repomix-safe-mixer

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Repomix Safe Mixer

Overview

概述

Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.

This skill prevents accidental credential exposure when packaging code with repomix. It scans for hardcoded secrets (API keys, database credentials, tokens), reports findings, and ensures safe packaging.

When to use: When packaging code with repomix for distribution, creating shareable reference packages, or whenever security concerns exist about hardcoded credentials in code.

使用repomix安全打包代码库，自动检测并移除硬编码凭据。

这个技能可防止使用repomix打包代码时意外泄露凭据。它会扫描硬编码的机密信息（API密钥、数据库凭据、令牌），报告检测结果，并确保安全打包。

适用场景：当使用repomix打包代码用于分发、创建可共享的参考包，或任何时候对代码中的硬编码凭据存在安全顾虑时。

Core Workflow

核心工作流程

Standard Safe Packaging

标准安全打包

Use

safe_pack.py

from this skill's

scripts/

directory for the complete workflow: scan → report → pack.

bash

python3 scripts/safe_pack.py <directory>

What it does:

Scans directory for hardcoded credentials
Reports findings with file/line details
Blocks packaging if secrets found
Packs with repomix only if scan is clean

Example:

bash

python3 scripts/safe_pack.py ./my-project

Output if clean:

🔍 Scanning ./my-project for hardcoded secrets...
✅ No secrets detected!
📦 Packing ./my-project with repomix...
✅ Packaging complete!
   Package is safe to distribute.

Output if secrets found:

🔍 Scanning ./my-project for hardcoded secrets...
⚠️  Security Scan Found 3 Potential Secrets:

🔴 supabase_url: 1 instance(s)
   - src/client.ts:5
     Match: https://ghyttjckzmzdxumxcixe.supabase.co

❌ Cannot pack: Secrets detected!

使用本技能

scripts/

目录下的

safe_pack.py

完成完整工作流程：扫描→报告→打包。

bash

python3 scripts/safe_pack.py <directory>

功能说明:

扫描目录中的硬编码凭据
报告包含文件/行详情的检测结果
若检测到机密信息则阻止打包
仅当扫描无异常时，才使用repomix进行打包

示例:

bash

python3 scripts/safe_pack.py ./my-project

扫描无异常时的输出:

🔍 正在扫描./my-project中的硬编码机密信息...
✅ 未检测到机密信息!
📦 正在使用repomix打包./my-project...
✅ 打包完成!
   包可安全分发。

检测到机密信息时的输出:

🔍 正在扫描./my-project中的硬编码机密信息...
⚠️ 安全扫描发现3个潜在机密信息:

🔴 supabase_url: 1处匹配
   - src/client.ts:5
     匹配内容: https://ghyttjckzmzdxumxcixe.supabase.co

❌ 无法打包: 检测到机密信息!

Options

可选参数

Custom output file:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --output package.xml

With repomix config:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --config repomix.config.json

Exclude patterns from scanning:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --exclude '.*test.*' '.*\.example'

Force pack (dangerous, skip scan):

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --force  # ⚠️ NOT RECOMMENDED

自定义输出文件:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --output package.xml

使用repomix配置文件:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --config repomix.config.json

排除扫描模式:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --exclude '.*test.*' '.*\.example'

强制打包（危险，跳过扫描）:

bash

python3 scripts/safe_pack.py \
  ./my-project \
  --force  # ⚠️ 不推荐

Standalone Secret Scanning

独立机密信息扫描

Use

scan_secrets.py

from this skill's

scripts/

directory for scanning only (without packing).

bash

python3 scripts/scan_secrets.py <directory>

Use cases:

Verify cleanup after removing credentials
Pre-commit security checks
Audit existing codebases

Example:

bash

python3 scripts/scan_secrets.py ./my-project

JSON output for programmatic use:

bash

python3 scripts/scan_secrets.py \
  ./my-project \
  --json

Exclude patterns:

bash

python3 scripts/scan_secrets.py \
  ./my-project \
  --exclude '.*test.*' '.*example.*' '.*SECURITY_AUDIT\.md'

使用本技能

scripts/

目录下的

scan_secrets.py

仅执行扫描操作（不打包）。

bash

python3 scripts/scan_secrets.py <directory>

适用场景:

验证移除凭据后的清理效果
提交前的安全检查
审计现有代码库

示例:

bash

python3 scripts/scan_secrets.py ./my-project

用于程序化调用的JSON格式输出:

bash

python3 scripts/scan_secrets.py \
  ./my-project \
  --json

排除模式:

bash

python3 scripts/scan_secrets.py \
  ./my-project \
  --exclude '.*test.*' '.*example.*' '.*SECURITY_AUDIT\.md'

Detected Secret Types

可检测的机密信息类型

The scanner detects common credential patterns including:

Cloud Providers:

AWS Access Keys (
```
AKIA...
```
)
Cloudflare R2 Account IDs and Access Keys
Supabase Project URLs and Anon Keys

API Keys:

Stripe Keys (
```
sk_live_...
```
,
```
pk_live_...
```
)
OpenAI API Keys (
```
sk-...
```
)
Google Gemini API Keys (
```
AIza...
```
)
Generic API Keys

Authentication:

JWT Tokens (
```
eyJ...
```
)
OAuth Client Secrets
Private Keys (
```
-----BEGIN PRIVATE KEY-----
```
)
Turnstile Keys (
```
0x...
```
)

See

references/common_secrets.md

for complete list and patterns.

