diff --git a/devops/machine-security-review.md b/devops/machine-security-review.md
index e3128b4..3f585e0 100644
--- a/devops/machine-security-review.md
+++ b/devops/machine-security-review.md
@@ -227,10 +227,10 @@ Scan for leaked secrets. This runs during every audit and drift check.
 2. **Other config directories** — `~/.config/`, `~/.netrc`
 3. **Shell history** — `~/.bash_history`, `~/.zsh_history`
 4. **Git history** — In the OpenClaw workspace, scan commit content for leaked secrets:
-   `git log -p --all -S 'sk-ant-' -S 'AKIA' -S 'ghp_' -S 'sk-' 2>/dev/null | head -200`
-   This scans actual content across all commits — not just filenames — and catches
-   secrets added to any file (README, JSON config, etc.), not only newly-added
-   `.env`/`.key`/`.pem` files.
+   `git log -p --all -G 'sk-ant-|AKIA|ghp_|sk-' 2>/dev/null | head -200` This scans
+   actual content across all commits — not just filenames — and catches secrets added to
+   any file (README, JSON config, etc.), not only newly-added `.env`/`.key`/`.pem`
+   files.
 5. **Log files** — Check gateway logs and health check logs for accidentally logged
    credentials matching the patterns above
 6. **Process environment** — Check for secrets exposed in process env vars. Report the
diff --git a/workflows/security-sentinel/AGENT.md b/workflows/security-sentinel/AGENT.md
index 16b8e0d..c21dbc2 100644
--- a/workflows/security-sentinel/AGENT.md
+++ b/workflows/security-sentinel/AGENT.md
@@ -134,7 +134,7 @@ Severity determines notification timing:
 | -------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | **CRITICAL**   | Active exploitation in the wild AND we are confirmed exposed                    | Immediate notification to admin with detailed findings and recommended steps. All remediation runs through machine-security-review on each machine — never apply changes remotely. |
 | **HIGH**       | Known technique, we are likely vulnerable, exploitation is feasible             | Notify admin within the hour. Detailed report with recommended actions.                                                                                                            |
-| **MEDIUM**     | Theoretical risk, partial exposure, or exploitation requires unusual conditions | Include in next daily sweep notification. Log to findings.                                                                                                                         |
+| **MEDIUM**     | Theoretical risk, partial exposure, or exploitation requires unusual conditions | Include in weekly digest. Log to findings.                                                                                                                                         |
 | **LOW / INFO** | Interesting research, we are mitigated, or not applicable                       | Log to `agent_notes.md`. Include in weekly digest.                                                                                                                                 |
 
 Use the admin notification lane. If `notification-routing.md` exists in your workflow