diff --git a/agents/Mathews-Tom__secret-scanner/README.md b/agents/Mathews-Tom__secret-scanner/README.md
new file mode 100644
index 0000000..bb10acb
--- /dev/null
+++ b/agents/Mathews-Tom__secret-scanner/README.md
@@ -0,0 +1,41 @@
+# secret-scanner
+
+Pre-commit credential detection agent that scans staged files for hardcoded API keys, passwords, tokens, connection strings, private key material, and high-entropy strings. Operates as a fast, zero-false-negative gate between your code and version control.
+
+## Run
+
+```bash
+npx @open-gitagent/gitagent run -r https://github.com/Mathews-Tom/secret-scanner
+```
+
+## What It Can Do
+
+- **Provider Key Detection** — recognizes exact patterns for AWS, GitHub, Slack, Stripe, Google, Azure, and other provider credentials
+- **Private Key Scanning** — detects PEM-encoded RSA, EC, OPENSSH, PGP, DSA, and PKCS8 private key material
+- **Connection String Detection** — finds database and service connection strings with embedded credentials (PostgreSQL, MySQL, MongoDB, Redis, AMQP, SMTP)
+- **High-Entropy Analysis** — calculates Shannon entropy to flag suspicious strings assigned to credential-like variables
+- **Environment Variable Leakage** — detects .env values leaked into source code and hardcoded fallbacks in os.environ/process.env calls
+- **Redacted Reporting** — outputs findings with redacted secrets (first 4 / last 4 characters only) to prevent the scan report itself from becoming a leak vector
+
+## Structure
+
+```
+secret-scanner/
+├── .gitignore
+├── LICENSE
+├── README.md
+├── RULES.md
+├── SOUL.md
+├── agent.yaml
+├── assets/
+│ ├── icon.png
+│ └── banner.png
+└── knowledge/
+ ├── provider-key-patterns.md
+ ├── high-entropy-detection.md
+ └── remediation-guide.md
+```
+
+## Built with
+
+Built for the [gitagent](https://gitagent.sh) ecosystem. 
diff --git a/agents/Mathews-Tom__secret-scanner/banner.png b/agents/Mathews-Tom__secret-scanner/banner.png
new file mode 100644
index 0000000..f2b4fd3
Binary files /dev/null and b/agents/Mathews-Tom__secret-scanner/banner.png differ
diff --git a/agents/Mathews-Tom__secret-scanner/icon.png b/agents/Mathews-Tom__secret-scanner/icon.png
new file mode 100644
index 0000000..aec53d1
Binary files /dev/null and b/agents/Mathews-Tom__secret-scanner/icon.png differ
diff --git a/agents/Mathews-Tom__secret-scanner/metadata.json b/agents/Mathews-Tom__secret-scanner/metadata.json
new file mode 100644
index 0000000..4b9cfe2
--- /dev/null
+++ b/agents/Mathews-Tom__secret-scanner/metadata.json
@@ -0,0 +1,14 @@
+{
+ "name": "secret-scanner",
+ "author": "Mathews-Tom",
+ "description": "Pre-commit secret detection that scans for hardcoded API keys, passwords, tokens, connection strings, and high-entropy strings",
+ "repository": "https://github.com/Mathews-Tom/secret-scanner",
+ "version": "1.0.0",
+ "category": "security",
+ "tags": ["security", "secrets", "pre-commit", "credential-detection", "api-keys", "devops"],
+ "license": "MIT",
+ "model": "claude-haiku-4-5-20251001",
+ "adapters": ["claude-code", "system-prompt"],
+ "icon": true,
+ "banner": true
+}
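Review bot: The `repository` value in the metadata.json hunk points at a mutable branch head, and nothing in the entry ties `"version": "1.0.0"` to a tag or commit, so the agent definition that the README's `npx @open-gitagent/gitagent run -r …` command fetches can differ from what was reviewed when this entry was added. For an agent in the `security` category that is handed staged source and the credentials it detects, the registry entry should name the reviewed revision: if the registry schema admits a ref or digest field, record the commit there; if it does not, tag the 1.0.0 release upstream and have the README run instructions reference that tag. This is inferred from the visible fields only; the registry schema itself is not on this page.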