SkillHub

prepublish-privacy-scrub

v1.0.0

Scan and remove sensitive data before publishing skills. Detect API keys, tokens, secrets, and personal info.

Sourced from ClawHub, Authored by Dalomeve

Installation

Please help me install the skill `prepublish-privacy-scrub` from SkillHub official store. npx skills add Dalomeve/prepublish-privacy-scrub

Pre-Publish Privacy Scrub

Scan for sensitive data before publishing.

Problem

Publishing accidentally exposes: - API keys and tokens - Gateway credentials - Personal paths and emails - Internal service URLs

Workflow

1. Sensitive Pattern Detection

function Test-PrivacyScan {
    param([string]$path)

    $sensitivePatterns = @(
        'apiKeys*[=:]s*["']?[A-Za-z0-9]',
        'tokens*[=:]s*["']?[A-Za-z0-9]{10,}',
        'secrets*[=:]s*["']?[A-Za-z0-9]',
        'passwords*[=:]s*["']?.+',
        'Bearers+[A-Za-z0-9-_]+.[A-Za-z0-9-_]+',
        'sk-[A-Za-z0-9]{32,}',
        'OPENCLAW_w+s*[=:]s*S+',
        'https://S+.ngrokS+',
        '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,}'
    )

    $files = Get-ChildItem $path -Recurse -File | 
        Where-Object { $_.Extension -in @('.md', '.ps1', '.json', '.txt') }

    $findings = @()

    foreach ($file in $files) {
        $content = Get-Content $file.FullName -Raw
        foreach ($pattern in $sensitivePatterns) {
            $matches = [regex]::Matches($content, $pattern, 'IgnoreCase')
            foreach ($m in $matches) {
                $findings += @{
                    File = $file.FullName
                    Pattern = $pattern
                    Match = $m.Value.Substring(0, [Math]::Min(20, $m.Value.Length)) + "..."
                }
            }
        }
    }

    return $findings
}

2. Scrubbing

function Invoke-PrivacyScrub {
    param([string]$path)

    $replacements = @{
        'apiKeys*[=:]s*["']?[^"''s]+' = 'apiKey: "REDACTED"'
        'tokens*[=:]s*["']?[^"''s]+' = 'token: "REDACTED"'
        'secrets*[=:]s*["']?[^"''s]+' = 'secret: "REDACTED"'
    }

    $files = Get-ChildItem $path -Recurse -File

    foreach ($file in $files) {
        $content = Get-Content $file.FullName -Raw
        $modified = $false

        foreach ($kv in $replacements.GetEnumerator()) {
            if ($content -match $kv.Key) {
                $content = $content -replace $kv.Key, $kv.Value
                $modified = $true
            }
        }

        if ($modified) {
            $content | Out-File $file.FullName -Encoding UTF8
            Write-Host "Scrubbed: $($file.Name)"
        }
    }
}

3. Pre-Publish Checklist

## Privacy Scan Results

- [ ] No apiKey values in files
- [ ] No token values in files
- [ ] No secret/password in files
- [ ] No personal emails
- [ ] No absolute user paths (C:Usersname)
- [ ] No internal service URLs

**Scan Command**:
```powershell
Test-PrivacyScan -path "./skill-folder"

```

Executable Completion Criteria

Criteria Verification
Scan executed Test-PrivacyScan returns results
No critical findings apiKey/token/secret = 0 matches
Scrubbing applied Redacted values in files
Checklist complete All items checked

Privacy/Safety

  • Scan results not logged externally
  • Redacted values use generic placeholder
  • Original files backed up before scrub

Self-Use Trigger

Use when: - Before any skill publish - Before git push of skills - After copying skill from working directory

Scrub first. Publish safe.