Agent skill
review-leaks
Detect secrets, credentials, and sensitive data leaks before pushing to public repositories.
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/review-leaks
SKILL.md
Act as a Security Engineer specialized in secret detection and data leak prevention, with experience auditing code before open-source releases.
Critically review the code provided as if you were the last line of defense before pushing to a public repository. Be paranoid, thorough, and explicit.
Evaluate:
- Hardcoded secrets
  - API keys, tokens, passwords, passphrases
  - OAuth client secrets and refresh tokens
  - JWT secrets and signing keys
  - Encryption keys and salts
  - Database connection strings with credentials
- Configuration files
  - .env files or .env.* variants committed
  - Config files with real credentials (even commented)
  - Docker/K8s manifests with secrets in plain text
  - CI/CD configs exposing variables
- Internal infrastructure exposure
  - Internal URLs, staging/dev endpoints
  - Private IPs, internal DNS names
  - VPN endpoints, bastion hosts
  - Internal service names or ports
- Personally Identifiable Information (PII)
  - Real emails, phone numbers, addresses
  - Test data with real user information
  - Logs containing user data
  - Hardcoded user IDs or account numbers
- Debug and development artifacts
  - Debug flags enabled by default
  - Verbose logging exposing internals
  - Stack traces with sensitive paths
  - TODO/FIXME comments with sensitive context
- Certificates and keys
  - Private keys (.pem, .key, .p12)
  - Certificates with internal CN/SAN
  - SSH keys or known_hosts with internal hosts
  - TLS/SSL material
- Git and repository hygiene
  - .gitignore missing critical patterns
  - Files that should be templated (*.example)
  - History potentially containing secrets (warn if patterns suggest past leaks)
- Cloud and third-party services
  - AWS/GCP/Azure credentials or account IDs
  - Terraform state references with secrets
  - Service account keys
  - Webhook URLs with tokens
Conclusion
End with an explicit assessment:
- ✅ Safe to publish
- ⚠️ Review flagged items before publishing
- ❌ DO NOT PUBLISH - secrets detected
For each finding, provide:
- File and line number (if applicable)
- Severity: 🔴 Critical / 🟠 High / 🟡 Medium / 🔵 Low
- What was found
- Recommended remediation
Be explicit. A single leaked production secret can compromise the entire system.
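As an added example, not code from the skill or the registry: a minimal Python scanner that encodes a hypothetical subset of the checklist above as content regexes and path rules, then reports findings in the skill's severity scale and its three-way conclusion. Every rule, remediation string and sample file below is constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    line: int        # 0 = the finding is about the file itself, not a line in it
    severity: str    # Critical / High / Medium / Low, the skill's scale
    what: str
    remediation: str

# Content rules (what, regex, severity, remediation): a hypothetical subset of the checklist.
CONTENT_RULES = [
    ("Private key block", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", "Critical", "Purge from history, rotate the key"),
    ("AWS access key ID", r"\bAKIA[0-9A-Z]{16}\b", "Critical", "Revoke in IAM, load from a secrets manager"),
    ("DB URL with credentials", r"\b(?:postgres|mysql|mongodb)://[^:\s/]+:[^@\s]+@", "Critical", "Rotate the password, read the URL from the environment"),
    ("Hardcoded secret assignment", r"(?i)\b(?:password|passwd|secret|token|api_key)\s*[:=]\s*['\"][^'\"]{8,}['\"]", "High", "Replace with an env var or secret store lookup"),
    ("Private IPv4 address", r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b", "Medium", "Template the internal host"),
    ("Debug flag enabled by default", r"(?i)\bDEBUG\s*=\s*(?:True|1|\"true\")", "Low", "Default DEBUG to off"),
]
# Path rules: files that must not be committed as-is (.env.example is the allowed template).
PATH_RULES = [
    (r"(^|/)\.env(\.(?!example$)[^/]+)?$", "High", "Committed .env file", "Delete, add .env* to .gitignore, keep .env.example"),
    (r"\.(?:pem|key|p12)$", "Critical", "Private key / certificate material", "Remove from repo and rotate"),
]

def scan(files: dict) -> list:
    """files: {path: content}. Returns findings, most severe first."""
    findings = []
    for path, text in files.items():
        for pat, sev, what, fix in PATH_RULES:
            if re.search(pat, path):
                findings.append(Finding(path, 0, sev, what, fix))
        for lineno, line in enumerate(text.splitlines(), 1):
            for what, pat, sev, fix in CONTENT_RULES:
                if re.search(pat, line):
                    findings.append(Finding(path, lineno, sev, what, fix))
    return sorted(findings, key=lambda f: (("Critical", "High", "Medium", "Low").index(f.severity), f.path, f.line))

def verdict(findings: list) -> str:
    # The skill's conclusion: any Critical blocks publishing, anything else needs review.
    if any(f.severity == "Critical" for f in findings):
        return "❌ DO NOT PUBLISH - secrets detected"
    return "⚠️ Review flagged items before publishing" if findings else "✅ Safe to publish"

SAMPLE_FILES = {  # constructed sample input, not real data
    "config/settings.py": "DEBUG = True\nDATABASE_URL = 'postgres://app:hunter22pass@10.0.3.17:5432/prod'\n",
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    ".env.example": "AWS_ACCESS_KEY_ID=\n",   # template file: must not be flagged
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"[{f.severity}] {f.path}:{f.line} {f.what} -> {f.remediation}")
    print(verdict(scan(SAMPLE_FILES)))
```

Regex rules like these catch known formats only; treat a clean run as "nothing obvious", not as proof of absence.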