From repomix-safe-mixer
Scans codebases for hardcoded credentials before packaging with repomix. Blocks packaging if secrets are found, or forces packaging after cleanup.
How this skill is triggered — by the user, by Claude, or both
Slash command
/repomix-safe-mixer:repomix-safe-mixerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.
Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.
This skill prevents accidental credential exposure when packaging code with repomix. It scans for hardcoded secrets (API keys, database credentials, tokens), reports findings, and ensures safe packaging.
When to use: When packaging code with repomix for distribution, creating shareable reference packages, or whenever security concerns exist about hardcoded credentials in code.
Use safe_pack.py from this skill's scripts/ directory for the complete workflow: scan → report → pack.
python3 scripts/safe_pack.py <directory>
What it does:
Example:
python3 scripts/safe_pack.py ./my-project
Output if clean:
🔍 Scanning ./my-project for hardcoded secrets...
✅ No secrets detected!
📦 Packing ./my-project with repomix...
✅ Packaging complete!
Package is safe to distribute.
Output if secrets found:
🔍 Scanning ./my-project for hardcoded secrets...
⚠️ Security Scan Found 3 Potential Secrets:
🔴 supabase_url: 1 instance(s)
- src/client.ts:5
Match: https://your-project-ref.supabase.co
❌ Cannot pack: Secrets detected!
Custom output file:
python3 scripts/safe_pack.py \
./my-project \
--output package.xml
With repomix config:
python3 scripts/safe_pack.py \
./my-project \
--config repomix.config.json
Exclude patterns from scanning:
python3 scripts/safe_pack.py \
./my-project \
--exclude '.*test.*' '.*\.example'
Force pack (dangerous, skip scan):
python3 scripts/safe_pack.py \
./my-project \
--force # ⚠️ NOT RECOMMENDED
Use scan_secrets.py from this skill's scripts/ directory for scanning only (without packing).
python3 scripts/scan_secrets.py <directory>
Use cases:
Example:
python3 scripts/scan_secrets.py ./my-project
JSON output for programmatic use:
python3 scripts/scan_secrets.py \
./my-project \
--json
Exclude patterns:
python3 scripts/scan_secrets.py \
./my-project \
--exclude '.*test.*' '.*example.*' '.*SECURITY_AUDIT\.md'
The scanner detects common credential patterns including:
Cloud Providers:
AKIA...)API Keys:
sk_live_..., pk_live_...)sk-...)AIza...)Authentication:
eyJ...)-----BEGIN PRIVATE KEY-----)0x...)See references/common_secrets.md for complete list and patterns.
When secrets are found:
Examine each finding to verify it's a real credential (not a placeholder or example).
Before:
const SUPABASE_URL = "https://your-project-ref.supabase.co";
const API_KEY = "<hardcoded-anon-key-DO-NOT-COMMIT>";
After:
const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL || "https://your-project-ref.supabase.co";
const API_KEY = import.meta.env.VITE_API_KEY || "your-api-key-here";
// Validation
if (!import.meta.env.VITE_SUPABASE_URL) {
console.error("⚠️ Missing VITE_SUPABASE_URL environment variable");
}
# Example environment variables
VITE_SUPABASE_URL=https://your-project-ref.supabase.co
VITE_API_KEY=your-api-key-here
# Instructions:
# 1. Copy this file to .env
# 2. Replace placeholders with real values
# 3. Never commit .env to version control
Run scanner again to confirm secrets removed:
python3 scripts/scan_secrets.py ./my-project
Once clean, package safely:
python3 scripts/safe_pack.py ./my-project
If credentials were already exposed (e.g., committed to git, shared publicly):
The scanner skips common false positives:
Placeholders:
your-api-key, example-key, placeholder-value<YOUR_API_KEY>, ${API_KEY}, TODO: add keyTest/Example files:
.*test.*, .*example.*, .*sample.*Comments:
//, #, /*, *Environment variable references (correct usage):
process.env.API_KEYimport.meta.env.VITE_API_KEYDeno.env.get('API_KEY')Use --exclude to skip additional patterns if needed.
This skill works with standard repomix:
Default usage (no config):
python3 scripts/safe_pack.py ./project
With repomix config:
python3 scripts/safe_pack.py \
./project \
--config repomix.config.json
Custom output location:
python3 scripts/safe_pack.py \
./project \
--output ~/Downloads/package-clean.xml
The skill runs repomix internally after security validation, passing through config and output options.
# Scan and pack in one command
python3 scripts/safe_pack.py \
~/workspace/my-project \
--output ~/Downloads/my-project-package.xml
# Step 1: Scan to discover secrets
python3 scripts/scan_secrets.py ~/workspace/my-project
# Step 2: Review findings and replace credentials with env vars
# (Edit files manually or with automation)
# Step 3: Verify cleanup
python3 scripts/scan_secrets.py ~/workspace/my-project
# Step 4: Package safely
python3 scripts/safe_pack.py \
~/workspace/my-project \
--output ~/Downloads/my-project-clean.xml
# Pre-commit hook: scan for secrets
python3 scripts/scan_secrets.py . --json
# Exit code 1 if secrets found (blocks commit)
# Exit code 0 if clean (allows commit)
References:
references/common_secrets.md - Complete credential pattern catalogScripts:
scripts/scan_secrets.py - Standalone security scannerscripts/safe_pack.py - Complete scan → pack workflowRelated Skills:
repomix-unmixer - Extracts files from repomix packagesskill-creator - Creates new Claude Code skillsThis skill detects common patterns but may not catch all credential types. Always:
Not a replacement for: Secret scanning in CI/CD, git history scanning, or comprehensive security audits.
npx claudepluginhub p/daymade-repomix-safe-mixer-repomix-safe-mixerScans codebases for exposed credentials including API keys, passwords, and private keys. Activates on queries about secret scanning or credential leaks.
Packs an external repository into a single AI-friendly file (markdown/xml/json) for third-party analysis, security audits, or handoff to external LLMs.
Detects leaked secrets, API keys, passwords, and tokens in git repositories using gitleaks. Automatically sets up pre-commit hooks to scan staged files and block commits containing secrets.