Downloads: 430
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install prepublish-privacy-scrub
Description
Scan and remove sensitive data before publishing skills. Detect API keys, tokens, secrets, and personal info.
Usage Guidance
Do not run this scrubbing code on your primary working directory yet. Main issues to address before using:
- Implement reliable backups (e.g., copy files to a timestamped backup folder or use git to create a branch); the current `Invoke-PrivacyScrub` overwrites files without backups despite claiming otherwise.
- Make scrubbing coverage consistent with detection: add replacers for bearer tokens, sk- keys, OPENCLAW_* matches, and other patterns you detect (or ensure the scan only reports and requires manual removal).
- Limit the set of files you modify to text files (avoid altering binaries) and ensure the scan and scrub operate on the same file-extension whitelist.
- Add a dry-run mode that reports matches without changing files, and produce a summarized report rather than only in-place edits.
- Declare platform requirements (PowerShell) so users on Linux/macOS know how to run it.
- Test on a copy or in a disposable environment (and/or on a git branch) to avoid irreversible changes.

After those changes the skill would be much safer; as written, it is coherent with its purpose but contains risky gaps and mismatches that make it unsafe to run directly.
Capability Analysis
Type: OpenClaw Skill
Name: prepublish-privacy-scrub
Version: 1.0.0
The skill is classified as suspicious due to critical vulnerabilities in its implementation. The `Invoke-PrivacyScrub` function in `SKILL.md` directly overwrites files without creating a backup, contradicting the explicit 'Original files backed up before scrub' claim in the 'Privacy/Safety' section. This poses a significant risk of irreversible data loss. Additionally, the scrubbing function applies to all file types, not just text-based ones, increasing the potential for file corruption. While the stated purpose is benign and there is no evidence of intentional malicious behavior like data exfiltration or unauthorized execution, these severe flaws make the skill dangerous to use.
Capability Assessment
Purpose & Capability
Name/description align with the instructions: the SKILL.md contains scanning and scrubbing routines intended to detect and redact keys, tokens, emails, and internal URLs. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
The instructions read and overwrite files recursively in a working tree and would modify content in place, but they claim 'original files backed up before scrub' while the Invoke-PrivacyScrub implementation does not create backups. Detection patterns include bearer tokens, sk- keys, and OPENCLAW_* patterns, yet the scrubbing replacement table only covers a few simple name=value cases (apiKey, token, secret). Test-PrivacyScan only searches files with selected extensions (.md, .ps1, .json, .txt) while scrubbing operates on all files, introducing a risk of modifying unintended files (binary files, other extensions) and missing detections in un-scanned extensions. The functions are PowerShell-specific but the skill metadata does not state a platform requirement, which may lead to failures or unexpected behavior on non-Windows systems.
Install Mechanism
Instruction-only skill with no install steps or downloaded artifacts — low installation risk. No archives or external downloads.
Credentials
No environment variables, credentials, or config paths are requested. The detection patterns reference OPENCLAW_* and other token forms only for identification; no secret access is requested.
Persistence & Privilege
`always` is false and the skill does not request persistent system presence or modify other skills. It does perform potentially destructive local file writes, but does not attempt to change system-wide configuration or store long-lived credentials.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install prepublish-privacy-scrub`
- After installation, invoke the skill by name or use `/prepublish-privacy-scrub`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of prepublish-privacy-scrub.
- Scans project files for sensitive data patterns: API keys, tokens, secrets, emails, personal paths, and internal URLs.
- Provides PowerShell functions for automated detection (Test-PrivacyScan) and redaction (Invoke-PrivacyScrub) of sensitive data.
- Includes a pre-publish privacy checklist to ensure files are clean before publishing.
- Privacy/safety practices: local-only scanning, use of placeholders, and file backup before scrubbing.
- Offers clear usage triggers and executable verification criteria for safe publishing.
Frequently Asked Questions
What is Prepublish Privacy Scrub?
Scan and remove sensitive data before publishing skills. Detect API keys, tokens, secrets, and personal info. It is an AI Agent Skill for Claude Code / OpenClaw, with 430 downloads so far.
How do I install Prepublish Privacy Scrub?
Run "/install prepublish-privacy-scrub" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Prepublish Privacy Scrub free?
Yes, Prepublish Privacy Scrub is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Prepublish Privacy Scrub support?
Prepublish Privacy Scrub is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Prepublish Privacy Scrub?
It is built and maintained by Dalomeve (@dalomeve); the current version is v1.0.0.