repomix-safe-mixer

0
1
Source

Safely package codebases with repomix by automatically detecting and removing hardcoded credentials before packing. Use when packaging code for distribution, creating reference packages, or when the user mentions security concerns about sharing code with repomix.

Install

mkdir -p .claude/skills/repomix-safe-mixer && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4969" && unzip -o skill.zip -d .claude/skills/repomix-safe-mixer && rm skill.zip

Installs to .claude/skills/repomix-safe-mixer

About this skill

Repomix Safe Mixer

Overview

Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.

This skill prevents accidental credential exposure when packaging code with repomix. It scans for hardcoded secrets (API keys, database credentials, tokens), reports findings, and ensures safe packaging.

When to use: When packaging code with repomix for distribution, creating shareable reference packages, or whenever security concerns exist about hardcoded credentials in code.

Core Workflow

Standard Safe Packaging

Use safe_pack.py from this skill's scripts/ directory for the complete workflow: scan → report → pack.

python3 scripts/safe_pack.py <directory>

What it does:

  1. Scans directory for hardcoded credentials
  2. Reports findings with file/line details
  3. Blocks packaging if secrets found
  4. Packs with repomix only if scan is clean

Example:

python3 scripts/safe_pack.py ./my-project

Output if clean:

🔍 Scanning ./my-project for hardcoded secrets...
✅ No secrets detected!
📦 Packing ./my-project with repomix...
✅ Packaging complete!
   Package is safe to distribute.

Output if secrets found:

🔍 Scanning ./my-project for hardcoded secrets...
⚠️  Security Scan Found 3 Potential Secrets:

🔴 supabase_url: 1 instance(s)
   - src/client.ts:5
     Match: https://ghyttjckzmzdxumxcixe.supabase.co

❌ Cannot pack: Secrets detected!

Options

Custom output file:

python3 scripts/safe_pack.py \
  ./my-project \
  --output package.xml

With repomix config:

python3 scripts/safe_pack.py \
  ./my-project \
  --config repomix.config.json

Exclude patterns from scanning:

python3 scripts/safe_pack.py \
  ./my-project \
  --exclude '.*test.*' '.*\.example'

Force pack (dangerous, skip scan):

python3 scripts/safe_pack.py \
  ./my-project \
  --force  # ⚠️ NOT RECOMMENDED

Standalone Secret Scanning

Use scan_secrets.py from this skill's scripts/ directory for scanning only (without packing).

python3 scripts/scan_secrets.py <directory>

Use cases:

  • Verify cleanup after removing credentials
  • Pre-commit security checks
  • Audit existing codebases

Example:

python3 scripts/scan_secrets.py ./my-project

JSON output for programmatic use:

python3 scripts/scan_secrets.py \
  ./my-project \
  --json

Exclude patterns:

python3 scripts/scan_secrets.py \
  ./my-project \
  --exclude '.*test.*' '.*example.*' '.*SECURITY_AUDIT\.md'

Detected Secret Types

The scanner detects common credential patterns including:

Cloud Providers:

  • AWS Access Keys (AKIA...)
  • Cloudflare R2 Account IDs and Access Keys
  • Supabase Project URLs and Anon Keys

API Keys:

  • Stripe Keys (sk_live_..., pk_live_...)
  • OpenAI API Keys (sk-...)
  • Google Gemini API Keys (AIza...)
  • Generic API Keys

Authentication:

  • JWT Tokens (eyJ...)
  • OAuth Client Secrets
  • Private Keys (-----BEGIN PRIVATE KEY-----)
  • Turnstile Keys (0x...)

See references/common_secrets.md for complete list and patterns.

Handling Detected Secrets

When secrets are found:

Step 1: Review Findings

Examine each finding to verify it's a real credential (not a placeholder or example).

Step 2: Replace with Environment Variables

Before:

const SUPABASE_URL = "https://ghyttjckzmzdxumxcixe.supabase.co";
const API_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";

After:

const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL || "https://your-project-ref.supabase.co";
const API_KEY = import.meta.env.VITE_API_KEY || "your-api-key-here";

// Validation
if (!import.meta.env.VITE_SUPABASE_URL) {
  console.error("⚠️ Missing VITE_SUPABASE_URL environment variable");
}

Step 3: Create .env.example

# Example environment variables
VITE_SUPABASE_URL=https://your-project-ref.supabase.co
VITE_API_KEY=your-api-key-here

# Instructions:
# 1. Copy this file to .env
# 2. Replace placeholders with real values
# 3. Never commit .env to version control

Step 4: Verify Cleanup

Run scanner again to confirm secrets removed:

python3 scripts/scan_secrets.py ./my-project

Step 5: Safe Pack

Once clean, package safely:

python3 scripts/safe_pack.py ./my-project

Post-Exposure Actions

If credentials were already exposed (e.g., committed to git, shared publicly):

  1. Rotate credentials immediately - Generate new keys/tokens
  2. Revoke old credentials - Disable compromised credentials
  3. Audit usage - Check logs for unauthorized access
  4. Monitor - Set up alerts for unusual activity
  5. Update deployment - Deploy code with new credentials
  6. Document incident - Record what was exposed and actions taken

Common False Positives

The scanner skips common false positives:

Placeholders:

  • your-api-key, example-key, placeholder-value
  • <YOUR_API_KEY>, ${API_KEY}, TODO: add key

Test/Example files:

  • Files matching .*test.*, .*example.*, .*sample.*

Comments:

  • Lines starting with //, #, /*, *

Environment variable references (correct usage):

  • process.env.API_KEY
  • import.meta.env.VITE_API_KEY
  • Deno.env.get('API_KEY')

Use --exclude to skip additional patterns if needed.

