SR
SKILLRADAR
AI Security • Benchmarking • Index
Menu
Trust Report v1

openclaw-secret-scanning-maintainer

Triage, redact, clean up, and resolve OpenClaw GitHub Secret Scanning alerts in issues or PRs.

Overall
67
Trust
39
Utility
88
Momentum
95

Install caution

High-risk behavior present

Risk: High

Source: OpenClaw Built-in Skills

Path: .agents/skills/openclaw-secret-scanning-maintainer/SKILL.md

Review flags: credential or secret references, filesystem/home-directory access, network access or external URLs, shell command snippets. These are review signals, not definitive security judgments; inspect before installing.

Required permissions

  • Environment variables / secrets
  • Shell commands
  • Network/API usage
  • Filesystem/home access

Permissions are inferred from SKILL.md text only. They are review prompts, not guarantees about runtime behavior.

Risk flags explained

credential_or_secret_referencehigh

Mentions tokens, API keys, passwords, or private-key style environment variables.

filesystem_write_or_home_accessmedium

Mentions filesystem writes, deletes, home-directory paths, or config/key locations.

network_accessmedium

Mentions external URLs, network APIs, downloads, or HTTP client usage.

shell_commandmedium

Contains shell command snippets. Review commands before copy/paste or agent execution.

Score explanation

Trust

  • Trust starts at 90 before review-signal penalties and metadata bonuses.
  • Risk-signal penalty: -53 from 4 detected flag(s).
  • Metadata bonus: +2 from author/version/description fields.

Utility

  • Utility starts at 55 and rewards clear descriptions, runnable examples, and explicit setup needs.
  • Description present: yes.
  • Command examples detected: 14.
  • Environment variables detected: 2.

Momentum

  • Momentum starts at 45 and uses public repo activity signals.
  • Recent commit activity: latest repo update was 0 day(s) ago.
  • Recent commit volume: 100 commit(s) in the lookback window (+20).
  • Source has strong public adoption: 379781 stars.
  • Fork activity suggests reuse: 79500 forks.

Overall

  • Overall score weights trust 45%, utility 35%, and momentum 20%.

Detected signals

Env vars

  • API
  • SECRET_TYPES

Commands

  • https://github.com/openclaw/openclaw/security/secret-scanning
  • node secret-scanning.mjs delete-comment <COMMENT_ID>
  • node secret-scanning.mjs delete-discussion-comment <COMMENT_NODE_ID>
  • node secret-scanning.mjs fetch-alert <NUMBER>
  • node secret-scanning.mjs fetch-content '<location-json>'
  • node secret-scanning.mjs list-open
  • node secret-scanning.mjs notify <TARGET> <AUTHOR> <LOCATION_TYPE> <SECRET_TYPES> [REPLY_TO_NODE_ID|BODY_REDACTION_RESULT_FILE]
  • node secret-scanning.mjs recreate-comment <ISSUE_NUMBER> <body-file>
  • node secret-scanning.mjs recreate-discussion-comment <DISCUSSION_NODE_ID> <body-file> [REPLY_TO_NODE_ID]
  • node secret-scanning.mjs redact-body-if-needed <issue|pr> <NUMBER> <current-body-file> <redacted-body-file> <result-file>
  • node secret-scanning.mjs resolve <ALERT_NUMBER>
  • node secret-scanning.mjs resolve <ALERT_NUMBER> revoked "Current issue/PR body is already redacted; no public notification posted."

URLs

  • https://github.com/openclaw/openclaw/issues/63101#issuecomment-xxx
  • https://github.com/openclaw/openclaw/security/secret-scanning`.
  • https://support.github.com/contact

Provenance & evidence

SkillRadar makes each review traceable back to the exact source path, source blob SHA, scanner version, and text-only policy that produced the report.

source
github.com/openclaw/openclaw@main
path
.agents/skills/openclaw-secret-scanning-maintainer/SKILL.md
source blob SHA
a1e5316d2f2aebcf0af8d436f764f2488bbd9b84
scanner version
0.3.0
security model
text_only_no_execute_no_install_no_secrets
scan policy
Fetched and scored as text only; no install, no execution, no runtime loading.

Evidence snippets

credential_or_secret_reference

…tep 5: Notify ```bash node secret-scanning.mjs notify <TARGET> <AUTHOR> <LOCATION_TYPE> <SECRET_TYPES> [REPLY_TO_NODE_ID|BODY_REDACTION_RESULT_FILE] ``` - For non-discussion types, `<TARGET>…

filesystem_write_or_home_access

…**Maintainer-only.** This skill requires repo admin / maintainer permissions to edit or delete other users' comments and resolve secret scanning alerts. Use this skill when processing…

network_access

…comments and resolve secret scanning alerts. Use this skill when processing alerts from `https://github.com/openclaw/openclaw/security/secret-scanning`. **Language rule:** All notificati…

shell_command

…loses the alert 7. **Summary** — `summary` prints formatted results ## Step 1: Identify ```bash # List all open alerts node secret-scanning.mjs list-open # Fetch specific alert metadat…

Watch this skill

Get alerted when this skill adds credential requirements, shell commands, external domains, remote installer patterns, or risk-level changes.

Join watchlist beta

Methodology note

SkillRadar scans SKILL.md as hostile text only. It does not execute commands, install packages, or load third-party skills.

View source SKILL.mdBack to changesView sources