Skill

sensitive-disclosure

Reviews code for sensitive data leaks to LLMs including PII/credentials in prompts, raw outputs, and shared memory. Flags OWASP LLM06 patterns and suggests redaction/pseudonymization fixes.

Python

OpenAI

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Prevents confidential data from leaking through LLM inputs or outputs. LLMs may memorize,

SKILL.md

Similar Skills

Ai Code Security

Audits AI-generated code and LLM applications for security vulnerabilities, covering OWASP Top 10 for LLMs, secure coding patterns, and AI-specific threat models.

3 files

omer-metin-skills-for-antigravity-2

llm-output-privacy-risk

Assesses privacy risks in LLM outputs including training data memorisation, PII leakage, prompt injection, and hallucinated PII. Guides output filtering, guardrails, monitoring.

4 files

ai-privacy-governance-skills

security-patterns

133

Provides security patterns for authentication, defense-in-depth, input validation, OWASP Top 10, LLM safety, and PII masking. Useful for auth flows, sanitization, vulnerability prevention, prompt injection defense, and data redaction.

20 files5 tools

ork

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Sensitive Information Disclosure (OWASP LLM06:2025)

What this checks

Prevents confidential data from leaking through LLM inputs or outputs. LLMs may memorize, echo, or inference-time expose PII, credentials, and business secrets embedded in prompts — to current users, future users, or via model extraction.

Vulnerable patterns

system_prompt = f"User record: {json.dumps(user)}" — full user object (SSN, DOB, email) in prompt
OPENAI_API_KEY or DB passwords hardcoded or interpolated into system prompts
Returning raw LLM responses that may echo back data from the system prompt
Storing full conversation history (with PII) in shared memory/vector store across sessions

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

PII is redacted or pseudonymized before it reaches the model. Replace raw records with opaque identifiers ("user_id=42" instead of the row), or scrub values matching known sensitive patterns (SSN, email, card numbers) through a redaction step. "Don't repeat personal details" in the prompt is not sufficient.
No credentials appear in prompt strings. Load them from environment variables or a secrets manager and keep them server-side — never interpolate into a system prompt, even "just for auth context".
Every return site for the LLM response passes through an output-redaction gate before the response leaves the process. This catches data that leaked through retrieval or memory.
If the code persists conversation history or writes to a memory/vector store, records are keyed or partitioned by user identity so one session's context cannot be retrieved by another.
If prompts or completions are logged, they go through the same redaction helper before emission — otherwise logs become the leak.

Anchor — shape, not implementation:

safe_q  = redact(user_question)
prompt  = f"Answer for user_id={user.id}: {safe_q}"     # reference, not record
raw     = call_llm(system=DEV_INSTRUCTIONS, user=prompt)
return redact(raw)                                       # every return site

Verification

Confirm these properties hold for every relevant pattern present in the code under review (each criterion applies only when its pattern is actually present):

No PII field (SSN, DOB, email, phone, address, health record) reaches an LLM API call site without first passing through a redaction or pseudonymization step
System prompts contain only constants loaded from a secrets-manager or environment-backed config, never hardcoded credential literals or interpolated secret values — only applies if the code references credentials (API keys, DB passwords) near the prompt construction
Every code path that returns an LLM response to a caller routes the response through an output-redaction helper before it leaves the process
If the code persists conversation history or writes to a memory/vector store, records are keyed or partitioned by user identity so one session's context cannot be retrieved by another — skip this criterion when the code is a stateless single-request handler with no history/memory
If the code contains logging or telemetry statements that receive a prompt or completion variable, the variable is passed through a redaction helper before emission — skip this criterion when the code has no logging of prompts or completions

References

CWE-200 (Exposure of Sensitive Information)
CWE-359 (Exposure of Private Personal Information)
OWASP LLM06:2025 Sensitive Information Disclosure