Discover tools that detect leaked secrets, API keys, and credentials in your codebase before they cause security incidents.
Secret Detection tools are AI-powered software designed to help developers and teams tackle secret detection-related tasks more efficiently. These tools are typically published as open-source projects on GitHub and can be integrated into existing workflows via MCP (Model Context Protocol), Claude Skills, or standalone agent frameworks. On Agent Skills Hub, we index 10 quality-scored secret detection tools across languages including TypeScript, Go, and JavaScript.
In 2026, the AI agent ecosystem is maturing rapidly. Secret Detection tools can significantly boost development efficiency by automating repetitive tasks, reducing human error, and providing intelligent suggestions. The top 3 tools — onecli, agentsecrets, openclaw-shield — have earned an average of 1,191 GitHub stars, reflecting strong community validation. 8 of the listed tools come with clear open-source licenses, ensuring freedom to use and modify.
When choosing a secret detection tool, consider these factors: 1) Community activity — GitHub stars and recent commit frequency indicate reliability; 2) Integration method — check if it supports MCP, Claude, or your preferred agent framework; 3) Language compatibility — the most common language in this list is TypeScript; 4) Quality score — Agent Skills Hub's composite score evaluates code quality, documentation completeness, and maintenance activity. Our recommendation: start with onecli — it ranks highest in both star count and quality score.
Open-source credential vault, give your AI agents access to services without exposing keys.
Zero-knowledge secrets infrastructure built for AI agents to operate, not just consume.
Security plugin for OpenClaw agents - prevents secret leaks, PII exposure, and destructive command execution
The antivirus for OpenClaw — approve dangerous actions, scan skills, block secret leaks, and keep humans in control, for safety.
Superagent protects your AI applications against prompt injections, data leaks, and harmful outputs. Embed safety directly into your app and prove compliance to your customers.
CLI security scanner built for the agentic era. Detects CI/CD misconfigs, agent permission risks, MCP tool injection, hardcoded secrets, and DMCA-flagged AI dependencies.
MCPCAN is a centralized management platform for MCP services. It deploys each MCP service in its own container. The platform supports container monitoring and MCP service token verification, addressing security risks and enabling rapid deployment of MCP services. It exposes MCP services over the SSE, STDIO, and STREAMABLEHTTP access protocols.
LockKnife: The Ultimate Android Security Research Tool. A unified TUI workspace and headless CLI for deep Android security research, built for researchers and hackers. Powered by Python orchestration and a Rust-accelerated core, enabling AI agent–driven hacking, credential recovery/cracking, APK analysis, intelligence gathering, runtime inspection.
Lightweight, cross-platform process sandboxing powered by OpenAI Codex's runtime. Sandbox any command with file, network, and credential controls.
AI gets the context. Not your secrets. Open-source privacy proxy for LLMs.
| Tool | Stars | Language | License | Score |
|---|---|---|---|---|
| onecli | ★ 2.1k | TypeScript | Apache-2.0 | 48 |
| agentsecrets | ★ 107 | Go | MIT | 37 |
| openclaw-shield | ★ 85 | TypeScript | Apache-2.0 | 42 |
| ClawGuard | ★ 93 | TypeScript | — | 32 |
| superagent | ★ 6.5k | TypeScript | MIT | 46 |
| ship-safe | ★ 697 | JavaScript | MIT | 45 |
| mcpcan | ★ 717 | Go | — | 37 |
| LockKnife | ★ 483 | Python | GPL-3.0 | 46 |
| zerobox | ★ 512 | Rust | Apache-2.0 | 39 |
| pasteguard | ★ 546 | TypeScript | Apache-2.0 | 33 |
The top secret detection tools in 2026 are onecli, agentsecrets, openclaw-shield. Agent Skills Hub ranks 10 options by GitHub stars, quality score (6 dimensions including completeness, examples, and agent readiness), and recent activity. The list is rebuilt every 8 hours from live GitHub data.
onecli (2.1k stars) is the most adopted choice for general secret detection workflows, written in TypeScript. agentsecrets (107 stars) is a strong alternative and uses Go instead. Pick by your existing stack: match the language and runtime your team already uses to minimize integration cost. If unsure, start with onecli — it has the deepest community and the most examples online.
Avoid pre-built secret detection tools when (1) your use case requires deep customization that the tool's plugin system doesn't support, (2) you have strict compliance requirements that ban third-party dependencies, (3) the tool's maintenance is inactive (last commit >6 months ago), or (4) your data volume is small enough that a 50-line custom script is cheaper than learning the tool. For most production workflows above 100 requests/day, the time savings from a maintained tool outweigh the customization loss.
Secret Detection focuses specifically on tools that detect leaked secrets, API keys, and credentials in your codebase before they cause security incidents. Security Auditing is a related but distinct category — see https://agentskillshub.top/best/security-audit/ for those tools. The two often appear in the same agent pipeline but solve different problems: choose secret detection when your primary goal is finding exposed credentials, and security auditing when the workflow is broader.
For most teams, yes. onecli has 2.1k stars worth of community testing, handles edge cases you haven't thought of, and ships with documentation. Build your own only when (1) your requirements are deeply non-standard, (2) you have a security/compliance reason to avoid OSS dependencies, or (3) the maintenance burden is small enough (<200 lines of code) that you'll save time long-term. The break-even point is usually around 2-3 weeks of dev time saved.
Most secret detection tools listed are open source under permissive licenses (MIT, Apache 2.0). A handful offer paid managed/cloud versions on top of free self-hosted core. Always check the LICENSE file on each tool's GitHub repository before commercial use — some use AGPL or non-commercial restrictions that may not fit your deployment model.