Detect possible secrets in code, suggest remediation (env vars, secret managers), and optionally warn before push. Command-first; reduces false positives with allowlists and confidence levels.
# No-secrets policy
Do not add secrets (API keys, tokens, passwords, connection strings) to source code. Prefer environment variables or a secret manager (e.g. Doppler, Vault). When the user asks to "scan for secrets", "run no-secrets", "check for leaked keys", or to run a pre-commit or pre-push check, run the **no-secrets-scan** skill with the appropriate scope (e.g. staged or changed files).
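
The sketch below is an added example, not the **no-secrets-scan** skill's own code. It shows how an allowlist and confidence levels cut false positives in a line-based scan. The rule set, allowlist patterns, 3.5-bit entropy threshold and the names `scan` and `blocking` are assumptions.

```python
import math
import re

# Assumed rules: (name, pattern, fixed confidence or None to grade by entropy).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("url-credentials", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"), "medium"),
    ("generic-assignment", re.compile(r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b"
                                      r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"), None),
]
# Assumed allowlist: placeholder words, ${VAR} references, <angle-bracket> stubs.
ALLOWLIST = [re.compile(p, re.I) for p in (
    r"example|changeme|placeholder|dummy", r"^\$\{?\w+\}?$", r"^<.*>$")]
LEVELS = {"low": 0, "medium": 1, "high": 2}

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan(text, path="<input>"):
    """Return findings (path, line, rule, confidence); matched values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, level in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if any(a.search(value) for a in ALLOWLIST):
                continue  # known placeholder or env reference
            if level is None:  # generic rule: random-looking values rank higher
                level = "medium" if entropy(value) >= 3.5 else "low"
            findings.append({"path": path, "line": lineno, "rule": name, "confidence": level})
            break  # at most one finding per line
    return findings

def blocking(findings, threshold="medium"):
    """Findings at or above the threshold, e.g. to warn before a push."""
    return [f for f in findings if LEVELS[f["confidence"]] >= LEVELS[threshold]]

# Constructed sample; none of these values is a real credential.
SAMPLE = """\
aws_key = "AKIAQ7ZK2M4XW9TBR3LD"
password = "changeme"
api_key = "q9Xv2LmT7pRz4KdW8sYb"
token = "aaaaaaaaaaaa"
db = "postgres://app:${DB_PASSWORD}@db.internal/app"
api_key = os.environ["API_KEY"]
"""
```

`scan(SAMPLE, "config.py")` reports lines 1, 3 and 4 only. The placeholder password, the `${DB_PASSWORD}` reference and the `os.environ` lookup (the remediated form) produce no finding.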