security: introduce secret detection for clawd

[Hyaxia]

Context
right now nothing is stopping clawd from publishing secrets to a public repo, unless he is able to notice it which is not something we can rely on.

Proposed Solution
we already have good tooling around this issue which is introduced in many companies as part of CI.
we can pretty easily add it for clawd as well in the form of a "git hook" which will force clawd to prompt the user for confirmation before actually publishing it

[Hyaxia]

"""

its a good question. i wonder if there are more generic solutions that other models are using? like it seems like we wont be the first people to run into "agents commit secrets", so i wonder what the SOTA solution is for this 🙂

"""

Comment from jospalmbier

[CashWilliams]

I had my agent setup a global git config to have https://github.com/gitleaks/gitleaks run on every commit. Originally it wanted to just enable in the repo config, but future clones would not benefit.

[clemenshelm]

This is a real concern. I've had my OpenClaw agent accidentally include API keys in commits (caught it in review, thankfully).

Beyond git hooks, the deeper issue is agent permissions: which tools can an agent access, which repos can it push to, which secrets does it even see? OpenClaw's exec security modes (deny/allowlist/full) are a good start, but there's no granular per-agent RBAC yet.

This is one of the core problems I'm tackling with Pinchy — granular agent permissions, audit trails, and the ability to restrict tool access per agent/user. Still early, but the permission model is designed around exactly this kind of scenario.

[RomanSurface]

Git hooks and tools like Gitleaks definitely help at the commit boundary.

But the deeper problem isn’t that the agent commits secrets, it s : agent can read and exfiltrate secrets.
If an agent can: open sensitive files, exec arbitrary binaries, connect outbound then git is just one of many possible exfiltration channels.
Hooks protect the repo but they dont protect the host.
I see an architectural distinction here:

• Repository-level controls (pre-commit, CI scanners)
• Runtime-level controls (filesystem + network + exec enforcement)

I am working with the second approach in MiniMako https://minimako.com to detect or restrict agent behavior at syscall level, independently of git.

[champlain007]

Not sure how to set-up a 'global git config' for a git hook. Any exact implementation example would help direct me.
Since setting up my initial system to be somewhat secured against ai agent threats (internally and externally through some intrusion detection and sandboxing), I consider it essential to configure my system to prevent ai agents from leaking any secrets to any system therefore I'm still very cautious and have not installed OpenClaw.
Obviously tackling this security at the system level is a tall order and commend RomanSurface(Minimako) for attempting such feats ( and will be glued to his channel for further info) but in the mean time a simple working 'global git config' example is all I ask to get things up and running. Any takers? CashWilliams? (no cash for you though, yet)

[darfaz]

Great idea! Secret detection before git operations is critical.

We built something similar in ClawMoat — it includes secret scanning as part of a broader host-level security layer:

• Secret scanning in messages and file content (API keys, tokens, credentials)
• Credential file monitoring — watches sensitive directories (.ssh/, .aws/, etc.) for unauthorized access
• Network egress logging — catches secrets being exfiltrated via HTTP

For the git hook approach specifically, the pre-commit pattern works well. We also found it useful to scan at the agent message level (before content even reaches git), since agents might leak secrets in chat messages, webhook payloads, or file writes.

The ClawMoat scanner can be used standalone:

npm install -g clawmoat
clawmoat scan --check-secrets .

Happy to share implementation details if useful for the built-in approach!

[getmilodev]

Practical implementation for anyone who wants this now (no external tools needed):

1. Global git pre-commit hook:

mkdir -p ~/.config/git/hooks
git config --global core.hooksPath ~/.config/git/hooks

cat > ~/.config/git/hooks/pre-commit << 'HOOK'
#!/bin/bash
PATTERNS=(
  "sk-[a-zA-Z0-9]{20,}"
  "sk-ant-[a-zA-Z0-9-]{20,}"
  "ghp_[a-zA-Z0-9]{36}"
  "AKIA[0-9A-Z]{16}"
  "-----BEGIN.*PRIVATE KEY"
)

FOUND=0
for pattern in "${PATTERNS[@]}"; do
  MATCHES=$(git diff --cached --diff-filter=ACM -U0 | grep -E "$pattern" 2>/dev/null)
  if [ -n "$MATCHES" ]; then
    echo "Potential secret detected:"
    echo "$MATCHES" | head -3
    FOUND=1
  fi
done

if [ $FOUND -eq 1 ]; then
  echo "Commit blocked. Remove secrets before committing."
  echo "To bypass (risky): git commit --no-verify"
  exit 1
fi
HOOK
chmod +x ~/.config/git/hooks/pre-commit

Catches the most common patterns. Works globally across all repos, including whatever your OpenClaw agent pushes.

2. For OpenClaw specifically, you can also add this to your agent's instructions:

Before any git commit or push, scan the staged diff for API keys, tokens, passwords, and private keys. If found, abort and alert the user.

Surprisingly effective since the agent understands context better than regex — it knows sk-ant-api03-xxx in a .env.example is fine, but in actual source code is not.

For anyone who's already leaked keys: rotate them immediately. Git history preserves everything even after the file is deleted. Use git filter-repo or BFG Repo-Cleaner to scrub history, or just delete and recreate the repo.

Speaking from experience on that last point. 😅