扫描器可检测常见的凭据模式，包括:

云服务商:

AWS访问密钥 (
```
AKIA...
```
)
Cloudflare R2账户ID和访问密钥
Supabase项目URL和匿名密钥

API密钥:

Stripe密钥 (
```
sk_live_...
```
,
```
pk_live_...
```
)
OpenAI API密钥 (
```
sk-...
```
)
Google Gemini API密钥 (
```
AIza...
```
)
通用API密钥

认证信息:

JWT令牌 (
```
eyJ...
```
)
OAuth客户端机密
私钥 (
```
-----BEGIN PRIVATE KEY-----
```
)
Turnstile密钥 (
```
0x...
```
)

完整列表和模式请查看

references/common_secrets.md

。

Handling Detected Secrets

处理检测到的机密信息

When secrets are found:

当发现机密信息时:

Step 1: Review Findings

步骤1: 检查检测结果

Examine each finding to verify it's a real credential (not a placeholder or example).

逐一检查每个检测结果，确认是否为真实凭据（而非占位符或示例）。

Step 2: Replace with Environment Variables

步骤2: 替换为环境变量

Before:

javascript

const SUPABASE_URL = "https://ghyttjckzmzdxumxcixe.supabase.co";
const API_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";

After:

javascript

const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL || "https://your-project-ref.supabase.co";
const API_KEY = import.meta.env.VITE_API_KEY || "your-api-key-here";

// Validation
if (!import.meta.env.VITE_SUPABASE_URL) {
  console.error("⚠️ Missing VITE_SUPABASE_URL environment variable");
}

替换前:

javascript

const SUPABASE_URL = "https://ghyttjckzmzdxumxcixe.supabase.co";
const API_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";

替换后:

javascript

const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL || "https://your-project-ref.supabase.co";
const API_KEY = import.meta.env.VITE_API_KEY || "your-api-key-here";

// 验证
if (!import.meta.env.VITE_SUPABASE_URL) {
  console.error("⚠️ 缺少VITE_SUPABASE_URL环境变量");
}

Step 3: Create .env.example

步骤3: 创建.env.example文件

bash

undefined

bash

undefined

Example environment variables

示例环境变量

VITE_SUPABASE_URL=https://your-project-ref.supabase.co VITE_API_KEY=your-api-key-here

Instructions:

说明:

1. Copy this file to .env

1. 将此文件复制为.env

2. Replace placeholders with real values

2. 将占位符替换为真实值

3. Never commit .env to version control

3. 切勿将.env提交到版本控制系统

undefined

undefined

Step 4: Verify Cleanup

步骤4: 验证清理效果

Run scanner again to confirm secrets removed:

bash

python3 scripts/scan_secrets.py ./my-project

再次运行扫描器确认机密信息已移除:

bash

python3 scripts/scan_secrets.py ./my-project

Step 5: Safe Pack

步骤5: 安全打包

Once clean, package safely:

bash

python3 scripts/safe_pack.py ./my-project

确认无异常后，进行安全打包:

bash

python3 scripts/safe_pack.py ./my-project

Post-Exposure Actions

凭据泄露后的处理措施

If credentials were already exposed (e.g., committed to git, shared publicly):

Rotate credentials immediately - Generate new keys/tokens
Revoke old credentials - Disable compromised credentials
Audit usage - Check logs for unauthorized access
Monitor - Set up alerts for unusual activity
Update deployment - Deploy code with new credentials
Document incident - Record what was exposed and actions taken

如果凭据已泄露（例如提交到git、公开共享）:

立即轮换凭据 - 生成新的密钥/令牌
吊销旧凭据 - 禁用已泄露的凭据
审计使用情况 - 检查日志是否存在未授权访问
监控 - 设置异常活动警报
更新部署 - 使用新凭据部署代码
记录事件 - 记录泄露内容和采取的措施

Common False Positives

常见误报

The scanner skips common false positives:

Placeholders:

your-api-key

example-key

placeholder-value

```
<YOUR_API_KEY>
```
,
```
${API_KEY}
```
,
```
TODO: add key
```

Test/Example files:

Files matching
```
.*test.*
```
,
```
.*example.*
```
,
```
.*sample.*
```

Comments:

Lines starting with
```
//
```
,
```
#
```
,
```
/*
```
,
```
*
```

Environment variable references (correct usage):

```
process.env.API_KEY
```
```
import.meta.env.VITE_API_KEY
```
```
Deno.env.get('API_KEY')
```

Use

--exclude

to skip additional patterns if needed.

