ignoring False Positives

Sometimes ggshield flags a string that's NOT a secret (e.g., a test key):

```bash
# Ignore the last secret found
ggshield secret ignore --last-found

# Ignore all in a file
ggshield secret ignore --path ./config-example.py
```

This creates `.gitguardian/config.json` with ignore rules.

### Integrating with CI/CD

You can add secret scanning to GitHub Actions / GitLab CI:

```yaml
# .github/workflows/secret-scan.yml
name: Secret Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install ggshield
      - run: ggshield secret scan repo .
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```

### Enterprise: On-Premise Scanning

If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:

```bash
export GITGUARDIAN_ENDPOINT="https://your-instance.gitguardian.com"
export GITGUARDIAN_API_KEY="your-enterprise-key"
```

## Related Resources

- **ggshield Documentation**: https://docs.gitguardian.com/ggshield-docs/
- **GitGuardian Dashboard**: https://dashboard.gitguardian.com (view all secrets found)
- **Moltbot Skills**: https://docs.molt.bot/tools/clawdhub
- **Secret Management Best Practices**: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html

## Support

- **Bug reports**: https://github.com/GitGuardian/ggshield-skill/issues
- **Questions**: Open an issue or comment on ClawdHub
- **ggshield issues**: https://github.com/GitGuardian/ggshield/issues

## License

MIT License - See LICENSE file

## Contributors

- GitGuardian Team
- [Your contributions welcome!]

---

**Version**: 1.0.0
**Last updated**: January 2026
**Maintainer**: GitGuardian