Skip to main content
Generalhashgraph-online

pii-scan

Scan content for PII and secrets before writing files, sending messages, or including sensitive data in responses. Use before and after any operation that handles potentially sensitive content.

Stars
336
Source
hashgraph-online/awesome-codex-plugins
Updated
2026-05-27
Slug
hashgraph-online--awesome-codex-plugins--pii-scan
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/hashgraph-online/awesome-codex-plugins/HEAD/plugins/getaxonflow/axonflow-codex-plugin/skills/pii-scan/SKILL.md -o .claude/skills/pii-scan.md

Drops the SKILL.md into .claude/skills/pii-scan.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Before writing files or after tool calls that produce data, call the check_output MCP tool to scan for PII and secrets:

  • connector_type: codex.Write (for file writes), codex.Bash (for command output), or the appropriate tool type
  • message: the text content to scan — for file writes, scan the content being written

Before file writes: If the content being written contains PII (SSN, credit card, email, phone, etc.), check_output will return a redacted_message. Write the redacted version instead of the original, or warn the user that the content contains sensitive data.

After tool output: If tool output contains PII, use the redacted_message version in your response instead of the original.

If the response shows allowed: false, do not write the file or include the output in your response.

Note: For Bash/exec_command tool calls, PII scanning is handled automatically by the PostToolUse hook. This skill covers Write, Edit, and other non-Bash operations where hooks cannot intercept.