check-sensitive-data
Analyzes PHP code for sensitive data exposure. Detects plaintext secrets, exposed credentials, PII in logs, insecure storage, hardcoded keys.
Best use case
check-sensitive-data is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using check-sensitive-data should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/check-sensitive-data/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How check-sensitive-data Compares
| Feature / Agent | check-sensitive-data | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Analyzes PHP code for sensitive data exposure. Detects plaintext secrets, exposed credentials, PII in logs, insecure storage, hardcoded keys.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Sensitive Data Security Check
Analyze PHP code for sensitive data exposure vulnerabilities.
## Detection Patterns
### 1. Hardcoded Credentials
```php
// CRITICAL: Hardcoded password
$pdo = new PDO($dsn, 'admin', 'SuperSecret123!');
// CRITICAL: API key in code
$apiKey = 'sk_live_abc123xyz789';
$stripe = new StripeClient($apiKey);
// CRITICAL: Hardcoded secret
define('JWT_SECRET', 'my-secret-key-123');
const ENCRYPTION_KEY = 'aes256-encryption-key';
```
### 2. Credentials in Version Control
```php
// CRITICAL: .env file committed
// Check .gitignore for:
// .env
// *.pem
// *.key
// config/secrets.php
// CRITICAL: Config with real credentials
// config/database.php
return [
    'password' => 'production_password_here',
];
```
### 3. PII in Logs
```php
// CRITICAL: Password in logs
$this->logger->info('Login', ['password' => $password]);
// CRITICAL: Credit card in logs
$this->logger->debug('Payment', ['card' => $cardNumber]);
// VULNERABLE: Full user object logged
$this->logger->info('User created', ['user' => $user]);
// VULNERABLE: Exception with sensitive data
throw new Exception("Login failed for password: $password");
```
### 4. Sensitive Data in URLs
```php
// CRITICAL: Password in URL
$url = "/reset?token=$token&email=$email&password=$password";
// CRITICAL: API key in URL
$url = "https://api.example.com?key=$apiKey";
// VULNERABLE: Session in URL
session_start();
header("Location: /dashboard?" . SID);
```
### 5. Insecure Data Storage
```php
// CRITICAL: Plain text password storage
$user->password = $request->get('password');
$em->persist($user);
// CRITICAL: Storing credit card in plain text
$order->setCreditCard($cardNumber);
// CRITICAL: Symmetric encryption with weak key
$encrypted = openssl_encrypt($ssn, 'aes-256-cbc', 'password');
```
### 6. Response Data Exposure
```php
// CRITICAL: Password in API response
return new JsonResponse([
    'user' => $user->toArray(), // May include password hash
]);
// CRITICAL: Internal data exposed
return new JsonResponse([
    'error' => $exception->getMessage(),
    'trace' => $exception->getTraceAsString(),
    'query' => $lastQuery,
]);
```
### 7. Debug Information Exposure
```php
// CRITICAL: Debug mode in production
ini_set('display_errors', 1);
error_reporting(E_ALL);
// CRITICAL: phpinfo exposed
phpinfo();
// CRITICAL: var_dump in production
var_dump($user);
print_r($config);
```
### 8. Sensitive Comments
```php
// CRITICAL: Credentials in comments
// TODO: Remove before production
// Username: admin
// Password: admin123
// CRITICAL: API keys in comments
// Old API key: sk_test_abc123
```
### 9. Backup/Temporary Files
```php
// Check for presence of:
// .sql files (database dumps)
// .bak files (backups)
// .old files
// .swp files (vim swap)
// .DS_Store
// Thumbs.db
```
### 10. Error Messages Revealing Data
```php
// CRITICAL: SQL error exposure
try {
    $pdo->query($sql);
} catch (PDOException $e) {
    echo $e->getMessage(); // Reveals table/column names
}
// CRITICAL: File path exposure
if (!file_exists($path)) {
    throw new Exception("File not found: $path");
}
```
## Grep Patterns
```bash
# Hardcoded passwords
Grep: "password\s*[=:]\s*['\"][^'\"]{4,}['\"]" -i --glob "**/*.php"
# API keys
Grep: "(api[_-]?key|apikey|secret[_-]?key)\s*[=:]\s*['\"]" -i --glob "**/*.php"
# AWS credentials
Grep: "AKIA[0-9A-Z]{16}" --glob "**/*.php"
# Private keys
Grep: "-----BEGIN (RSA |PRIVATE |EC )" --glob "**/*"
# Logging sensitive fields
Grep: "->log.*password|->info.*password|->debug.*token" -i --glob "**/*.php"
```
## Sensitive Data Types
| Type | Examples | Risk |
|------|----------|------|
| Authentication | Passwords, tokens, API keys | Account takeover |
| Financial | Credit cards, bank accounts | Financial fraud |
| PII | SSN, passport, ID numbers | Identity theft |
| Health | Medical records, diagnoses | Privacy violation |
| Location | Home address, GPS coords | Physical safety |
## Severity Classification
| Pattern | Severity |
|---------|----------|
| Hardcoded production credentials | 🔴 Critical |
| Password in logs | 🔴 Critical |
| API keys in code | 🔴 Critical |
| PII in error messages | 🟠 Major |
| Debug info in production | 🟠 Major |
| Sensitive comments | 🟡 Minor |
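The Grep patterns above and the severity table can be wired into a small scanner. This is an added example, not part of the skill: it re-expresses the five Grep patterns as Python regexes, adds a sixth (an extension of my own) for the `'password' => '...'` array form that the original password pattern does not match, classifies hits with the severities from the table, and renders each finding in the skill's Output Format. The sample PHP is constructed, and the AWS-style key in it is a made-up placeholder.

```python
import re

# (data type, severity from the Severity Classification table, regex).
# First five: the skill's Grep patterns as Python regexes. Last: an added
# extension (not from the skill) for the 'password' => '...' array form.
PATTERNS = [
    ("Password", "Critical",
     re.compile(r"""password\s*[=:]\s*['"][^'"]{4,}['"]""", re.I)),
    ("API Key", "Critical",
     re.compile(r"""(api[_-]?key|apikey|secret[_-]?key)\s*[=:]\s*['"]""", re.I)),
    ("AWS Credential", "Critical", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("Private Key", "Critical", re.compile(r"-----BEGIN (RSA |PRIVATE |EC )")),
    ("Password in logs", "Critical",
     re.compile(r"->log.*password|->info.*password|->debug.*token", re.I)),
    ("Password", "Critical",
     re.compile(r"""['"]password['"]\s*=>\s*['"][^'"]{4,}['"]""", re.I)),
]

def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, data_type, severity), at most one per line."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for data_type, severity, rx in PATTERNS:
            if rx.search(line):
                findings.append((no, data_type, severity))
                break  # first matching pattern classifies the line
    return findings

def render(finding: tuple[int, str, str], path: str) -> str:
    """One finding in the skill's Output Format (abridged, no code block)."""
    line_no, data_type, severity = finding
    return "\n".join([
        f"### Sensitive Data Exposure: {data_type}",
        f"**Severity:** {severity}",
        f"**Location:** `{path}:{line_no}`",
        "**CWE:** CWE-200 (Exposure of Sensitive Information)",
        f"**Data Type:** {data_type}",
    ])

# Constructed sample. Lines 2 and 5 are deliberately not caught: the PDO
# positional password has no 'password' keyword, and line 5 reads $_ENV.
SAMPLE_PHP = """<?php
$pdo = new PDO($dsn, 'admin', 'SuperSecret123!');
$apiKey = 'sk_live_abc123xyz789';
$awsKey = 'AKIAEXAMPLE000000000';
$dbPassword = $_ENV['DB_PASSWORD'];
return ['password' => 'production_password_here'];
$this->logger->info('Login', ['password' => $password]);
"""
```

Lines 2 and 5 of the sample show the limits of keyword matching: a password passed positionally to `new PDO(...)` is missed entirely, while a value read from `$_ENV` is correctly left alone.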
## Best Practices
### Use Environment Variables
```php
$apiKey = getenv('STRIPE_API_KEY');
$dbPassword = $_ENV['DB_PASSWORD'];
```
### Secure Logging
```php
$this->logger->info('Login attempt', [
    'user_id' => $user->getId(),
    // Never log: password, token, credit card, SSN
]);
```
### Data Masking
```php
function maskEmail(string $email): string
{
    $parts = explode('@', $email);
    if (count($parts) !== 2) {
        return '***'; // Not a well-formed address: mask it entirely
    }
    return substr($parts[0], 0, 2) . '***@' . $parts[1];
}
function maskCard(string $card): string
{
    return '****-****-****-' . substr($card, -4);
}
```
### Secure Error Handling
```php
try {
    $this->process();
} catch (Exception $e) {
    $this->logger->error('Processing failed', ['exception' => $e]);
    throw new PublicException('An error occurred. Please try again.');
}
```
## Output Format
````markdown
### Sensitive Data Exposure: [Description]
**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line`
**CWE:** CWE-200 (Exposure of Sensitive Information)
**Issue:**
[Description of the data exposure]
**Data Type:** [Password|API Key|PII|...]
**Code:**
```php
// Vulnerable code
```
**Fix:**
```php
// Secure handling
```
````
Related Skills
trace-data-transformation
Maps data transformation chains — Request DTO to Command to Entity to Response DTO. Identifies mappers, serializers, type conversions, and data loss points across layer boundaries.
create-health-check
Generates Health Check pattern for PHP 8.4. Creates application-level health endpoints with component checkers (Database, Redis, RabbitMQ), status aggregation, and RFC-compliant JSON response. Includes unit tests.
create-docker-healthcheck
Generates Docker health check scripts for PHP services. Creates PHP-FPM, Nginx, and custom endpoint health checks.
check-xxe
Analyzes PHP code for XML External Entity vulnerabilities. Detects unsafe XML parsers, missing entity protection, LIBXML flags issues, XSLT attacks.
check-version-consistency
Audits version consistency across project files. Checks composer.json, README, CHANGELOG, docs, and configuration files for version number synchronization.
check-type-juggling
Detects PHP type juggling vulnerabilities. Identifies loose comparison with user input, in_array without strict mode, switch statement type coercion, and hash comparison bypasses.
check-timeout-strategy
Audits timeout configuration across HTTP clients, database connections, queue consumers, cache operations, and external service calls. Detects missing or misconfigured timeouts.
check-test-quality
Analyzes PHP test code quality. Checks test structure, assertion quality, test isolation, naming conventions, AAA pattern adherence.
check-ssrf
Analyzes PHP code for SSRF vulnerabilities. Detects unvalidated URLs, internal network access, DNS rebinding, cloud metadata access, URL parsing bypass attempts.
check-sql-injection
Analyzes PHP code for SQL injection vulnerabilities. Detects query concatenation, ORM misuse, raw queries, dynamic identifiers, prepared statement bypasses.
check-serialization
Analyzes PHP code for serialization overhead. Detects inefficient JSON encoding, large object hydration, missing JsonSerializable, circular reference issues.
check-secure-headers
Audits HTTP security headers configuration. Checks CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and cache control headers.