| context | fork |
| name | docs-review-security |
| description | Scan documentation for sensitive data before publication — real IP addresses, credentials, internal hostnames, email addresses, and MAC addresses. Use this skill when asked to check for PII, security issues, customer-sensitive data, or before publishing documentation. Runs a deterministic regex scanner first, then applies agent judgment for patterns regex cannot catch. |
Security and PII review skill
Scan documentation for sensitive data that must not appear in published content:
real IP addresses, credentials, internal hostnames, customer-identifying
information, and other PII.
This skill has two layers:
- Deterministic scan — run
pii_scanner.py for regex-based detection
- Agent analysis — review for patterns regex cannot catch
Layer 1: Run the scanner
Run the PII scanner against the target files:
python3 ${CLAUDE_SKILL_DIR}/scripts/pii_scanner.py scan <file1> <file2> ...
Or for a docs directory:
python3 ${CLAUDE_SKILL_DIR}/scripts/pii_scanner.py scan --docs-dir <path> [--scan-dirs modules,topics] [--file-types .adoc,.md,.dita]
Parse the JSON output. If findings exist, include them in the report grouped
by severity (critical first, then warning).
Layer 2: Agent analysis checklist
After the scanner runs, review the content for patterns that regex cannot
reliably detect:
Customer-sensitive data in YAML/JSON examples
Internal references
Sensitive patterns in prose
LUN WWIDs (if applicable)
How to report
For each finding, report:
- File and line number
- Category (ip, email, credential, url, mac, internal_hostname, or agent-detected)
- Severity:
critical (credentials, private keys) or warning (IPs, emails, URLs)
- Suggestion: the safe replacement (RFC 5737 IP,
@example.com email, etc.)
Example invocations
- "Scan this file for PII and sensitive data"
- "Run a security review on the installation guide"
- "Check these docs for credentials and internal hostnames before we publish"