[Skill] /pii-check — pre-publish PII & secrets audit for repos that had an AI agent working in them

[clewisdev]

I built this skill after running /pii-check on my own repo before making it public and finding things that no traditional scanner would have caught — a handoff.md in git history from three commits ago, absolute paths with my username baked into a config file, and a fixture CSV that looked generated but wasn't.

What it does

/pii-check is a pre-publish audit for Claude Code. Run it before git push --mirror on a private repo, before open-sourcing a project, or before submitting code to a client.

• Git history scan — looks for files deleted from the working tree that are still in every clone's history (deleted ≠ gone); flags commits where credentials were added then removed; walks you through a git filter-repo rewrite with the working-tree-wipe warning most tutorials omit
• Inference-based PII detection — beyond grep patterns, it reasons about combination risk (first name + postcode + employer = identified person), flags fixture data that looks real rather than synthetic, and catches internal hostnames that reveal infrastructure with no credential present
• Agentic-workflow artifacts — explicitly checks for handoff.md, session notes, run logs, and .claude/ directories; these files barely existed as a threat surface two years ago, which is why gitleaks and every other traditional scanner ignores them
• Pattern scan — emails, phone numbers, API key prefixes (sk-, ghp_, AKIA), private keys, absolute user paths, credentials in URLs, partial masks
• Optional pre-commit hook — wires up gitleaks to staged files so future commits are checked automatically

How it's different from the scanners you already know

Tool	Layer	Gap
sensitive-canary	Context window / API egress	Protects the prompt, not the repo — complementary, not overlapping
vibe-guardian / secrets scanners	Pre-commit pattern matching	Secrets only, no history, no PII inference, no agentic artifacts
gitleaks	History + working tree	Secrets/credential patterns only — won't touch handoff files or combination-risk PII

The specific gap: if a repo started as a private AI-assisted workspace, the agentic workflow itself generates context files that contain PII with no credential pattern. No existing tool flags those.

Install

git clone https://github.com/clewisdev/skills.git
cp -r skills/pii-check ~/.claude/skills/pii-check

Then /pii-check in any Claude Code session, or just ask "is it safe to make this public?"

What it doesn't do

• It's a pre-publish checkpoint, not a continuous guard — use sensitive-canary alongside it if you want real-time egress protection
• It can't definitively prove fixture data is synthetic — it flags things that look real and asks you to confirm
• It won't rewrite history for you automatically — it explains what to do and gives you the commands, but history rewrites are destructive and the human should own that step

Repo

github.com/clewisdev/skills — MIT licensed.

Would love feedback on the output format and whether the agentic-artifact checks are catching things people actually hit in practice.

[jimy-r]

The three finds you describe (a handoff.md in history, username-baked paths, a too-real fixture) match exactly what I hit publishing a redacted mirror of an agent workspace. The lesson that generalised: a pre-publish audit catches HEAD, but agent-worked repos keep regenerating leaks, so the point-in-time check wants two standing companions:

1. A pre-commit denylist hook (private identifiers, home-path shapes, email patterns) so leaks die before entering history — history is where your /pii-check found the handoff.md, and once something is in history, erasure is never complete.
2. A CI gate scanning PR added-lines (emails, home paths, credential prefixes) as the backstop for whatever the local hook misses.

One failure mode worth a test case: the denylist leaking itself. Ours once described its own grep patterns in a public changelog line, which printed the private strings verbatim. The scanner needs to exclude its own rule file and any doc quoting it.

Layered this way, your skill becomes the deep periodic audit and the hooks keep the interval between audits safe. Reference implementation (redaction_check.py + CI workflow): https://github.com/jimy-r/agent-workspace-architecture