From gist-writer
Pre-flight PII / sensitive-data scrub for content about to be posted to a public GitHub gist. Identifies IPs, hostnames, MACs, emails, tokens, secrets, and home-directory usernames; proposes redactions; confirms with the user before any public publish. Invoked automatically by claude-solution-gist and debug-writeup-gist when visibility=public; can also be run standalone.
`npx claudepluginhub danielrosehill/claude-code-plugins --plugin gist-writer`

This skill uses the workspace's default tool permissions.
This skill runs before any **public** gist is created. For private gists it can be skipped (private gists are still on GitHub and indexable, but the bar is the user's call).
Two passes — regex first (fast, catches the obvious), then a structured review pass (catches context-sensitive leaks).
Flag every match. Don't auto-replace; surface them all and let the user decide per category.
| Category | Patterns / examples |
|---|---|
| IPv4 (private/public) | `\b(?:\d{1,3}\.){3}\d{1,3}\b` — but ignore `0.0.0.0`, `127.0.0.1`, `255.255.255.0`, common docs ranges (`192.0.2.*`, `198.51.100.*`, `203.0.113.*`) |
| IPv6 | standard IPv6 patterns; ignore `::1` |
| MAC | `\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b` |
| Emails | `[\w.+-]+@[\w-]+\.[\w.-]+` |
| Hostnames (likely-private) | `*.local`, `*.lan`, `*.home`, `*.internal`, `*.corp` |
| Home-dir usernames | `/home/<user>/`, `/Users/<user>/`, `/root/` (root is usually fine but flag for review) |
| API keys / tokens | `sk-[A-Za-z0-9]{20,}`, `ghp_[A-Za-z0-9]{36}`, `github_pat_[A-Za-z0-9_]{82}`, `xox[baprs]-[A-Za-z0-9-]+` (Slack), `AKIA[0-9A-Z]{16}` (AWS), JWTs (`eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`), generic `Bearer [A-Za-z0-9._-]+` |
| Passwords / secrets in env-style lines | `(?i)(password |
| SSH private keys | `-----BEGIN (OPENSSH |
| AWS account IDs | `\b\d{12}\b` in AWS-context lines |
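
The regex pass over a document, as an added example that is not part of the original skill. It uses a subset of the table's patterns and flags every hit with its line number without replacing anything. The category names, the `home_dir` regex and the sample text are assumptions made for this example.

```python
import ipaddress
import re

# Patterns copied from the table above; the dict keys are names chosen here.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    # Assumption: one way to match the /home/<user>/ and /Users/<user>/ rows.
    "home_dir": re.compile(r"/(?:home|Users)/[^/\s]+/"),
}
IGNORED_IPS = {"0.0.0.0", "127.0.0.1", "255.255.255.0"}
DOC_NETS = [ipaddress.ip_network(n)
            for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def classify_ipv4(text):
    """Return None for values to ignore, otherwise 'private' or 'public'."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return None  # the regex also matches non-addresses such as 999.1.1.1
    if str(ip) in IGNORED_IPS or any(ip in net for net in DOC_NETS):
        return None
    return "private" if ip.is_private else "public"

def scan(content):
    """Regex pass: list (line_no, category, value) per hit; nothing is replaced."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value, label = match.group(0), category
                if category == "ipv4":
                    kind = classify_ipv4(value)
                    if kind is None:
                        continue
                    label = f"ipv4_{kind}"
                findings.append((line_no, label, value))
    return findings

# Constructed sample input; the token is a fake built from filler characters.
SAMPLE = "\n".join([
    "Connect to 10.0.0.42, then check 203.0.113.7 and 127.0.0.1",
    "eth0 is aa:bb:cc:dd:ee:ff",
    "logs are in /home/daniel/repos/app/out.log",
    "export GH_TOKEN=ghp_" + "x" * 36,
])
```

Calling `scan(SAMPLE)` returns one finding per line; the documentation-range and loopback addresses on the first line are skipped.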
After regex, re-read the document and look for:
- `cloudpi.local`, `ops-vps-01`, `prod-db-eu`.
- `~/Documents/Clients/<RealClient>/`).

Produce a redaction report before the gist is created:
```
=== PII / Sensitive Data Scan ===

🔴 BLOCKING (must redact or abort):
  - SSH private key at line 42

🟡 LIKELY SENSITIVE (recommend redact):
  - IPv4 10.0.0.42 at line 17 (private RFC1918 → recommend `10.0.0.X`)
  - IPv4 91.123.45.67 at line 19 (public; could fingerprint host → recommend `<public-vps-ip>`)
  - Hostname `daniel-desktop.local` at line 23 → recommend `<workstation>.local`
  - Path `/home/daniel/repos/...` at line 31 → recommend `~/repos/...`

🟢 LOW RISK (review):
  - Email `public@example.com` at line 5 — looks intentional?

Apply redactions? [Y / select-categories / abort]
```
When the user accepts a redaction, replace with a clearly-marked placeholder, not deletion:
- `<lan-ip>` / `<public-ip>` / `<vps-ip>` (descriptive when possible)
- `<workstation>` / `<server>` / `<host>.local`
- `~/...` for home dirs
- `<REDACTED-TOKEN>`
- `<email>` or keep if it's the public author email

Markers help future readers understand what kind of value belonged there.
Abort and refuse to publish (don't just warn) if:
- .pem body is present.
- `git remote -v` output for a private repo is embedded.

When invoked directly (not as a pre-flight), run the same two passes against a file or pasted content and produce the same report. Don't modify the source unless asked.