
scanning-for-secrets

This skill helps you scan your codebase for exposed secrets and credentials. It uses pattern matching and entropy analysis to identify potential security vulnerabilities such as API keys, passwords, and private keys. Use this skill when you want to proactively identify and remediate exposed secrets before they are committed to version control or deployed to production. It is triggered by phrases like "scan for secrets", "check for exposed credentials", "find API keys", or "run secret scanner".

Install with Tessl CLI

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill scanning-for-secrets

66

Does it follow best practices?

Validation for skill structure


Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly articulates what the skill does (secret scanning with pattern matching and entropy analysis), when to use it (before commits/deployment), and includes explicit trigger phrases. The only minor issue is the use of second person ('helps you', 'you want') which should be third person per guidelines, but the content quality is otherwise excellent.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'scan your codebase for exposed secrets', 'pattern matching and entropy analysis', identifies specific items like 'API keys, passwords, and private keys'. | 3 / 3 |
| Completeness | Clearly answers both what (scan codebase for secrets using pattern matching and entropy analysis) AND when (explicit 'Use this skill when...' clause plus 'triggered by phrases like...' section). | 3 / 3 |
| Trigger Term Quality | Explicitly lists natural trigger phrases users would say: 'scan for secrets', 'check for exposed credentials', 'find API keys', 'run secret scanner' - these are realistic user queries. | 3 / 3 |
| Distinctiveness Conflict Risk | Clear security-focused niche with distinct triggers around secrets, credentials, and API keys. Unlikely to conflict with general code analysis or other security skills due to specific terminology. | 3 / 3 |

Total: 12 / 12, Passed

Implementation

35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill content reads more like documentation about what a feature does rather than actionable instructions for Claude. It lacks any executable code, concrete commands, or specific syntax for invoking the secret-scanner plugin. The content is moderately organized but verbose, explaining concepts rather than providing copy-paste ready guidance.

Suggestions

Add concrete command syntax or code showing how to invoke the secret-scanner plugin (e.g., `secret-scanner scan --path ./src`)

Include an example of actual scanner output format so Claude knows what to expect and how to interpret results

Remove the 'How It Works' and 'When to Use' sections - these duplicate the description and explain rather than instruct

Add validation steps: what to do if the scanner fails, how to verify remediation was successful

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content includes some unnecessary explanation (e.g., 'This skill enables Claude to scan...' and 'How It Works' section that describes what Claude would do rather than instructing). The 'When to Use' section largely duplicates the description. Could be tightened significantly. | 2 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. The skill describes what will happen ('The skill will activate the plugin') but never shows how to actually invoke the scanner, what commands to run, or what the output format looks like. References a 'secret-scanner plugin' without showing usage syntax. | 1 / 3 |
| Workflow Clarity | Steps are listed in a sequence (Initiate -> Analysis -> Report), but there are no validation checkpoints, no error handling guidance, and no concrete feedback loops for when secrets are found. The remediation steps are mentioned but not detailed. | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections, but everything is inline in one file. For a skill of this complexity, the structure is acceptable, but the 'Best Practices' and 'Integration' sections add bulk without providing actionable detail that would warrant separate files. | 2 / 3 |

Total: 7 / 12, Passed

Validation

68%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 16 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| description_voice | 'description' should use third person voice; found second person: 'your ' | Warning |
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |

Total: 11 / 16, Passed
