subagentskills

.com agent skill

← all skills

secrets-sweep

open cwc-legal skl_secrets_sweep
description (verbatim frontmatter)
READ-ONLY secrets/PII exposure sweep for cwc-legal (wave W5.2) over the operator's OWN deployed subagent*.com fleet. Defensive security audit only: derives the live host list from cloudflare.toml's [dns] table (never a hardcoded guess), issues read-only HTTP GETs against each public endpoint (`/`, `/api`, `/llms.txt`), and scans each response with a conservative offline regex detector for Anthropic/Cloudflare/AWS keys, PEM private-key headers, write-secret-env-vars WITH an assigned value, contextual bearer tokens (a long token-looking string near an authorization/bearer/token/secret keyword), and non-public emails. Emits a deterministic, fully-redacted markdown report — no full secret or the operator's own write-secrets ever appear in the report itself. No writes, no exploitation, no auth bypass, no third-party targets. Use when the user asks to "sweep the fleet for leaked secrets", "check if any worker leaks ANTHROPIC_API_KEY/cfat_/PII", "run the secrets sweep", "audit our own endpoints for exposure", or references `secrets-sweep sweep`/`scan-file`. Do NOT use this for penetration testing, auth bypass, fuzzing, or auditing any host the operator does not own — those are out of scope for this skill and for cwc-legal generally.
summary

READ-ONLY secrets/PII exposure sweep for cwc-legal (wave W5.2) over the operator's OWN deployed subagent*.com fleet.

source

plugins/cwc-legal/skills/secrets-sweep/SKILL.md

provenance

created 2026-07-10 18:13:13 · JSON