review-leaks
Detect secrets, credentials, and sensitive data leaks before pushing to public repositories.
Best use case
review-leaks is best used as a repeatable pre-publish review step rather than a one-off prompt: it applies the same secret and sensitive-data checklist every time code is reviewed, so teams get consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it at .claude/skills/review-leaks/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
Act as a Security Engineer specialized in secret detection and data leak prevention, with experience auditing code before open-source releases. Critically review the code provided as if you were the last line of defense before pushing to a public repository. Be paranoid, thorough, and explicit.

Evaluate:

1. Hardcoded secrets
   - API keys, tokens, passwords, passphrases
   - OAuth client secrets and refresh tokens
   - JWT secrets and signing keys
   - Encryption keys and salts
   - Database connection strings with credentials
2. Configuration files
   - .env files or .env.* variants committed
   - Config files with real credentials (even commented)
   - Docker/K8s manifests with secrets in plain text
   - CI/CD configs exposing variables
3. Internal infrastructure exposure
   - Internal URLs, staging/dev endpoints
   - Private IPs, internal DNS names
   - VPN endpoints, bastion hosts
   - Internal service names or ports
4. Personally Identifiable Information (PII)
   - Real emails, phone numbers, addresses
   - Test data with real user information
   - Logs containing user data
   - Hardcoded user IDs or account numbers
5. Debug and development artifacts
   - Debug flags enabled by default
   - Verbose logging exposing internals
   - Stack traces with sensitive paths
   - TODO/FIXME comments with sensitive context
6. Certificates and keys
   - Private keys (.pem, .key, .p12)
   - Certificates with internal CN/SAN
   - SSH keys or known_hosts with internal hosts
   - TLS/SSL material
7. Git and repository hygiene
   - .gitignore missing critical patterns
   - Files that should be templated (*.example)
   - History potentially containing secrets (warn if patterns suggest past leaks)
8. Cloud and third-party services
   - AWS/GCP/Azure credentials or account IDs
   - Terraform state references with secrets
   - Service account keys
   - Webhook URLs with tokens
9. Conclusion
   End with an explicit assessment:
   - ✅ Safe to publish
   - ⚠️ Review flagged items before publishing
   - ❌ DO NOT PUBLISH - secrets detected

For each finding, provide:
- File and line number (if applicable)
- Severity: 🔴 Critical / 🟠 High / 🟡 Medium / 🔵 Low
- What was found
- Recommended remediation

Be explicit. A single leaked production secret can compromise the entire system.
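The prompt above is a checklist for an LLM reviewer; an LLM can miss or hallucinate matches, so it pays to pair it with a deterministic pre-check. The following is an added example, not the review-leaks skill's own code: a small scanner that applies a few of the checklist categories (hardcoded secrets, committed .env files, private IPs, private key material, webhook URLs with tokens, debug flags) to an in-memory file tree and emits findings in the skill's severity and verdict format. The rules, file names and values are constructed for this demonstration; a real scanner needs a far larger rule set, entropy checks, and a pass over git history, none of which is shown here.

```python
"""Added example (not the review-leaks skill's own code): a minimal deterministic
leak scanner in the skill's finding/verdict format. Rules and sample files are
constructed for illustration and are not an exhaustive secret-detection rule set."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int        # 0 means the finding applies to the whole file
    severity: str    # "Critical" | "High" | "Medium" | "Low"
    what: str
    fix: str


# Illustrative line-level rules: (regex, severity, what was found, remediation).
RULES = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "Critical", "AWS access key ID",
     "Rotate the key in IAM and load it from the environment or a secret store"),
    (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "Critical",
     "Private key material", "Remove the key, revoke/rotate it and add *.pem/*.key to .gitignore"),
    (re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@"), "Critical",
     "Connection string with embedded credentials", "Strip the credentials and inject them at runtime"),
    (re.compile(r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['"]?[^\s'"]{8,}"""),
     "High", "Hardcoded credential", "Move the value to an environment variable or secret manager and rotate it"),
    (re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"), "High",
     "Webhook URL with embedded token", "Rotate the webhook and load the URL from configuration"),
    (re.compile(r"\b(?:DEBUG|debug)\s*=\s*(?:True|true|1)\b"), "Medium",
     "Debug flag enabled by default", "Default to off and enable only via environment in development"),
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ENV_FILE_RE = re.compile(r"(?:.*/)?\.env(?:\..+)?")
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
ICON = {"Critical": "🔴", "High": "🟠", "Medium": "🟡", "Low": "🔵"}


def scan_file(path: str, content: str) -> list[Finding]:
    """Return findings for one file: file-level checks first, then line-level rules."""
    findings = []
    if ENV_FILE_RE.fullmatch(path) and not path.endswith(".example"):
        findings.append(Finding(path, 0, "High", ".env file committed",
                                "Commit .env.example with placeholders and add .env* to .gitignore"))
    for lineno, text in enumerate(content.splitlines(), 1):
        for regex, severity, what, fix in RULES:
            if regex.search(text):
                findings.append(Finding(path, lineno, severity, what, fix))
        # Internal infrastructure exposure: private (RFC 1918 etc.) addresses, loopback excluded.
        for m in IPV4_RE.finditer(text):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:  # e.g. 999.1.1.1 matched the loose regex
                continue
            if ip.is_private and not ip.is_loopback:
                findings.append(Finding(path, lineno, "Medium", f"Private IP address {ip}",
                                        "Replace with a placeholder or a name resolved at runtime"))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, content in files.items() for f in scan_file(path, content)]


def verdict(findings: list[Finding]) -> str:
    """The skill's three-way assessment; any Critical finding blocks publishing."""
    if any(f.severity == "Critical" for f in findings):
        return "❌ DO NOT PUBLISH - secrets detected"
    if findings:
        return "⚠️ Review flagged items before publishing"
    return "✅ Safe to publish"


def report(files: dict[str, str]) -> str:
    """One line per finding (worst severity first), then the verdict."""
    findings = scan_files(files)
    out = []
    for f in sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line)):
        where = f"{f.path}:{f.line}" if f.line else f.path
        out.append(f"{ICON[f.severity]} {f.severity} {where}: {f.what}. Remediation: {f.fix}")
    out.append(verdict(findings))
    return "\n".join(out)


# Constructed sample tree: every path and value here is made up for the demonstration.
SAMPLE_FILES = {
    "config/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                   "DATABASE_URL=postgres://app:Sup3rS3cret@10.20.30.40:5432/app\n",
    "app/settings.py": "DEBUG = True\n"
                       "SMTP_PASSWORD = \"Winter2024!\"\n"
                       "SLACK_HOOK = 'https://hooks.slack.com/services/T000/B000/XXXXXXXX'\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "README.md": "Copy .env.example to .env and fill in your own values.\n",
}

if __name__ == "__main__":
    print(report(SAMPLE_FILES))
```

Running the script on the constructed tree reports three Critical findings (the AWS key ID, the connection string with an embedded password, and the private key), three High (the committed .env file, the hardcoded SMTP password, the Slack webhook), two Medium (the private IP and the debug flag), and therefore the ❌ verdict; the README, which only mentions .env.example, produces nothing. The point of the verdict logic is that a single Critical hit is enough to block publishing, matching the skill's "last line of defense" stance.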
Related Skills
review-for-prod
Production-ready Go code review (QA + security + maintainability) for this project only.
review-docs
Review and clean technical documentation (Markdown/README/runbooks/ADRs). Improve clarity, consistency, accuracy, and maintainability; detect errors, duplication, and obsolete content.
release
Create a professional release using GitHub CLI (gh). Generate SemVer version, clear release notes, and ready-to-run command.
flutter-dart-code-review
Library-agnostic Flutter/Dart code review checklist covering widget best practices, state management patterns (BLoC, Riverpod, Provider, GetX, MobX, Signals), Dart idioms, performance, accessibility, security, and clean architecture.
security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
addressing-pr-review-comments
Address all valid review comments on a PR for the current branch in the streamlit/streamlit repo. Covers both inline review comments and general PR (issue) comments. Use when a PR has reviewer feedback to address, including code changes, style fixes, and documentation updates.
lightning-architecture-review
Review Bitcoin Lightning Network protocol designs, compare channel factory approaches, and analyze Layer 2 scaling tradeoffs. Covers trust models, on-chain footprint, consensus requirements, HTLC/PTLC compatibility, liveness, and watchtower support.
gha-security-review
Find exploitable vulnerabilities in GitHub Actions workflows. Every finding MUST include a concrete exploitation scenario — if you can't build the attack, don't report it.
gh-review-requests
Fetch unread GitHub notifications for open PRs where review is requested from a specified team or opened by a team member. Use when asked to "find PRs I need to review", "show my review requests", "what needs my review", "fetch GitHub review requests", or "check team review queue".
fix-review
Verify fix commits address audit findings without new bugs
error-debugging-multi-agent-review
Use when running a multi-agent review of error debugging.
django-perf-review
Django performance code review. Use when asked to "review Django performance", "find N+1 queries", "optimize Django", "check queryset performance", "database performance", "Django ORM issues", or audit Django code for performance problems.