From appsec
This skill should be used when the user asks to "check for personal data disclosure", "analyze PII exposure", "find privacy issues related to data leakage", "check for unauthorized data sharing", or mentions "disclosure" in a privacy context. Maps to LINDDUN category D2. Focuses specifically on PERSONAL data disclosure, complementing STRIDE information disclosure.
npx claudepluginhub florianbuetow/claude-code --plugin appsec
This skill uses the workspace's default tool permissions.
Analyze source code for disclosure threats where personal data is accessible to unauthorized parties. Focuses specifically on personal and sensitive data rather than general system information. Covers direct disclosure (data breach vectors) and indirect disclosure (third-party sharing, over-collection).
Read ../../shared/schemas/flags.md for full flag documentation. This skill supports all cross-cutting flags.
| Flag | Disclosure-Specific Behavior |
|---|---|
| --scope | Default changed. Focuses on files handling personal data: API handlers, data models, logging, caching, third-party integrations, and error handling. |
| --depth quick | Grep patterns only: scan for PII in logs, error messages, and third-party data sharing. |
| --depth standard | Full code read, trace personal data flows within each file, check access controls on personal data stores. |
| --depth deep | Cross-file personal data flow tracing. Map all paths where PII exits the application boundary. |
| --depth expert | Deep + breach simulation: model what personal data is exposed in each attack scenario. |
| --severity | Filter output. PII in logs is typically high; over-fetching is medium. |
| --fix | Generate redaction, field-level access control, and data minimization replacements. |
LINDDUN D2 -- Disclosure of Information
Disclosure of information in the LINDDUN context refers specifically to
unauthorized access to personal data. Read
../../shared/frameworks/linddun.md for the
full LINDDUN framework reference including the distinction between LINDDUN
disclosure (personal data focus) and STRIDE information disclosure (general
system information).
Privacy Property Violated: Confidentiality of Personal Data
STRIDE Mapping: Information Disclosure (LINDDUN narrows focus specifically to personal data rather than general system information)
Scan the files selected by the --scope flag (default: changed). Read each scoped file and assess its personal data exposure vectors.
At --depth deep or --depth expert, trace all paths where personal data
exits the application boundary and map the full disclosure surface.
Output findings per ../../shared/schemas/findings.md.
Each finding needs: DDSCL-NNN id, title, severity (based on data sensitivity
and exposure scope), location with snippet, description of what personal data is
disclosed and through which channel, impact (unauthorized data access), fix
(redaction, minimization, or encryption), and CWE/LINDDUN references.
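The three fix shapes named above, redaction and minimization in particular, as an added illustration written for this page rather than taken from the skill's own --fix output. The names (serialize_user, PiiRedactingFilter, FIELD_POLICY, demo_log_lines), the role policy and the redaction regexes are assumptions; the log messages are constructed samples.

```python
"""Redaction and field-level minimization helpers (added example)."""
import logging
import re

# Field-level access policy per viewer role: the personal-data fields a role
# may receive. Anything not listed is dropped before the response leaves the
# application boundary (data minimization). Roles and fields are assumed.
FIELD_POLICY = {
    "self": {"id", "email", "phone", "display_name"},
    "support": {"id", "email", "display_name"},
    "public": {"id", "display_name"},
}


def serialize_user(user: dict, viewer_role: str) -> dict:
    """Return only the fields the viewer's role may see.

    Replaces the over-fetching shape `res.json(user)`, which sends password
    hashes, SSNs and every other column straight to the client.
    """
    allowed = FIELD_POLICY.get(viewer_role, FIELD_POLICY["public"])
    return {key: value for key, value in user.items() if key in allowed}


# Shapes of values that must never reach a log line (assumed patterns).
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


def redact(text: str) -> str:
    """Mask email, SSN and card-number shaped tokens in free text."""
    text = _EMAIL.sub("[email]", text)
    text = _SSN.sub("[ssn]", text)
    text = _CARD.sub("[card]", text)
    return text


class PiiRedactingFilter(logging.Filter):
    """Logging filter that redacts the fully rendered message.

    Attached to a handler, it turns `logger.info("login %s", email)` into a
    masked line without touching any call site.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; stop a second % formatting
        return True


def demo_log_lines() -> list:
    """Route two constructed log calls through the filter; return what was emitted."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())

    log = logging.getLogger("demo.redaction")
    log.propagate = False
    log.setLevel(logging.INFO)
    log.handlers.clear()
    handler = ListHandler()
    handler.addFilter(PiiRedactingFilter())
    log.addHandler(handler)
    log.info("login from %s", "alice@example.com")  # constructed sample
    log.warning("charge failed for card 4111 1111 1111 1111")  # constructed sample
    return captured


if __name__ == "__main__":
    record = {"id": 7, "email": "a@b.io", "password_hash": "x", "ssn": "123-45-6789",
              "display_name": "A"}
    print(serialize_user(record, "support"))
    print(demo_log_lines())
```

The filter masks the rendered message rather than individual arguments, so PII that arrives embedded in a format string is caught too; the cost is that any `%` left in the redacted text is no longer interpreted, which is why `record.args` is cleared.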
Grep patterns used at --depth quick, one alternation per disclosure pattern:

PII in logs: `log\.\w+\(.*email|logger\.\w+\(.*password|console\.log\(.*ssn|print\(.*credit.card`
Over-fetched API responses: `res\.json\(user\)|response\.send\(userData\)|SELECT \*.*FROM.*user|\.toJSON\(\)`
Third-party data sharing: `Sentry\.captureException.*user|analytics\.track.*email|gtag.*user_id|bugsnag.*user`
PII in error messages: `res\.status\(.*\.json\(.*user|catch.*res\.send\(.*err|error.*message.*email`
Personal data in URLs: `\?email=|&phone=|/users/\$\{email\}|encodeURIComponent\(.*email\)|queryString.*ssn`
Plaintext PII storage: `password.*varchar|ssn.*text|credit_card.*string|healthData.*column|plaintext.*pii`
Cache / temp storage leaks: `cache\.set\(.*user|redis\.set\(.*email|localStorage\.setItem\(.*token|sessionStorage.*user`
Over-collection (unbounded queries): `SELECT \*|findAll\(\)|\.find\(\{\}\)|\.aggregate\(\[|include:.*all`

| Regulation | Provision | Relevance |
|---|---|---|
| GDPR Art. 5(1)(f) | Integrity and confidentiality | Personal data must be protected against unauthorized disclosure |
| GDPR Art. 32 | Security of processing | Appropriate technical measures to protect personal data |
| GDPR Art. 33-34 | Breach notification | Disclosure of personal data triggers 72-hour notification |
| CCPA 1798.100 | Right to know | Consumers must know what personal data is collected and shared |
| CCPA 1798.150 | Private right of action | Data breaches exposing personal data create liability |
| HIPAA 164.312 | Technical safeguards | Protected health information requires access controls and encryption |
Use finding ID prefix DDSCL (e.g., DDSCL-001, DDSCL-002).
All findings follow the schema in
../../shared/schemas/findings.md with:
- references.cwe: CWE-200, CWE-311, or CWE-532 as appropriate
- references.owasp: A01:2021 (Broken Access Control) or A02:2021 (Cryptographic Failures)
- metadata.tool: "data-disclosure"
- metadata.framework: "linddun"
- metadata.category: "D2"

Summary table after all findings:
| Disclosure Pattern | Critical | High | Medium | Low |
|------------------------------|----------|------|--------|-----|
| PII in logs | | | | |
| Over-fetched API responses | | | | |
| Third-party data sharing | | | | |
| PII in error messages | | | | |
| Personal data in URLs | | | | |
| Plaintext PII storage | | | | |
| Cache / temp storage leaks | | | | |
Followed by: top 3 priorities, personal data flow map, and overall assessment.