{"id":"a8705e31-98d3-46f4-a71a-875838ee90b3","shortId":"xPP4wv","kind":"skill","title":"secrets-logging-privacy-audit","tagline":"Use this skill to audit secrets, PII, logs, traces, metrics, debug endpoints, and error responses. Do not use it for general performance review.","description":"# secrets-logging-privacy-audit\n\n## English\n\n### Purpose\n\nAudit secrets, logging, privacy, and telemetry risk.\n\n### Workflow\n\n1. Identify sensitive data.\n2. Trace logging/error/metrics/tracing paths.\n3. Check redaction and access control.\n4. Review debug endpoints and artifacts.\n5. Output findings and redaction tests.\n\n### Safety rules\n\nDo not print secrets. Do not store sensitive data in reports.\n\n\n### Canonical finding format\n\n```yaml\nid: F-001\nseverity: Critical | High | Medium | Low | Informational\nconfidence: High | Medium | Low\ncategory:\naffected_code:\nroot_cause:\nexploit_path:\npreconditions:\nimpact:\nevidence:\nminimal_fix:\nregression_test:\nauto_fix_suitability: Safe | Needs Human Review | Do Not Auto-Fix\nnotes:\n```\n\n### v0.6 operational guardrails\n\n- Keep the skill within its stated trigger conditions and the user's explicitly provided scope.\n- Preserve project safety boundaries: audit-only by default; Do not execute exploits, Do not auto-merge, Do not upload private source code or secrets, and do not scan unrelated repositories without explicit user request.\n- Ask for explicit human approval before patching high-risk auth, IAM, governance, funds, terminal, or agent-tooling behavior.\n- Report validation performed, files changed, residual risk, and any skipped future-phase work when finished.\n\n## Chinese\n\n### Purpose\n\nUse this skill to audit secrets, logging, and privacy. It should help the reviewer organize input boundaries, risk evidence, impact, remediation recommendations, and regression tests into security output that can be independently verified.\n\n### Trigger conditions\n\nApplies to redaction risks in secrets, PII, logs, traces, metrics, debug endpoints, error responses, and artifacts. If a request falls outside these boundaries, first explain the scope difference, then choose a more suitable prompt, skill, or human review path.\n\n### When not to use\n\nDo not use it for general performance review, review of UI copy with no sensitive data path, or legal privacy opinions. Do not treat this skill as permission to automatically scan the whole repository, execute exploits, upload private source code or secrets, auto-commit, auto-push, or auto-merge.\n\n### Procedure\n\n1. Clarify the goal the user has given, the material that may be viewed, and the scope that must not be touched.\n2. Gather the necessary context, but read only the files, diffs, workflows, fixtures, or documents needed to complete the task.\n3. Identify trust boundaries, privileged operations, sensitive data, preconditions, and security impact.\n4. Report only findings that have evidence; when context is missing, write a question or an assumption.\n5. For confirmed issues, propose a minimal fix and plan tests for redaction, keeping PII out of logs, debug endpoint authorization, and error responses that do not leak internal information.\n6. When finished, report the validation output, residual risk, and items that need human confirmation.\n\n### Safety rules\n\nAudit-only by default. Without explicit authorization, do not patch, commit, push, create a PR, or merge. Do not execute exploits, do not access production systems, and do not print secrets. Fixes involving IAM, the authz model, funds, governance, terminal execution, or agent-tooling permissions must go through human review.\n\n### Output requirements\n\nUse the canonical finding format. Every finding must include severity, confidence, category, affected_code, root_cause, exploit_path, preconditions, impact, evidence, minimal_fix, regression_test, auto_fix_suitability, and notes.",
"tags":["secrets","logging","privacy","audit","security","playbook","edmund-xl","agent-skills","chatgpt","codex","devsecops","mcp"],"capabilities":["skill","source-edmund-xl","skill-secrets-logging-privacy-audit","topic-agent-skills","topic-audit","topic-chatgpt","topic-codex","topic-devsecops","topic-mcp","topic-security","topic-smart-contracts"],"categories":["ai-security-audit-playbook"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/edmund-xl/ai-security-audit-playbook/secrets-logging-privacy-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add edmund-xl/ai-security-audit-playbook","source_repo":"https://github.com/edmund-xl/ai-security-audit-playbook","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 7 github stars · SKILL.md body (2,433 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:44.186Z","embedding":null,"createdAt":"2026-05-18T13:21:29.778Z","updatedAt":"2026-05-18T19:13:44.186Z","lastSeenAt":"2026-05-18T19:13:44.186Z",
"prices":[{"id":"90dd49c1-541e-43d2-b380-5db79534e1b7","listingId":"a8705e31-98d3-46f4-a71a-875838ee90b3","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"edmund-xl","category":"ai-security-audit-playbook","install_from":"skills.sh"},"createdAt":"2026-05-18T13:21:29.778Z"}],"sources":[{"listingId":"a8705e31-98d3-46f4-a71a-875838ee90b3","source":"github","sourceId":"edmund-xl/ai-security-audit-playbook/secrets-logging-privacy-audit","sourceUrl":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/secrets-logging-privacy-audit","isPrimary":false,"firstSeenAt":"2026-05-18T13:21:29.778Z","lastSeenAt":"2026-05-18T19:13:44.186Z"}],"details":{"listingId":"a8705e31-98d3-46f4-a71a-875838ee90b3","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"edmund-xl","slug":"secrets-logging-privacy-audit","github":{"repo":"edmund-xl/ai-security-audit-playbook","stars":7,"topics":["agent-skills","audit","chatgpt","codex","devsecops","mcp","security","smart-contracts"],"license":"mit","html_url":"https://github.com/edmund-xl/ai-security-audit-playbook","pushed_at":"2026-05-13T02:30:26Z","description":"Local-first, audit-only security review playbook for AI coding agents: prompts, skills, read-only MCP, findings, and regression tests.","skill_md_sha":"a28f384fab00cad448638b6c2829cc0643b2cba1","skill_md_path":"skills/secrets-logging-privacy-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/secrets-logging-privacy-audit"},"layout":"multi","source":"github","category":"ai-security-audit-playbook","frontmatter":{"name":"secrets-logging-privacy-audit","description":"Use this skill to audit secrets, PII, logs, traces, metrics, 
debug endpoints, and error responses. Do not use it for general performance review."},"skills_sh_url":"https://skills.sh/edmund-xl/ai-security-audit-playbook/secrets-logging-privacy-audit"},"updatedAt":"2026-05-18T19:13:44.186Z"}}