This skill helps you scan your codebase for exposed secrets and credentials. It uses pattern matching and entropy analysis to identify potential security vulnerabilities such as API keys, passwords, and private keys. Use this skill when you want to proactively identify and remediate exposed secrets before they are committed to version control or deployed to production. It is triggered by phrases like "scan for secrets", "check for exposed credentials", "find API keys", or "run secret scanner".
Score: 77

Quality (does it follow best practices?): 7%
Impact: 90% (1.18x average score across 9 eval scenarios)
Rating: Risky. Do not use without reviewing.

Optimize this skill with Tessl:
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/secret-scanner/skills/secret-scanner/SKILL.md

Quality

Discovery: N/A (Something went wrong). Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

Implementation: 7%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a marketing description rather than actionable instructions. It never provides concrete commands, tool invocation syntax, regex patterns, or executable code that Claude could use to actually scan for secrets. The content is padded with explanations of when to use the skill and generic best practices, while lacking the core technical substance needed to perform the task.
Suggestions

- Replace the abstract 'How It Works' section with concrete, executable commands or code showing exactly how to invoke the secret scanner, including CLI syntax, arguments, and expected output format.
- Add actual regex patterns or detection rules (e.g., for AWS keys, private keys, passwords) so Claude can perform pattern matching directly if no plugin is available.
- Remove the 'When to Use', 'Best Practices', and 'Integration' sections entirely — these are generic filler that waste tokens and don't help Claude execute the task.
- Add a concrete example showing actual scanner output and the expected remediation workflow, including validation that the secret has been properly removed or rotated.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains things Claude already knows. The 'Overview' restates the description, 'When to Use' repeats trigger phrases from metadata, 'How It Works' is vague filler, and 'Best Practices' and 'Integration' sections provide generic advice Claude doesn't need. Nearly every section could be cut or drastically shortened. | 1 / 3 |
| Actionability | There is no executable code, no concrete commands, no actual tool invocation syntax, and no real configuration. The skill references a 'secret-scanner plugin' but never shows how to invoke it, what its CLI looks like, what arguments it takes, or what the output format is. The examples describe what 'the skill will do' rather than providing actionable instructions. | 1 / 3 |
| Workflow Clarity | The workflow steps are abstract descriptions ('Activate the plugin', 'Generate a report') with no concrete commands, no validation checkpoints, and no error handling or feedback loops. There's no guidance on what to do if the scan fails, how to interpret results, or how to verify remediation. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with headers, which provides some structure. However, there are no references to external files, no bundle files to reference, and the content is somewhat monolithic with sections that could be trimmed rather than split. For a skill with no bundle, the organization is adequate but the content itself doesn't warrant the number of sections. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed
Validation for skill structure: no warnings or errors.
13d35b8