扫描器会跳过常见的误报情况:

占位符:

your-api-key

example-key

placeholder-value

```
<YOUR_API_KEY>
```
,
```
${API_KEY}
```
,
```
TODO: add key
```

测试/示例文件:

匹配
```
.*test.*
```
,
```
.*example.*
```
,
```
.*sample.*
```
的文件

注释:

以
```
//
```
,
```
#
```
,
```
/*
```
,
```
*
```
开头的行

环境变量引用（正确用法）:

```
process.env.API_KEY
```
```
import.meta.env.VITE_API_KEY
```
```
Deno.env.get('API_KEY')
```

如有需要，可使用

--exclude

参数跳过其他模式。

Integration with Repomix

与Repomix的集成

This skill works with standard repomix:

Default usage (no config):

bash

python3 scripts/safe_pack.py ./project

With repomix config:

bash

python3 scripts/safe_pack.py \
  ./project \
  --config repomix.config.json

Custom output location:

bash

python3 scripts/safe_pack.py \
  ./project \
  --output ~/Downloads/package-clean.xml

The skill runs repomix internally after security validation, passing through config and output options.

本技能可与标准repomix配合使用:

默认用法（无配置文件）:

bash

python3 scripts/safe_pack.py ./project

使用repomix配置文件:

bash

python3 scripts/safe_pack.py \
  ./project \
  --config repomix.config.json

自定义输出位置:

bash

python3 scripts/safe_pack.py \
  ./project \
  --output ~/Downloads/package-clean.xml

本技能会在安全验证通过后内部调用repomix，并传递配置文件和输出选项。

Example Workflows

示例工作流

Workflow 1: Package a Clean Project

工作流1: 打包无风险项目

bash

undefined

bash

undefined

Scan and pack in one command

一键完成扫描和打包

python3 scripts/safe_pack.py
~/workspace/my-project
--output ~/Downloads/my-project-package.xml

undefined

python3 scripts/safe_pack.py
~/workspace/my-project
--output ~/Downloads/my-project-package.xml

undefined

Workflow 2: Clean and Package a Project with Secrets

工作流2: 清理并打包存在机密信息的项目

bash

undefined

bash

undefined

Step 1: Scan to discover secrets

步骤1: 扫描以发现机密信息

python3 scripts/scan_secrets.py ~/workspace/my-project

Step 2: Review findings and replace credentials with env vars

步骤2: 检查检测结果，将凭据替换为环境变量

(Edit files manually or with automation)

(手动编辑文件或使用自动化工具)

Step 3: Verify cleanup

步骤3: 验证清理效果

python3 scripts/scan_secrets.py ~/workspace/my-project

Step 4: Package safely

步骤4: 安全打包

python3 scripts/safe_pack.py
~/workspace/my-project
--output ~/Downloads/my-project-clean.xml

undefined

python3 scripts/safe_pack.py
~/workspace/my-project
--output ~/Downloads/my-project-clean.xml

undefined

Workflow 3: Audit Before Commit

工作流3: 提交前审计

bash

undefined

bash

undefined

Pre-commit hook: scan for secrets

预提交钩子: 扫描机密信息

python3 scripts/scan_secrets.py . --json

Exit code 1 if secrets found (blocks commit)

若检测到机密信息则返回退出码1（阻止提交）

Exit code 0 if clean (allows commit)

若无异常则返回退出码0（允许提交）

undefined

undefined

Resources

资源

References:

```
references/common_secrets.md
```
- Complete credential pattern catalog

Scripts:

```
scripts/scan_secrets.py
```
- Standalone security scanner
```
scripts/safe_pack.py
```
- Complete scan → pack workflow

Related Skills:

```
repomix-unmixer
```
- Extracts files from repomix packages
```
skill-creator
```
- Creates new Claude Code skills

参考文档:

```
references/common_secrets.md
```
- 完整的凭据模式目录

脚本:

```
scripts/scan_secrets.py
```
- 独立安全扫描器
```
scripts/safe_pack.py
```
- 完整的扫描→打包工作流

相关技能:

```
repomix-unmixer
```
- 从repomix包中提取文件
```
skill-creator
```
- 创建新的Claude Code技能

Security Note

安全说明

This skill detects common patterns but may not catch all credential types. Always:

Review findings manually
Rotate exposed credentials
Use .env.example templates
Validate environment variables
Monitor for unauthorized access

Not a replacement for: Secret scanning in CI/CD, git history scanning, or comprehensive security audits.

本技能可检测常见模式，但可能无法覆盖所有凭据类型。请始终:

手动检查检测结果
轮换已泄露的凭据
使用.env.example模板
验证环境变量
监控未授权访问

不能替代：CI/CD中的机密扫描、git历史扫描或全面安全审计。