Stats
Actions
Tags
From superpowers-plus
Scans wiki pages for exposed credentials, API keys, tokens, and private keys. Use during security reviews or after incidents involving wiki content.
How this skill is triggered — by the user, by Claude, or both
Slash command
/superpowers-plus:wiki-secret-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Scan wiki pages for exposed credentials, tokens, and keys. Wrong skill? Code
Scan wiki pages for exposed credentials, tokens, and keys. Wrong skill? Code
repos → repo-security-scan · Wiki-sourced instruction safety →
wiki-instruction-guard · Version claims → wiki-verify.
scan wiki for secrets, audit wiki for credentials, find leaked tokens in wiki, wiki security scanrepo-security-scan · Claim accuracy → wiki-verifyscan.md# Single page:
tools/wiki-read.sh get "$PAGE_ID" | jq -r '.text' > scan.md
# Bulk (search or list): pipe through get to assemble one corpus
tools/wiki-read.sh {search '"password" OR "api key"' --limit 50|list --collection "$UUID" --limit 500} \
| jq -r '.[].id' | while read id; do
tools/wiki-read.sh get "$id" | jq -r '"== " + .url + " ==\n" + .text'
done > scan.md
grep -n -E -i '(Server|Data Source)=[^;]*Password=[^;]+|\
(postgres|mysql|mongodb|redis)://[^:]+:[^@]+@|\
password[[:space:]]*[:=][[:space:]]*["'"'"']?[A-Za-z0-9_!@#$%^&*()-]{8,}|\
Bearer[[:space:]]+[A-Za-z0-9_-]{20,}|\
(api[_-]?key|apikey)[[:space:]]*[:=][[:space:]]*["'"'"']?[A-Za-z0-9_-]{20,}|\
-----BEGIN[[:space:]]+(RSA|EC|OPENSSH)?[[:space:]]*PRIVATE[[:space:]]+KEY-----|\
AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{32,}|\
gh[pousr]_[A-Za-z0-9]{30,}|xox[baprs]-[A-Za-z0-9-]{10,}|\
sk_live_[A-Za-z0-9]{20,}' scan.md \
| grep -v -E '\$\{?[A-Z_]+\}?|process\.env\.|\[REDACTED\]|<YOUR_' \
| tee findings.txt
Exit 0 + empty findings.txt → clean. Non-empty → report + remediate.
Report each finding as <url>:<line>: <pattern> — <preview>. Then remediate
in this order: (1) redact in wiki via tools/wiki-write.sh update;
(2) rotate the upstream credential; (3) audit access logs; (4) notify owner.
Env refs ($VAR, ${VAR}, process.env.VAR) · placeholders ([REDACTED],
<YOUR_VALUE>, xxx...) · docs guidance ("password must be 8+ chars").
Development setup · environment configuration · architecture docs · runbooks · personal notes sections.
| Failure | Fix |
|---|---|
| Obfuscated secrets (base64, url-encoded) | Grep additionally for high-entropy blocks ≥40 chars |
| Page history not scanned | wiki-read.sh get returns current only; use adapter's revision tool |
| Custom-format internal token missed | Add org regex to the grep alternation above |
wiki-write.sh exit 1 on redaction | STOP; ask user; do not retry |
Related: skills/_shared/secret-detection.md
npx claudepluginhub bordenet/superpowers-plus --plugin superpowers-plusGuides creation, editing, and verification of skills for AI coding agents using test-driven development with subagent scenarios. Use when authoring or debugging skills.