From soundcheck
Detects API keys, passwords, tokens, and credentials embedded in source code, config files, and test fixtures. Flags hardcoded secrets that could be exposed via version control.
Slash command
/soundcheck:hardcoded-secrets
Protects against credentials, API keys, and secrets embedded directly in source code. Hardcoded secrets end up in version control history, build artifacts, and container images. Once committed, secrets are effectively public — even if the commit is reverted, the secret remains in git history.
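The point about reverted commits, as an added example that is not part of the soundcheck skill: the script builds a throwaway repository, commits a constructed fake key, reverts it, then compares a working-tree search with a history search. The key value, the file name `config.py` and all function names are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added demonstration. FAKE_KEY is a constructed value, not a real credential.
FAKE_KEY='sk_test_CONSTRUCTED_0123456789abcdef'

# Run git with a throwaway identity so commits work without global config.
g() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

# Build a temporary repo: clean commit, commit that hardcodes the key, revert.
# Prints the repo path on success.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" &&
        g init -q . &&
        printf 'API_KEY = os.environ["API_KEY"]\n' > config.py &&
        g add config.py &&
        g commit -q -m 'load key from environment' &&
        printf 'API_KEY = "%s"\n' "$FAKE_KEY" > config.py &&
        g commit -q -am 'temporary: hardcode key' &&
        g revert --no-edit HEAD
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$repo"
}

# Tracked files in the current checkout that still contain the key.
count_in_worktree() {
    n=$(git -C "$1" grep -lF -e "$FAKE_KEY" | wc -l)
    echo $((n))
}

# Commits anywhere in history whose diff adds or removes the key (pickaxe).
count_in_history() {
    n=$(git -C "$1" log --all --format=%H -S"$FAKE_KEY" | wc -l)
    echo $((n))
}

demo=$(make_demo_repo) || { echo "git not available" >&2; exit 1; }
echo "files containing key after revert: $(count_in_worktree "$demo")"
echo "commits in history touching key:   $(count_in_history "$demo")"
rm -rf "$demo"
```

The checkout reports no match while history reports two commits, the one that added the key and the revert that removed it, so a scan limited to the current tree misses the exposure.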
Flag the hardcoded secret and explain the risk. Translate the principles below to the audited file's language and deployment environment — use that stack's documented secret loader, env-var helper, or secrets-manager client.
For each finding, establish these properties:
npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck
Detects hardcoded secrets, API keys, credentials, tokens, and private keys in source code and git history using regex patterns for pentesting and code reviews.
This skill should be used when the user asks to "find hardcoded secrets", "audit for credential leaks", "check for API keys in code", "review secret scanning alerts", "rotate a leaked secret", or needs to detect hardcoded credentials, review secret handling patterns, or remediate exposed secrets.
Scans code, git history, and configs for secrets like API keys, cloud credentials, private keys, and DB strings using regex, entropy, and context. Assesses severity and generates remediation reports.