organvm-iv-taxis/specstory-guard
.build/claude/skills/specstory-guard/SKILL.md
Install a pre-commit hook that scans .specstory/history for secrets before commits. Run when user says "set up secret scanning", "install specstory guard", "protect my history", or "check for secrets".
$ install --global
skillsauthnpx skillsauth add organvm-iv-taxis/a-i--skills specstory-guardInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 2:27 AM23.1s1 file scanned
SKILL.md
- name:
- specstory-guard
- description:
- Install a pre-commit hook that scans .specstory/history for secrets before commits. Run when user says "set up secret scanning", "install specstory guard", "protect my history", or "check for secrets".
- license:
- Apache-2.0
- author:
- SpecStory, Inc.
- version:
- 1.0.0
- argument-hint:
- [install|scan|check|uninstall] [--root PATH]
- allowed-tools:
- Bash, Read, Write
- governance_phases:
- [build]
- organ_affinity:
- [organ-iv]
- triggers:
- [command:specstory-guard, user-asks-about-secret-scanning, context:security]
SpecStory Guard
A pre-commit guardrail that scans .specstory/history for potential secrets and blocks commits until they are removed or redacted.
How It Works
- Installs a git pre-commit hook in your repository
- Scans
.specstory/historyfiles on every commit - Detects common secret patterns (API keys, tokens, private keys)
- Blocks the commit if secrets are found
- Reports findings with redacted previews for safe review
Why Use Guard?
AI coding sessions may inadvertently capture sensitive data:
- API keys you pasted into chat
- Environment variables in command output
- Private keys or tokens in error messages
- Credentials in configuration examples
Guard prevents accidental commits of these secrets.
Usage
Slash Command
| User says | Action |
|-----------|--------|
| /specstory-guard | Install the pre-commit hook |
| /specstory-guard install | Install the pre-commit hook |
| /specstory-guard scan | Run a manual scan without installing |
| /specstory-guard check | Alias for scan |
| /specstory-guard uninstall | Remove the pre-commit hook |
Direct Script Usage
# Install the pre-commit hook
python skills/specstory-guard/scripts/guard.py install
# Run a manual scan
python skills/specstory-guard/scripts/guard.py scan --root .
# Uninstall the hook
python skills/specstory-guard/scripts/guard.py uninstall
# Scan with custom allowlist
SPECSTORY_GUARD_ALLOWLIST='example-key,PLACEHOLDER_.*' \
python skills/specstory-guard/scripts/guard.py scan --root .
Output
Scan with findings:
SpecStory Guard - Security Scan
===============================
Scanning .specstory/history/...
ALERT: Potential secrets found!
File: .specstory/history/2026-01-22_19-20-56Z-api-setup.md
Line 142: AWS_SECRET_ACCESS_KEY=AKIA...redacted...XYZ
Line 289: private_key: "-----BEGIN RSA PRIVATE KEY-----..."
File: .specstory/history/2026-01-20_10-15-33Z-debug-auth.md
Line 56: Authorization: Bearer eyJhbG...redacted...
Total: 3 potential secrets in 2 files
Commit blocked. Please redact or remove these secrets before committing.
Clean scan:
SpecStory Guard - Security Scan
===============================
Scanning .specstory/history/...
All clear! No secrets detected in 47 files.
Installation success:
SpecStory Guard - Setup
=======================
Pre-commit hook installed at .git/hooks/pre-commit
The hook will now scan .specstory/history/ before each commit.
To test: python skills/specstory-guard/scripts/guard.py scan --root .
Detected Patterns
Guard scans for these common secret patterns:
| Pattern | Example |
|---------|---------|
| AWS Keys | AKIA..., aws_secret_access_key | <!-- allow-secret -->
| API Tokens | Bearer ..., token: ... | <!-- allow-secret -->
| Private Keys | -----BEGIN RSA PRIVATE KEY----- |
| GitHub Tokens | ghp_..., github_pat_... | <!-- allow-secret -->
| Generic Secrets | password=, secret=, api_key= | <!-- allow-secret -->
Tuning with Allowlist
If you have false positives (example keys, placeholders), use the allowlist:
# Environment variable (comma-separated regex patterns)
SPECSTORY_GUARD_ALLOWLIST='example-key,PLACEHOLDER_.*,test-token' \
python skills/specstory-guard/scripts/guard.py scan --root .
Remediation
When secrets are found:
- Open the file - Find the line number from the report
- Redact the secret - Replace with
[REDACTED]or remove the line - Re-run scan - Verify the fix with another scan
- Commit - The pre-commit hook will pass
Present Results to User
After running guard commands:
- For install - Confirm the hook is installed and explain what it does
- For scan with findings - List the findings and offer to help redact them
- For clean scan - Confirm no secrets were found
Example Response (findings)
I found 3 potential secrets in your SpecStory history:
1. **AWS credentials** in `2026-01-22_19-20-56Z-api-setup.md` (line 142)
2. **Private key** in the same file (line 289)
3. **Bearer token** in `2026-01-20_10-15-33Z-debug-auth.md` (line 56)
Would you like me to help redact these? I can replace them with `[REDACTED]`
while preserving the rest of the conversation context.
Notes
- Uses no external dependencies (pure Python)
- Hook runs automatically on
git commit - Scan is fast - typically under 1 second for hundreds of files
- Allowlist patterns are regular expressions
Related Skills
organvm-iv-taxis/cv-resume-builder
development
VerifiedTrustedCommunity
Optimize resumes and CVs for impact, ATS compatibility, and audience targeting. Supports multiple formats (chronological, functional, hybrid), accomplishment framing (STAR/XYZ), and tailoring for specific roles. Triggers on resume review, CV update, job application prep, or career document requests.
7SKILL.mdUpdated May 31, 2026
organvm-iv-taxis/cross-agent-handoff
testing
VerifiedTrustedCommunity
Transfer context between AI agent sessions with structured handoff protocols, state serialization, and decision log preservation. Covers multi-agent coordination, context compression, and continuity patterns. Triggers on agent handoff, session transfer, or multi-agent continuity requests.
7SKILL.mdUpdated May 31, 2026
organvm-iv-taxis/creative-writing-craft
tools
VerifiedTrustedCommunity
Craft compelling fiction and creative nonfiction with attention to structure, voice, prose style, and revision. Supports short stories, novel chapters, essays, and hybrid forms. Triggers on creative writing, fiction writing, story craft, prose style, or literary technique requests.
7SKILL.mdUpdated May 31, 2026
organvm-iv-taxis/conversation-content-pipeline
devops
VerifiedTrustedCommunity
Transform AI conversations and chat transcripts into publishable content including blog posts, documentation, tutorials, and knowledge base entries. Covers extraction, restructuring, and editorial refinement. Triggers on conversation-to-content, transcript processing, or chat-to-doc requests.
7SKILL.mdUpdated May 31, 2026