Skill

SafeRead

Runtime redaction tools — safe-read strips secrets and

npx claudepluginhub n4m3z/forge-tlp

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Runtime redaction tools for reading protected files and managing their metadata.

Supporting Assets

SKILL.yaml

SKILL.md

Similar Skills

sensitive-content-scanner

Scans files and directories for sensitive content including credentials, API keys, personal identifiers, private URLs, local paths, and security risks before publishing repos, sharing code, or exporting configs.

operator-skills

secret-scanner

Scans code, git history, and configs for secrets like API keys, cloud credentials, private keys, and DB strings using regex, entropy, and context. Assesses severity and generates remediation reports.

devkit

Secret Scanning

Detects hardcoded secrets, API keys, credentials, tokens, and private keys in source code and git history using regex patterns for pentesting and code reviews.

vuln-scout

Stats

Stars2

Forks0

Last CommitFeb 16, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

SafeRead

Runtime redaction tools for reading protected files and managing their metadata.

safe-read

Read a file with inline #tlp/red sections stripped and secrets redacted:

Modules/forge-tlp/bin/safe-read "/path/to/file.md"

RED files are refused entirely — safe-read only handles AMBER and below.

Secret detection

safe-read automatically scans for known API key and credential patterns (sourced from gitleaks) and replaces them with [SECRET REDACTED]. A warning is emitted to stderr when secrets are found.

Coverage includes 45+ services:

Category	Services
AI/ML	Anthropic, OpenAI, OpenRouter
Cloud	AWS, GCP, Azure
Code hosting	GitHub, GitLab
Communication	Slack, Twilio, SendGrid, Mailchimp
Payments	Stripe
Package registries	npm
Databases	MongoDB connection strings
Crypto	PEM private keys, JWTs

Patterns are compiled into a single regex from src/redact/mod.rs. They match token formats (prefix + length + character set), not secret values — so they work without a secrets database.

Redaction modes

safe-read processes two kinds of redaction:

TLP markers — #tlp/red block and inline sections (see /TLP skill for marker syntax)
Secret patterns — regex-matched credentials replaced with [SECRET REDACTED]

Both run in a single pass. TLP redaction runs first, then secret scanning on the remaining content.

blind-metadata

Bulk YAML frontmatter operations without reading file content. Useful for managing tlp: fields across files:

# Set a key on all .md files in a directory
Modules/forge-tlp/bin/blind-metadata set <directory> <key> <value>

# Get a key from all .md files
Modules/forge-tlp/bin/blind-metadata get <directory> <key>

# List files missing a key
Modules/forge-tlp/bin/blind-metadata has <directory> <key>

Supports absolute paths and vault-relative paths (walks up to find .tlp root).

Common operations

# Classify a directory as RED
blind-metadata set Resources/Contacts tlp RED

# Audit which files have TLP frontmatter
blind-metadata has Resources/Journals tlp

# Read TLP values without opening the files
blind-metadata get Resources/Journals tlp

Related Skills

/TLP — classification rules, .tlp config, frontmatter overrides
/SecretScan — commit-time secret scanning with gitleaks

!dispatch skill-load forge-tlp