# ggshield-scanner

Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.
Install via ClawdBot CLI:

```sh
clawdbot install amascia-gg/ggshield-scanner
```

ggshield is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.
Secrets are sensitive credentials that should NEVER be committed to version control:
A single leaked secret can:
ggshield catches these before they reach your repository.
### scan-repo

Scans an entire git repository for secrets (including history).

```text
@clawd scan-repo /path/to/my/project
```

Output:

```text
🔍 Scanning repository...
✅ Repository clean: 1,234 files scanned, 0 secrets found
```

Output on detection:

```text
❌ Found 2 secrets:
  - AWS Access Key ID in config/prod.py:42
  - Slack API token in .env.backup:8

Use 'ggshield secret ignore --last-found' to ignore, or remove them.
```
### scan-file

Scans a single file for secrets.

```text
@clawd scan-file /path/to/config.py
```
### scan-staged

Scans only staged git changes (useful pre-commit check).

```text
@clawd scan-staged
```

This runs on your `git add`-ed changes only (fast!).
### install-hooks

Installs ggshield as a git pre-commit hook.

```text
@clawd install-hooks
```

After this, every commit is automatically scanned:

```text
$ git commit -m "Add config"
🔍 Running ggshield pre-commit hook...
❌ Secrets detected! Commit blocked.
Remove the secrets and try again.
```
### scan-docker

Scans Docker images for secrets in their layers.

```text
@clawd scan-docker my-app:latest
```
```sh
# Quote the version specifier: an unquoted >= is a shell redirection
pip install "ggshield>=1.15.0"
export GITGUARDIAN_API_KEY="your-api-key-here"
clawdhub install ggshield-scanner
```
The skill is now available in your Moltbot workspace.

Start a new Moltbot session to pick up the skill:

```sh
moltbot start
# or via messaging: @clawd list-skills
```
```text
Dev: @clawd scan-repo .
Moltbot: ✅ Repository clean. All good to push!
Dev: git push
```

```text
Dev: @clawd scan-repo ~/my-old-project
Moltbot: ❌ Found 5 secrets in history!
  - AWS keys in config/secrets.json
  - Database password in docker-compose.yml
  - Slack webhook in .env.example
Moltbot: Recommendation: Rotate these credentials immediately.
         Consider using git-filter-repo to remove from history.
```

```text
Dev: @clawd install-hooks
Moltbot: ✅ Installed pre-commit hook
Dev: echo "SECRET_TOKEN=xyz" > config.py
Dev: git add config.py
Dev: git commit -m "Add config"
Moltbot: ❌ Pre-commit hook detected secret!
Dev: rm config.py && git reset
Dev: (add config to .gitignore and to environment variables instead)
Dev: git commit -m "Add config" # Now works!
```

```text
Dev: @clawd scan-docker my-api:v1.2.3
Moltbot: ✅ Docker image clean
```
These are required for the skill to work:
| Variable | Value | Where to Set |
| :-- | :-- | :-- |
| GITGUARDIAN_API_KEY | Your API key from https://dashboard.gitguardian.com | ~/.bashrc or ~/.zshrc |
| GITGUARDIAN_ENDPOINT | https://api.gitguardian.com (default, optional) | Usually not needed |
Create `~/.gitguardian/.gitguardian.yml` for persistent settings:

```yaml
verbose: false
output-format: json
exit-code: true
```
For details: https://docs.gitguardian.com/ggshield-docs/
✅ ONLY metadata is sent:

❌ NEVER sent:
Reference: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.
ggshield uses:
ggshield is not installed or not in your PATH.

Fix:

```sh
pip install ggshield
which ggshield # Should return a path
```
The environment variable is not set.

Fix:

```sh
export GITGUARDIAN_API_KEY="your-key"
# For persistence, add to ~/.bashrc or ~/.zshrc:
echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc
source ~/.bashrc
```
API key is invalid or expired.

Fix:

```sh
# Test the API key
ggshield auth status
# If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens
# Then: export GITGUARDIAN_API_KEY="new-key"
```
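Added example, not code from the ggshield-scanner skill or from GitGuardian, tying the install-hooks section to the two troubleshooting items above: a pre-commit hook wrapper that fails closed when ggshield is missing or GITGUARDIAN_API_KEY is unset, rather than letting a commit through unscanned. It assumes ggshield exits 0 when clean and 1 when secrets are found; the `secret_gate` name and its return-code scheme are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ggshield-scanner skill: a fail-closed
# pre-commit gate around ggshield. A hook that merely runs the scanner
# passes silently when the scanner is broken; this one blocks instead.
# Assumptions: ggshield exits 0 when clean and 1 when secrets are found;
# any other status is treated as a scanner error (also blocking).

# secret_gate: scan staged changes. Return codes:
#   0 clean   1 secrets found   2 scanner missing or unconfigured   3 scanner error
secret_gate() {
  if ! command -v ggshield >/dev/null 2>&1; then
    echo "secret_gate: ggshield not in PATH (pip install ggshield); blocking commit" >&2
    return 2
  fi
  if [ -z "${GITGUARDIAN_API_KEY:-}" ]; then
    echo "secret_gate: GITGUARDIAN_API_KEY not set; blocking commit" >&2
    return 2
  fi
  # Same scope as the skill's scan-staged: only what is staged for this commit.
  ggshield secret scan pre-commit "$@"
  gg_status=$?
  case "$gg_status" in
    0) return 0 ;;
    1) echo "secret_gate: secrets detected, commit blocked" >&2
       return 1 ;;
    *) echo "secret_gate: ggshield exited with $gg_status; blocking commit" >&2
       return 3 ;;
  esac
}

# Installed as .git/hooks/pre-commit, the script runs the gate; any non-zero
# exit makes git abort the commit. Under any other name it only defines the
# function, so it can be sourced and tested.
case "$0" in
  */pre-commit) secret_gate "$@"; exit $? ;;
esac
```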
Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.

Workaround:

```text
# Scan only staged changes (faster):
@clawd scan-staged
# Or specify a subdirectory:
@clawd scan-file ./app/config.py
```
Sometimes ggshield flags a string that's NOT a secret (e.g., a test key):

```sh
# Ignore the last secret found
ggshield secret ignore --last-found
# Ignore all in a file
ggshield secret ignore --path ./config-example.py
```

This creates .gitguardian/config.json with ignore rules.
You can add secret scanning to GitHub Actions / GitLab CI. Note that `ggshield secret scan repo` walks commit history, so the checkout must fetch full history (for `actions/checkout`, set `fetch-depth: 0`); on a shallow clone only the checked-out commit is scanned.

```yaml
# .github/workflows/secret-scan.yml
name: Secret Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install ggshield
      - run: ggshield secret scan repo .
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```
If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:

```sh
export GITGUARDIAN_ENDPOINT="https://your-instance.gitguardian.com"
export GITGUARDIAN_API_KEY="your-enterprise-key"
```
MIT License - See LICENSE file
Version: 1.0.0
Last updated: January 2026
Maintainer: GitGuardian
Generated Mar 1, 2026
Development teams integrate ggshield as a pre-commit hook to automatically scan staged changes for secrets before commits, preventing accidental leaks into version control. This ensures code quality and compliance with security policies, reducing incident response costs.
Organizations audit existing codebases to identify historical secrets, such as AWS keys or database passwords, enabling credential rotation and remediation. This mitigates risks from past oversights and supports regulatory compliance like GDPR.
DevOps teams embed ggshield into continuous integration pipelines to scan code during builds, providing automated feedback on pull requests. This scales secret detection across large projects and enforces security standards.
Containerized application developers scan Docker images for embedded secrets in layers before deployment, preventing exposure in production environments. This complements infrastructure-as-code security practices.
Security consultants use ggshield to assess external or open-source code for hardcoded secrets during vendor audits, helping clients avoid supply chain vulnerabilities. This supports due diligence in partnerships.
GitGuardian offers a free tier for basic scanning with limited features, driving user adoption, while premium tiers provide advanced detection, team management, and enterprise support. Revenue comes from subscription fees based on scan volume and integrations.
Large organizations purchase enterprise licenses for on-premise deployment, custom integrations, and dedicated support, ensuring data privacy and compliance. This model targets regulated industries like finance and healthcare.
The skill is distributed through platforms like Clawdhub, where developers install it as part of their AI agent toolkit, potentially generating revenue via marketplace commissions or upsells to premium services. This leverages community growth.
💬 Integration Tip
Ensure ggshield CLI and API key are properly installed and set in environment variables before using the skill; test with a small file first to verify functionality.