Integration with Repomix

This skill works with standard repomix:

Default usage (no config):

python3 scripts/safe_pack.py ./project

With repomix config:

python3 scripts/safe_pack.py \
  ./project \
  --config repomix.config.json

Custom output location:

python3 scripts/safe_pack.py \
  ./project \
  --output ~/Downloads/package-clean.xml

The skill runs repomix internally after security validation, passing through config and output options.

Example Workflows

Workflow 1: Package a Clean Project

# Scan and pack in one command
python3 scripts/safe_pack.py \
  ~/workspace/my-project \
  --output ~/Downloads/my-project-package.xml

Workflow 2: Clean and Package a Project with Secrets

# Step 1: Scan to discover secrets
python3 scripts/scan_secrets.py ~/workspace/my-project

# Step 2: Review findings and replace credentials with env vars
# (Edit files manually or with automation)

# Step 3: Verify cleanup
python3 scripts/scan_secrets.py ~/workspace/my-project

# Step 4: Package safely
python3 scripts/safe_pack.py \
  ~/workspace/my-project \
  --output ~/Downloads/my-project-clean.xml

Workflow 3: Audit Before Commit

# Pre-commit hook: scan for secrets
python3 scripts/scan_secrets.py . --json

# Exit code 1 if secrets found (blocks commit)
# Exit code 0 if clean (allows commit)

Resources

References:

  • references/common_secrets.md - Complete credential pattern catalog

Scripts:

  • scripts/scan_secrets.py - Standalone security scanner
  • scripts/safe_pack.py - Complete scan → pack workflow

Related Skills:

  • repomix-unmixer - Extracts files from repomix packages
  • skill-creator - Creates new Claude Code skills

Security Note

This skill detects common patterns but may not catch all credential types. Always:

  • Review findings manually
  • Rotate exposed credentials
  • Use .env.example templates
  • Validate environment variables
  • Monitor for unauthorized access

Not a replacement for: Secret scanning in CI/CD, git history scanning, or comprehensive security audits.

ppt-creator

daymade

Create professional slide decks from topics or documents. Generates structured content with data-driven charts, speaker notes, and complete PPTX files. Applies persuasive storytelling principles (Pyramid Principle, assertion-evidence). Supports multiple formats (Marp, PowerPoint). Use for presentations, pitches, slide decks, or keynotes.

13088

macos-cleaner

daymade

Analyze and reclaim macOS disk space through intelligent cleanup recommendations. This skill should be used when users report disk space issues, need to clean up their Mac, or want to understand what's consuming storage. Focus on safe, interactive analysis with user confirmation before any deletions.

3418

qa-expert

daymade

This skill should be used when establishing comprehensive QA testing processes for any software project. Use when creating test strategies, writing test cases following Google Testing Standards, executing test plans, tracking bugs with P0-P4 classification, calculating quality metrics, or generating progress reports. Includes autonomous execution capability via master prompts and complete documentation templates for third-party QA team handoffs. Implements OWASP security testing and achieves 90% coverage targets.

2816

markdown-tools

daymade

Converts documents to markdown with multi-tool orchestration for best quality. Supports Quick Mode (fast, single tool) and Heavy Mode (best quality, multi-tool merge). Use when converting PDF/DOCX/PPTX files to markdown, extracting images from documents, validating conversion quality, or needing LLM-optimized document output.

4410

repomix-unmixer

daymade

Extracts files from repomix-packed repositories, restoring original directory structures from XML/Markdown/JSON formats. Activates when users need to unmix repomix files, extract packed repositories, restore file structures from repomix output, or reverse the repomix packing process.

246

teams-channel-post-writer

daymade

Creates educational Teams channel posts for internal knowledge sharing about Claude Code features, tools, and best practices. Applies when writing posts, announcements, or documentation to teach colleagues effective Claude Code usage, announce new features, share productivity tips, or document lessons learned. Provides templates, writing guidelines, and structured approaches emphasizing concrete examples, underlying principles, and connections to best practices like context engineering. Activates for content involving Teams posts, channel announcements, feature documentation, or tip sharing.

925

You might also like

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

2,8892,530

pdf-to-markdown

aliceisjustplaying

Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.

3,8201,662

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

2,1561,645

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

2,2691,469

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

2,4741,225

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

1,961969