specstory-guard
Install a pre-commit hook that scans .specstory/history for secrets before commits. Run when user says "set up secret scanning", "install specstory guard", "protect my history", or "check for secrets".
| name | specstory-guard |
| description | Install a pre-commit hook that scans .specstory/history for secrets before commits. Run when user says "set up secret scanning", "install specstory guard", "protect my history", or "check for secrets". |
| license | Apache-2.0 |
| metadata | {"author":"SpecStory, Inc.","version":"1.0.0","argument-hint":"[install|scan|check|uninstall] [--root PATH]"} |
| allowed-tools | Bash, Read, Write |
A pre-commit guardrail that scans .specstory/history for potential secrets and blocks commits until they are removed or redacted.
.specstory/history files on every commit

AI coding sessions may inadvertently capture sensitive data:
Guard prevents accidental commits of these secrets.
| User says | Action |
|---|---|
| `/specstory-guard` | Install the pre-commit hook |
| `/specstory-guard install` | Install the pre-commit hook |
| `/specstory-guard scan` | Run a manual scan without installing |
| `/specstory-guard check` | Alias for scan |
| `/specstory-guard uninstall` | Remove the pre-commit hook |
```bash
# Install the pre-commit hook
python skills/specstory-guard/scripts/guard.py install

# Run a manual scan
python skills/specstory-guard/scripts/guard.py scan --root .

# Uninstall the hook
python skills/specstory-guard/scripts/guard.py uninstall

# Scan with custom allowlist
SPECSTORY_GUARD_ALLOWLIST='example-key,PLACEHOLDER_.*' \
python skills/specstory-guard/scripts/guard.py scan --root .
```
```
SpecStory Guard - Security Scan
===============================
Scanning .specstory/history/...
ALERT: Potential secrets found!
File: .specstory/history/2026-01-22_19-20-56Z-api-setup.md
Line 142: AWS_SECRET_ACCESS_KEY=AKIA...redacted...XYZ
Line 289: private_key: "-----BEGIN RSA PRIVATE KEY-----..."
File: .specstory/history/2026-01-20_10-15-33Z-debug-auth.md
Line 56: Authorization: Bearer eyJhbG...redacted...
Total: 3 potential secrets in 2 files
Commit blocked. Please redact or remove these secrets before committing.
```

```
SpecStory Guard - Security Scan
===============================
Scanning .specstory/history/...
All clear! No secrets detected in 47 files.
```

```
SpecStory Guard - Setup
=======================
Pre-commit hook installed at .git/hooks/pre-commit
The hook will now scan .specstory/history/ before each commit.
To test: python skills/specstory-guard/scripts/guard.py scan --root .
```
Guard scans for these common secret patterns:
| Pattern | Example |
|---|---|
| AWS Keys | AKIA..., aws_secret_access_key |
| API Tokens | Bearer ..., token: ... |
| Private Keys | -----BEGIN RSA PRIVATE KEY----- |
| GitHub Tokens | ghp_..., github_pat_... |
| Generic Secrets | password=, secret=, api_key= |
If you have false positives (example keys, placeholders), use the allowlist:
```bash
# Environment variable (comma-separated regex patterns)
SPECSTORY_GUARD_ALLOWLIST='example-key,PLACEHOLDER_.*,test-token' \
python skills/specstory-guard/scripts/guard.py scan --root .
```
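A sketch of how a pattern table and a comma-separated regex allowlist like the ones above can fit together, added here as an illustration; it is not the code in `guard.py`. The regexes, the function names, and the choice to test the allowlist against the matched text rather than the whole line (so a placeholder cannot hide a real token on the same line) are assumptions, and the sample input is constructed.

```python
import re

# Illustrative regexes for the categories in the table above (assumptions,
# not the patterns shipped in guard.py).
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "AWS secret key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+"),
    "Bearer token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "Private key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "GitHub token": re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})"),
    "Generic secret": re.compile(r"(?i)\b(?:password|secret|api_key)\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
}

def parse_allowlist(raw):
    """Split a SPECSTORY_GUARD_ALLOWLIST-style value into compiled regexes."""
    return [re.compile(p.strip()) for p in raw.split(",") if p.strip()]

def redact(text):
    """Keep a short prefix so the scanner's own output never leaks the value."""
    return text[:4] + "...redacted..." if len(text) > 4 else "[REDACTED]"

def scan_text(text, allowlist=()):
    """Return (line_number, category, redacted_match) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Allowlist is checked per match, not per line.
                if any(a.search(m.group(0)) for a in allowlist):
                    continue
                findings.append((lineno, category, redact(m.group(0))))
    return findings

# Constructed sample history content (no real credentials).
SAMPLE = """\
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = PLACEHOLDER_API_KEY
Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345
password=example-key and ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE, parse_allowlist("example-key,PLACEHOLDER_.*")):
        print(hit)
```

On line 4 of the sample, the allowlisted `password=example-key` is suppressed while the GitHub-style token next to it is still reported.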
When secrets are found:
[REDACTED] or remove the line

After running guard commands:
I found 3 potential secrets in your SpecStory history:
1. **AWS credentials** in `2026-01-22_19-20-56Z-api-setup.md` (line 142)
2. **Private key** in the same file (line 289)
3. **Bearer token** in `2026-01-20_10-15-33Z-debug-auth.md` (line 56)
Would you like me to help redact these? I can replace them with `[REDACTED]`
while preserving the rest of the conversation context.
git commit