
Secret Protection
Stop API keys and credentials from landing in git, CI artifacts, logs, or agent chat through scanning, hooks, and runtime redaction.
Install
npx skills add https://github.com/itallstartedwithaidea/agent-skills --skill secret-protection
What is this skill?
- Three-ring protection: pre-commit, CI/CD, and runtime detection with independent fallbacks
- Zero-tolerance policy for secrets in code, config, logs, and AI conversation history
- .env scanning and pre-commit hooks before version control
- Secret rotation policies plus redaction in logs and error surfaces
- Framed around rapid exploitation risk after public credential exposure
Adoption & trust: 1 install on skills.sh; 18 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Journey fit
Canonical shelf is Ship because the skill enforces security gates across commit, CI/CD, and production-adjacent leakage—not optional polish during casual ideation. Security subphase matches secret scanning, rotation policy, and zero-tolerance for credentials in code and agent outputs.
Common Questions / FAQ
Is Secret Protection safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Secret Protection
# Secret Protection

Part of [Agent Skills™](https://github.com/itallstartedwithaidea/agent-skills) by [googleadsagent.ai™](https://googleadsagent.ai)

## Description

Secret Protection prevents credential leaks across the development lifecycle through `.env` scanning, pre-commit hooks, secret rotation policies, and runtime detection. The agent enforces a zero-tolerance policy for secrets in code, configuration, logs, or AI conversation history—catching leaks before they reach version control, CI artifacts, or production logs.

Secrets in source code are the most common cause of security breaches in modern applications. A single committed API key can compromise an entire cloud account within minutes of being pushed to a public repository. Automated bots continuously scan GitHub for exposed credentials, and the average time from commit to exploitation is under 15 minutes. This skill prevents that by intercepting secrets at every stage.

The protection operates in three rings: pre-commit (prevent secrets from entering the repository), CI/CD (catch secrets that bypass pre-commit), and runtime (detect and redact secrets in logs, error messages, and AI agent outputs). Each ring is independent—if one fails, the next catches the leak. Secret rotation is enforced on a schedule, ensuring that even an undetected exposure has a limited blast radius.
## Use When

- Setting up a new repository with proper secret management
- Adding pre-commit hooks to prevent credential leaks
- Auditing existing repositories for committed secrets
- Configuring CI/CD pipelines with secret scanning gates
- Implementing secret rotation policies
- Preventing agents from exposing secrets in their outputs

## How It Works

```mermaid
graph TD
    A[Developer / Agent Writes Code] --> B[Ring 1: Pre-Commit Hook]
    B --> C{Secrets Detected?}
    C -->|Yes| D[Block Commit + Alert]
    C -->|No| E[Allow Commit]
    E --> F[Ring 2: CI/CD Scan]
    F --> G{Secrets in Diff?}
    G -->|Yes| H[Fail Pipeline + Alert]
    G -->|No| I[Continue Pipeline]
    I --> J[Ring 3: Runtime Detection]
    J --> K[Redact Secrets in Logs]
    J --> L[Redact Secrets in Agent Output]
    K --> M[Production Safe]
    L --> M
    N[Rotation Schedule] --> O[Rotate Keys Monthly]
    O --> P[Update Secrets Manager]
    P --> Q[Deploy Updated References]
```

Three independent rings ensure that a secret leak must bypass all three layers to cause damage. The rotation schedule limits the blast radius of any undetected exposure.
## Implementation

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
  - repo: local
    hooks:
      - id: dotenv-check
        name: Check .env files not committed
        # Fail the commit if any staged path is a .env file or a .env.* variant
        entry: bash -c 'git diff --cached --name-only | grep -E "\.env($|\.)" && exit 1 || exit 0'
        language: system
        pass_filenames: false
```

```python
import re
from dataclasses import dataclass


@dataclass
class SecretPattern:
    name: str
    pattern: str
    severity: str


# Detection rules shared by the pre-commit, CI/CD and runtime rings
SECRET_PATTERNS = [
    SecretPattern("AWS Access Key", r"AKIA[0-9A-Z]{16}", "CRITICAL"),
    SecretPattern("AWS Secret Key", r"(?i)aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}", "CRITICAL"),
    SecretPattern("GitHub Token", r"gh[ps]_[A-Za-z0-9_]{36,}", "CRITICAL"),
    SecretPattern("Generic API Key", r"(?i)(api[_-]?key|apikey)\s*[:=]\s*['\"][A-Za-z0-9]{20,}['\"]", "HIGH"),
    SecretPattern("Private Key", r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", "CRITICAL"),
    SecretPattern("Cloudflare Token", r"(?i)cloudflare.*(?:token|key)\s*[:=]\s*['\"][A-Za-z0-9_-]{40,}['\"]", "CRITICAL"),
    SecretPattern("JWT Token", r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}", "HIGH"),
    # further patterns truncated in the source
]
```
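Ring 3 (runtime redaction) as working code, added here as an example and not part of the skill's own implementation: a redaction pass built on a subset of the SECRET_PATTERNS above, plus a `logging.Filter` that applies it before a record reaches any sink. The widened private-key regex, the `fingerprint` helper and the sample lines are my assumptions and constructed input, not the page's.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Subset of the page's SECRET_PATTERNS. The private-key regex is widened here
# (my assumption, not the page's pattern) to cover the whole PEM block: redacting
# only the BEGIN header would leave the key material itself in the log line.
PATTERNS = [
    ("AWS Access Key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("GitHub Token", re.compile(r"gh[ps]_[A-Za-z0-9_]{36,}")),
    ("Private Key", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"
        r"[\s\S]*?-----END (?:RSA |EC |DSA )?PRIVATE KEY-----")),
]

@dataclass
class Redacted:
    text: str
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (name, fingerprint)

def fingerprint(secret: str) -> str:
    """Keep only the first and last four characters: enough to tie a finding to
    a rotation ticket, not enough to reconstruct the secret."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 8 else "*" * len(secret)

def redact(text: str) -> Redacted:
    """Replace every match with a labelled placeholder and record what was hit."""
    findings: List[Tuple[str, str]] = []
    for name, rx in PATTERNS:
        findings += [(name, fingerprint(m.group(0))) for m in rx.finditer(text)]
        text = rx.sub(f"[REDACTED:{name}]", text)
    return Redacted(text, findings)

class SecretRedactingFilter(logging.Filter):
    """Attach to a handler so redaction runs before any sink writes the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format once, redact, and clear args so the handler cannot re-format
        record.msg, record.args = redact(record.getMessage()).text, ()
        return True

# Constructed sample: an app log line, an agent chat turn and a pasted PEM key.
SAMPLE = (
    "2024-05-01T10:00:00Z ERROR sts auth failed for AKIAIOSFODNN7EXAMPLE\n"
    "agent> the deploy config sets GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKexample\n-----END RSA PRIVATE KEY-----\n"
)
```

Attach it with `handler.addFilter(SecretRedactingFilter())` on every handler, not on the logger, since logger-level filters do not apply to records propagated from child loggers. Tracebacks carried in `record.exc_info` are rendered later by the handler's Formatter and are not covered by this filter; a Formatter subclass that runs `redact` over its output closes that gap.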