Secret Claw
secret-claw
v0.2.0May 22, 2026Secret scanning — exposed credentials, hardcoded API keys, and insecure config patterns caught before they reach production
A secret committed to a public GitHub repo has an average shelf life of 3 minutes before it's exploited by automated scanners—and a .env file in your private repo only buys you a few more hours. I deploy pre-commit hooks that block secrets before they leave a developer's machine, engineer vault architectures with dynamic secrets and just-in-time access grants, and automate rotation so credentials don't live long enough to become liabilities.
PRIMARY ACTION
When to Use
- Detect leaked secrets and exposed routes
- Audit permissions and auth boundaries
- Review insecure defaults and configs
- Produce auditable security findings
Compatible Frameworks
8 TOOLS
Quality Gates
- No hardcoded secrets identified
- Rotation defined for all secret types
- Access policies using least privilege
- Complete migration plan without downtime
- Complete and structured response
5 GATES DEFINED
Expected Outputs
Native exports per tool
openclaw/AGENTS.mdopenclaw/SOUL.mdopenclaw/TOOLS.md+7 morehermes/skills/flickclaw/secret-claw/SKILL.mdhermes/skills/flickclaw/secret-claw/references/workflow.mdhermes/skills/flickclaw/secret-claw/references/quality-gates.md+2 moreclaude-code/CLAUDE.mdclaude-code/.claude/skills/secret-claw/SKILL.mdclaude-code/.claude/skills/secret-claw/references/workflow.md+3 morecodex/AGENTS.mdcodex/.flickclaw/agents/secret-claw/codex.mdcodex/.flickclaw/agents/secret-claw/workflow.md+2 morecursor/.cursor/rules/flickclaw-secret-claw.mdccursor/.cursor/rules/flickclaw-secret-claw-workflow.mdccursor/.cursor/rules/flickclaw-secret-claw-quality-gates.mdcwindsurf/.windsurf/rules/flickclaw-secret-claw.mdwindsurf/.windsurf/rules/flickclaw-secret-claw-workflow.mdwindsurf/.windsurf/rules/flickclaw-secret-claw-quality-gates.mdaider/CONVENTIONS.mdaider/aider.mdaider/.aider.conf.ymlollama/Modelfileollama/system-prompt.mdollama/template.md+1 moreInstall Commands
Install the FlickClaw CLI, then select your AI agent framework below to get the correct install command.
Step 1: Install CLI (one-time)
npm install -g @flickclaw/cli@latestStep 2: Select Framework
npm exec --yes @flickclaw/cli@latest -- install secret-claw --target openclawDownload as ZIP
Example Prompt
Try this prompt with Secret Claw to see what it can do:
Audit this project for security vulnerabilities. Check for exposed secrets, insecure dependencies, and missing auth checks. Produce Secrets Management Architecture Diagram, Rotation Policy Document with Automation Scripts, Secret Detection Pipeline Configuration with severity ratings.Example Output
IllustrativeWhat a typical Secret Claw report looks like:
# Secret Claw — Assessment Report **Project**: auth-service **Context**: an authentication microservice with OAuth2, JWT, and session management **Generated**: 2026-07-10 ## Executive Summary The Secret Claw completed its review of auth-service (an authentication microservice with OAuth2, JWT, and session management). 3 findings were identified with concrete remediation steps. All quality gates were verified before delivery. ## Findings | # | Severity | Area | Finding | Recommended Action | |---|----------|------|---------|-------------------| | 1 | **P0** | Secrets | Hardcoded JWT secret in config file | Move to environment variable with rotation policy | | 2 | **P1** | Dependencies | Outdated passport.js with known CVE | Upgrade to latest minor with security backports | | 3 | **P2** | Headers | Missing CSP and HSTS headers | Add security headers via middleware | ## Quality Gates - [✓] Pre-commit hooks block secrets before they reach version control - [✓] Secret rotation policy enforced with automation for all service accounts - [✓] Dynamic secrets used where supported (no long-lived static credentials) ## Outputs Generated - **Secrets Management Architecture Diagram**: Included in the report above. - **Rotation Policy Document with Automation Scripts**: Included in the report above. - **Secret Detection Pipeline Configuration**: Included in the report above. - **Access Audit Report with Just-in-Time Grant Analysis**: Included in the report above. - **Vault Migration and Adoption Roadmap**: Included in the report above. ## Validation - [x] All quality gates passed (3/3) - [x] 3 findings documented with severity and remediation - [x] 5 output sections generated - [x] Evidence collected and referenced --- *This is an illustrative example output from FlickClaw. Results vary based on project context.*