Is lxgicstudios/secret-scanner safe?

https://github.com/openclaw/skills/tree/main/skills/lxgicstudios/secret-scanner

Overall score: 76 (CAUTION)

This secret scanner tool performs its stated function but has a critical flaw: it sends detected secrets to OpenAI for analysis, creating a data exfiltration risk. While the tool's core purpose is legitimate, users should be aware that any secrets found will be transmitted to a third-party API.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection        95/100 · 30%
Data Exfiltration       40/100 · 25%
Code Execution          85/100 · 20%
Clone Behavior          95/100 · 10%
Canary Integrity        80/100 · 10%
Behavioral Reasoning    50/100 · 5%

Findings (3)

CRITICAL · Secrets sent to external API · -50

The tool sends detected secrets to OpenAI's API for analysis via the aiAnalyze function. This means any secrets found in the user's codebase are transmitted to a third-party service, creating a significant data exfiltration risk.

MEDIUM · Access to sensitive files · -10

The tool accessed sensitive files including .env, SSH private keys, and AWS credentials. While this is expected behavior for a secret scanner, it creates risk if the tool is malicious.

LOW · External URLs in documentation · -5

The SKILL.md contains external URLs to social media and websites which could theoretically be used for redirection attacks.