
scanning-for-secrets

tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill scanning-for-secrets
github.com/jeremylongshore/claude-code-plugins-plus-skills

This skill helps you scan your codebase for exposed secrets and credentials. It uses pattern matching and entropy analysis to identify potential security vulnerabilities such as API keys, passwords, and private keys. Use this skill when you want to proactively identify and remediate exposed secrets before they are committed to version control or deployed to production. It is triggered by phrases like "scan for secrets", "check for exposed credentials", "find API keys", or "run secret scanner".
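The description names the two techniques such scanners rely on, pattern matching for known credential shapes and entropy analysis for random-looking strings. The following Python script, added here as an illustration and not taken from the skill or the linked repository, runs both over a few constructed sample lines. The rule set, the entropy threshold, the placeholder markers and the sample values are all assumptions chosen for this example; the AWS key id is the publicly documented placeholder value.

```python
import math
import re
from dataclasses import dataclass

# Pattern rules (constructed for this example; not the skill's own rule set).
# Each regex targets a well-known credential shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    "generic_password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"
    ),
}

# Entropy rule: any run of 20+ base64/hex-like characters is a candidate;
# it is flagged when its Shannon entropy (bits per character) reaches the threshold.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # constructed cut-off; tune it against your own codebase

# Tokens carrying obvious placeholder markers are skipped by the entropy rule
# to cut noise; the regex rules above still fire on them.
PLACEHOLDER_MARKERS = ("EXAMPLE", "CHANGEME", "PLACEHOLDER")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return f"{token[:4]}...({len(token)} chars)"


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str


def scan_lines(lines):
    """Apply the pattern rules, then the entropy rule, to every line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(line_no, rule, redact(m.group(0))))
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if any(mark in token.upper() for mark in PLACEHOLDER_MARKERS):
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_string", redact(token)))
    return findings


def scan_text(text: str):
    """Convenience wrapper for scanning a whole file's contents."""
    return scan_lines(text.splitlines())


# Constructed sample input: the key id is the public AWS documentation placeholder,
# the api_token value is a made-up random-looking string (31 distinct characters).
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'api_token = "q8Zt3Kd9Lw2Xv7Rn4Ys6Bm1Pc5Hg0Jf"',
    'password = "hunter2"',
    'logo_base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"',  # low entropy: not flagged
    '-----BEGIN RSA PRIVATE KEY-----',
    'total = compute_total(values)',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Run against the sample it reports four findings (lines 1, 2, 3 and 5) and stays silent on the all-"A" string and the ordinary code line. The excerpt is redacted on purpose: a scanner report that echoes the full secret just creates a second place to leak it, so the output shows only a prefix and the length, which is enough for a developer to locate and rotate the credential.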

Review Score: 66%
Validation Score: 11/16
Implementation Score: 35%
Activation Score: 100%


Validation

Total: 11/16 (Passed)

Criteria and findings:

description_voice: 'description' should use third person voice; found second person: 'your '

description_trigger_hint: Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...')

metadata_version: 'metadata' field is not a dictionary

license_field: 'license' field is missing

body_output_format: No obvious output/return/format terms detected; consider specifying expected outputs

Implementation

Score: 35% (4 suggestions)

Overall Assessment

This skill content reads more like documentation about what a feature does rather than actionable instructions for Claude. It lacks any executable code, concrete commands, or specific syntax for invoking the secret-scanner plugin. The content is moderately organized but verbose, explaining concepts rather than providing copy-paste ready guidance.

Suggestions

  • Add concrete command syntax or code showing how to invoke the secret-scanner plugin (e.g., `secret-scanner scan --path ./src`)
  • Include an example of actual scanner output format so Claude knows what to expect and how to interpret results
  • Remove the 'How It Works' and 'When to Use' sections - these duplicate the description and explain rather than instruct
  • Add validation steps: what to do if the scanner fails, how to verify remediation was successful
Dimension, score and reasoning:

Conciseness (2/3): The content includes some unnecessary explanation (e.g., 'This skill enables Claude to scan...' and a 'How It Works' section that describes what Claude would do rather than instructing). The 'When to Use' section largely duplicates the description. Could be tightened significantly.

Actionability (1/3): No concrete code, commands, or executable guidance provided. The skill describes what will happen ('The skill will activate the plugin') but never shows how to actually invoke the scanner, what commands to run, or what the output format looks like. References a 'secret-scanner plugin' without showing usage syntax.

Workflow Clarity (2/3): Steps are listed in a sequence (Initiate -> Analysis -> Report), but there are no validation checkpoints, no error handling guidance, and no concrete feedback loops for when secrets are found. The remediation steps are mentioned but not detailed.

Progressive Disclosure (2/3): Content is reasonably organized with clear sections, but everything is inline in one file. For a skill of this complexity, the structure is acceptable, but the 'Best Practices' and 'Integration' sections add bulk without providing actionable detail that would warrant separate files.

Activation

Score: 100%

Overall Assessment

This is a strong skill description that clearly articulates what the skill does (secret scanning with pattern matching and entropy analysis), when to use it (before commits/deployment), and includes explicit trigger phrases. The only minor issue is the use of second person ('helps you', 'you want') which should be third person per guidelines, but the content quality is otherwise excellent.

Dimension, score and reasoning:

Specificity (3/3): Lists multiple specific concrete actions: 'scan your codebase for exposed secrets', 'pattern matching and entropy analysis', and identifies specific items like 'API keys, passwords, and private keys'.

Completeness (3/3): Clearly answers both what (scan codebase for secrets using pattern matching and entropy analysis) AND when (explicit 'Use this skill when...' clause plus 'triggered by phrases like...' section).

Trigger Term Quality (3/3): Explicitly lists natural trigger phrases users would say: 'scan for secrets', 'check for exposed credentials', 'find API keys', 'run secret scanner'; these are realistic user queries.

Distinctiveness / Conflict Risk (3/3): Clear security-focused niche with distinct triggers around secrets, credentials, and API keys. Unlikely to conflict with general code analysis or other security skills due to specific terminology.