{
  "skill": {
    "id": "skl_secrets_sweep",
    "name": "secrets-sweep",
    "plugin": "cwc-legal",
    "description": "READ-ONLY secrets/PII exposure sweep for cwc-legal (wave W5.2) over the operator's OWN deployed subagent*.com fleet. Defensive security audit only: derives the live host list from cloudflare.toml's [dns] table (never a hardcoded guess), issues read-only HTTP GETs against each public endpoint (`/`, `/api`, `/llms.txt`), and scans each response with a conservative offline regex detector for Anthropic/Cloudflare/AWS keys, PEM private-key headers, write-secret-env-vars WITH an assigned value, contextual bearer tokens (a long token-looking string near an authorization/bearer/token/secret keyword), and non-public emails. Emits a deterministic, fully-redacted markdown report — no full secret or the operator's own write-secrets ever appear in the report itself. No writes, no exploitation, no auth bypass, no third-party targets. Use when the user asks to \"sweep the fleet for leaked secrets\", \"check if any worker leaks ANTHROPIC_API_KEY/cfat_/PII\", \"run the secrets sweep\", \"audit our own endpoints for exposure\", or references `secrets-sweep sweep`/`scan-file`. Do NOT use this for penetration testing, auth bypass, fuzzing, or auditing any host the operator does not own — those are out of scope for this skill and for cwc-legal generally.",
    "summary": "READ-ONLY secrets/PII exposure sweep for cwc-legal (wave W5.2) over the operator's OWN deployed subagent*.com fleet.",
    "gated": 0,
    "source_path": "plugins/cwc-legal/skills/secrets-sweep/SKILL.md",
    "created_at": "2026-07-10 18:13:13",
    "cite_as": "https://subagentskills.com/api/skills/skl_secrets_sweep"
  }
}