Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
Does it follow best practices?
Impact: not scored (no eval scenarios have been run)
Passed: no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines specific capabilities (detecting credentials, API keys, tokens, secrets), uses natural trigger terms users would actually say, and explicitly states both what the skill does and when to use it. It occupies a well-defined niche that is unlikely to conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific, concrete actions: 'Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files.' These are concrete, enumerated capabilities. | 3 / 3 |
| Completeness | Clearly answers both what ('Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files') and when ('Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'hardcoded credentials', 'API keys', 'tokens', 'secrets', 'leaked secrets', 'commit/merge', 'credential exposure', 'secret detection'. These are all terms a user would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche around secret/credential detection in code. The specific trigger terms like 'hardcoded credentials', 'API keys', 'leaked secrets', and 'secret detection' are highly distinctive and unlikely to conflict with general code review or security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 79%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted, concise skill that provides highly actionable guidance for secret detection with specific tools, commands, and patterns. Its main weaknesses are the lack of an explicit validation/feedback loop for confirming remediation of discovered secrets, and references to bundle files (plays/secrets-scan.md, templates/finding.md) that aren't provided, making the progressive disclosure structure unverifiable.
Suggestions
Add a verification step after rotation actions (e.g., 'Confirm rotated credentials work and old ones are invalidated') to close the feedback loop for this security-critical workflow.
Provide the referenced `templates/finding.md` and `plays/tier1-code-analysis/secrets-scan.md` as bundle files, or inline a minimal finding template so the skill is self-contained.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every line serves a purpose. No unnecessary explanations of what secrets are or why they matter. The tool commands, patterns, and file lists are all actionable reference material Claude wouldn't inherently know (specific token prefixes, tool flags, high-risk filenames). | 3 / 3 |
| Actionability | Provides concrete, executable commands for multiple scanner tools with specific flags, lists exact regex-matchable patterns (AKIA, sk-, ghp_, etc.), names specific high-risk files, and gives clear contextual analysis criteria. The guidance is specific and directly usable. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (automated scan → manual patterns → contextual analysis → preventive controls), but there's no explicit validation/feedback loop. For a security scanning workflow, there should be a verification step confirming that findings are triaged and rotation is confirmed, especially since active production secrets are flagged as requiring immediate action. | 2 / 3 |
| Progressive Disclosure | References `plays/tier1-code-analysis/secrets-scan.md` and `templates/finding.md` for deeper content, which is good progressive disclosure structure. However, no bundle files are provided, so these references are unverifiable. The SKILL.md itself is well-organized with clear sections, but the referenced files' absence makes navigation incomplete. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.