emliunix/privacy-review
skills/privacy-review/SKILL.md
Automated privacy review for git repositories. Scans for sensitive data exposure including API keys, passwords, database credentials, and tokens. Use before pushing to public repositories or sharing code. Trigger by running 'python privacy_scan.py' on a git repository.
development
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add emliunix/home.conf privacy-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 6:28 PM4.7s3 files scanned
SKILL.md
- name:
- privacy-review
- description:
- Automated privacy review for git repositories. Scans for sensitive data exposure including API keys, passwords, database credentials, and tokens. Use before pushing to public repositories or sharing code. Trigger by running 'python privacy_scan.py' on a git repository.
Privacy Review
Overview
Automated privacy security review for git repositories. Detects sensitive data exposure in committed files and repository configuration.
When to use:
- Before pushing code to public repositories (GitHub, GitLab)
- When sharing code with external parties
- Before opening pull requests
- Periodic security audits
Checks Performed
1. Sensitive Files in Commits
Scans git history for committed files with sensitive extensions:
.env,.env.local- Environment configuration.pem,.p12- Private keys and certificates*_secrets.*- Secret configuration*_credentials.*- API credentials
2. Secrets in Committed Code
Pattern-based scanning for sensitive patterns in source files:
- Database URLs with credentials (
postgresql://user:pass@host) - API keys (
sk-,AKIA,Bearer) - Secret tokens and assignments
- Authorization headers
3. .gitignore Protection
Verifies that .env and other sensitive files are properly ignored.
4. Local .env File
Checks if local .env exists with real credentials (not committed).
Quick Start
# Scan current directory
python privacy_scan.py
# Scan specific repository
python privacy_scan.py --repo-path /path/to/repo
# Quiet mode (show only issues)
python privacy_scan.py --quiet
Report Format
The tool generates a structured report with:
======================================================================
PRIVACY REVIEW REPORT
======================================================================
📁 CHECK 1: Sensitive Files in Git
----------------------------------------------------------------------
✅ No sensitive files committed
🔍 CHECK 2: Secrets in Committed Code
----------------------------------------------------------------------
❌ FOUND potential secrets:
- API key assignment: OPENAI_API_KEY="sk-abc123xyz..." (line 42)
🛡️ CHECK 3: .gitignore Protection
----------------------------------------------------------------------
✅ .env is protected by .gitignore
📄 CHECK 4: Local .env File
----------------------------------------------------------------------
⚠️ WARNING: .env exists with real credentials
Status: .env file exists locally but is NOT committed
======================================================================
SUMMARY
======================================================================
❌ Found 2 privacy concern(s)
Recommendations:
- Replace secrets with environment variable references
- Rotate any exposed credentials
- Ensure .env remains in .gitignore
======================================================================
Remediation Guide
Removing Secrets from History
If secrets are found in committed files:
# Remove specific file from all branches
git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch file-with-secrets.py' HEAD
# Push cleaned history (requires force)
git push origin --force
Replacing Secrets with Environment Variables
Before:
DATABASE_URL="postgresql://user:password@host:5432/db"
API_KEY="sk-abc123xyz..."
After:
import os
DATABASE_URL = os.getenv("DATABASE_URL")
API_KEY = os.getenv("API_KEY")
Create .env.example:
DATABASE_URL=postgresql://user:password@localhost:5432/db
API_KEY=your-api-key-here
Common Mistakes
❌ Don't Commit
.envfiles with real credentials- API keys in configuration files
- Database URLs with passwords
- Private keys (
.pem,.key) - Hardcoded secrets in code
✅ Do Instead
- Use
os.getenv()for configuration - Commit
.env.examplewith placeholders - Reference secrets from environment
- Use secret management services
- Document required variables in README
Patterns Detected
See PATTERNS.md for complete list of sensitive patterns:
- Database URLs with credentials
- API keys (OpenAI, AWS, etc.)
- Authentication tokens
- Configuration files with extensions
Best Practices
Code Level
- All secrets use environment variables
- Validation at startup (fail if secrets missing)
- No secrets in logs or print statements
Repository Level
.envalways in.gitignore- Enable secret scanning in CI/CD
- Require review for sensitive changes
- Audit git history periodically
Workflow Level
- Automate pre-commit hooks for secret detection
- Fail builds on secret detection
- Rotate credentials regularly
- Use short-lived tokens when possible
Troubleshooting
False Positives
The tool may flag:
- Example values in
.env.example(safe) - Test URLs with
localhostor127.0.0.1(usually safe) - Documentation mentioning patterns (not actual secrets)
Review these manually before taking action.
Files Not Scanned
Binary files and large assets are skipped:
- Images (
.png,.jpg,.gif) - PDFs
- Zip files
- Already committed files (use
git filter-branchfor historical scans)
Advanced Usage
CI/CD Integration
Add to GitHub Actions:
- name: Privacy Scan
run: |
python -m privacy_scan.scripts.privacy_scan --quiet
Custom Patterns
Extend privacy_scan.py with additional patterns:
# Add to patterns list in check_sensitive_patterns_in_content()
(r"custom_pattern", "Custom sensitive data"),
Ignore Specific Patterns
For files with known safe patterns (like test data):
# Modify scan_commit_for_secrets() to skip files
if "test_" in file_path.lower():
continue
Related Skills
emliunix/topic-thinking
development
VerifiedTrustedCommunity
Manages thinking patterns and mental models when switching between different topics or modes. Use when (1) switching from analysis to design, (2) switching from exploration to validation, (3) switching from reading to writing, (4) any topic transition where thinking approach must change, (5) user signals "we're going to sketch/design/build" after analysis phase.
SKILL.mdUpdated May 28, 2026
emliunix/exploration
development
VerifiedTrustedCommunity
Systematic codebase investigation producing structured exploration files (Notes → Facts → Claims). Use when researching unknown systems, tracing code paths, or documenting architecture.
SKILL.mdUpdated May 28, 2026
emliunix/coop-design
testing
VerifiedTrustedCommunity
Collaborative design workflow for architecture and system design. Use when the user wants to design or redesign a system, component, or feature. Triggers on phrases like "design", "architecture", "how should we", "what's the best way to", or when the user asks for tradeoff analysis. This skill is for exploration and decision-making, not implementation.
SKILL.mdUpdated May 28, 2026
emliunix/change-plan
development
VerifiedTrustedCommunity
Change plan workflow for non-trivial code changes. Create, review, and track changes before implementation.
SKILL.mdUpdated May 28, 2026