TechSquidTV 13 hours ago

I have been developing an OpenClaw-like agent that automates exactly this type of attack.

_pdp_ 12 hours ago | parent | next [-]

Why? This is just regex search and there are plenty of tools that do this perfectly fine.

emotiveengine 9 hours ago | parent | next [-]

Have to agree with _pdp_ on this one. I just don't see the need for an LLM agent to do a recursive grep for API keys in public repos.

Not saying people shouldn't build these tools, but the use case is lost on me.

It feels like the industry is in this weird phase of trying to replace 30-year-old, perfectly optimized shell utilities with multi-shot agent workflows that literally cost money to run. A basic Python script with a regex matcher and the GitHub API will find these keys faster, cheaper, and more reliably.

jgalt212 31 minutes ago | parent | prev | next [-]

Because the poster works for Accenture.

https://timesofindia.indiatimes.com/technology/tech-news/acc...

system2 12 hours ago | parent | prev [-]

None of those proven tools would make a man feel like a wannabe Mr. Robot.

hrmtst93837 6 hours ago | parent | prev [-]

Automating these sweeps works fine until you need to escalate beyond public misconfig and start hitting rate limits or WAF traps; at that point, blending in gets harder than it looks. If you focus on fast key discovery, expect a lot of false positives unless you build context awareness for the apps those keys unlock; otherwise you just end up chasing useless tokens all day.