OpenClaw Secret Scanning Maintainer

Maintainer-only. This skill requires repo admin / maintainer permissions to edit or delete other users' comments and resolve secret scanning alerts.

Use this skill when processing alerts from https://github.com/openclaw/openclaw/security/secret-scanning.

Language rule: All notification comments and replacement comments MUST be written in English.

Script

All mechanical operations (API calls, temp file management, security enforcements) are handled by:

$REPO_ROOT/.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs

The script enforces:

• hide_secret=true on all alert fetches (no plaintext secrets in stdout)
• mktemp with random UUIDs for all temp files
• -F body=@file for all body uploads (no inline shell quoting)
• Notification templates branched by location type
• Never prints .secret or .body to stdout

Overall Flow

Supports single or multiple alerts. For multiple alerts, process in ascending order.

For each alert:

1. Identify — fetch-alert + fetch-content to get metadata and body
2. Decide — Agent reads the body file, identifies whether plaintext secrets remain, and produces a redacted version only when needed
3. Redact — redact-body-if-needed for issue/PR body; skip for comments (delete directly)
4. Purge — delete-comment + recreate-comment for comments; cannot purge body history
5. Notify — notify posts the right template per location type, unless the current issue/PR body is already redacted
6. Resolve — resolve closes the alert
7. Summary — summary prints formatted results

Step 1: Identify

# List all open alerts
node secret-scanning.mjs list-open

# Fetch specific alert metadata + locations
node secret-scanning.mjs fetch-alert <NUMBER>

# Fetch content for each location (saves body to temp file)
node secret-scanning.mjs fetch-content '<location-json>'

The fetch-content output includes:

• body_file: path to temp file with full body content
• author: who posted it
• issue_number / pr_number: where it is
• edit_history_count: number of existing edits
• type: location type for routing
• For discussion_comment, it also includes comment_node_id, discussion_node_id, and reply_to_node_id when the original comment was a reply.

Location type routing

Step 2: Decide (Agent)

The agent reads the body file from fetch-content output and:

1. Identifies ALL secrets in the content (there may be more than the alert flagged)
2. Determines whether any plaintext credential remains in the current body
3. Replaces each remaining secret with [REDACTED <secret_type>] — no partial values, no prefix/suffix
4. Saves the redacted content to a new temp file

This is the only step that requires semantic understanding. Everything else is mechanical.

For issue_body and pull_request_body: if the current body has already been redacted by the author and no plaintext credential remains, do not post a public notification comment. Resolve the alert with a maintainer-only resolution comment such as:

…