How do I install repomix-safe-mixer?

Run `npx skills add https://github.com/daymade/claude-code-skills --skill repomix-safe-mixer` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does repomix-safe-mixer support?

repomix-safe-mixer works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is repomix-safe-mixer free to use?

Yes. repomix-safe-mixer is free to install and use. It is available from the open explainx.ai skill registry published by daymade.

Where can I read ratings and reviews for repomix-safe-mixer?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Productivity

repomix-safe-mixer▌

daymade/claude-code-skills · updated Apr 8, 2026

$npx skills add https://github.com/daymade/claude-code-skills --skill repomix-safe-mixer

0 commentsdiscussion

summary

Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.

skill.md

Repomix Safe Mixer

Overview

Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.

This skill prevents accidental credential exposure when packaging code with repomix. It scans for hardcoded secrets (API keys, database credentials, tokens), reports findings, and ensures safe packaging.

When to use: When packaging code with repomix for distribution, creating shareable reference packages, or whenever security concerns exist about hardcoded credentials in code.

Core Workflow

Standard Safe Packaging

Use safe_pack.py from this skill's scripts/ directory for the complete workflow: scan → report → pack.

python3 scripts/safe_pack.py <directory>

What it does:

Scans directory for hardcoded credentials
Reports findings with file/line details
Blocks packaging if secrets found
Packs with repomix only if scan is clean

Example:

python3 scripts/safe_pack.py ./my-project

Output if clean:

🔍 Scanning ./my-project for hardcoded secrets...
✅ No secrets detected!
📦 Packing ./my-project with repomix...
✅ Packaging complete!
   Package is safe to distribute.

Output if secrets found:

🔍 Scanning ./my-project for hardcoded secrets...
⚠️  Security Scan Found 3 Potential Secrets:

🔴 supabase_url: 1 instance(s)
   - src/client.ts:5
     Match: https://ghyttjckzmzdxumxcixe.supabase.co

❌ Cannot pack: Secrets detected!

Options

Custom output file:

python3 scripts/safe_pack.py \
  ./my-project \
  --output package.xml

With repomix config:

python3 scripts/safe_pack.py \
  ./my-project \
  --config repomix.config.json

Exclude patterns from scanning:

python3 scripts/safe_pack.py \
  ./my-project \
  --exclude '.*test.*' '.*\.example'

Force pack (dangerous, skip scan):

python3 scripts/safe_pack.py \
  ./my-project \
  --force  # ⚠️ NOT RECOMMENDED

Standalone Secret Scanning

Use scan_secrets.py from this skill's scripts/ directory for scanning only (without packing).

python3 scripts/scan_secrets.py <directory>

Use cases:

Verify cleanup after removing credentials
Pre-commit security checks
Audit existing codebases

Example:

python3 scripts/scan_secrets.py ./my-project

JSON output for programmatic use:

python3 scripts/scan_secrets.py \
  ./my-project \
  --json

Exclude patterns:

python3 scripts/scan_secrets.py \
  ./my-project \
  --exclude '.*test.*' '.*example.*' '.*SECURITY_AUDIT\.md'

Detected Secret Types

The scanner detects common credential patterns including:

Cloud Providers:

AWS Access Keys (AKIA...)
Cloudflare R2 Account IDs and Access Keys
Supabase Project URLs and Anon Keys

API Keys:

Stripe Keys (sk_live_..., pk_live_...)
OpenAI API Keys (sk-...)
Google Gemini API Keys (AIza...)
Generic API Keys

Authentication:

JWT Tokens (eyJ...)
OAuth Client Secrets
Private Keys (-----BEGIN PRIVATE KEY-----)
Turnstile Keys (0x...)

See references/common_secrets.md for complete list and patterns.

Handling Detected Secrets

When secrets are found:

Step 1: Review Findings

Examine each finding to verify it's a real credential (not a placeholder or example).

Step 2: Replace with Environment Variables

Before:

const SUPABASE_URL = "https://ghyttjckzmzdxumxcixe.supabase.co";
const API_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";

After:

const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL || "https://your-project-ref.supabase.co";
const API_KEY = import.meta.env.VITE_API_KEY || "your-api-key-here";

// Validation
if (!import.meta.env.VITE_SUPABASE_URL) {
  console.error("⚠️ Missing VITE_SUPABASE_URL environment variable");
}

Step 3: Create .env.example

# Example environment variables
VITE_SUPABASE_URL=https://your-project-ref.supabase.co
VITE_API_KEY=your-api-key-here

# Instructions:
# 1. Copy this file to .env
# 2. Replace placeholders with real values
# 3. Never commit .env to version control

Step 4: Verify Cleanup

Run scanner again to confirm secrets removed:

python3 scripts/scan_secrets.py ./my-project

Step 5: Safe Pack

Once clean, package safely:

python3 scripts/safe_pack.py ./my-project

Post-Exposure Actions

If credentials were already exposed (e.g., committed to git, shared publicly):

Rotate credentials immediately - Generate new keys/tokens
Revoke old credentials - Disable compromised credentials
Audit usage - Check logs for unauthorized access
Monitor - Set up alerts for unusual activity
Update deployment - Deploy code with new credentials
Document incident - Record what was exposed and actions taken

Common False Positives

The scanner skips common false positives:

Placeholders:

your-api-key, example-key, placeholder-value
<YOUR_API_KEY>, ${API_KEY}, TODO: add key

Test/Example files:

Files matching .*test.*, .*example.*, .*sample.*

Comments:

Lines starting with //, #, /*, *

Environment variable references (correct usage):

process.env.API_KEY
import.meta.env.VITE_API_KEY
Deno.env.get('API_KEY')

Use --exclude to skip additional patterns if needed.

Integration with Repomix

This skill works with standard repomix:

Default usage (no config):

python3 scripts/safe_pack.py ./project

With repomix config:

python3 scripts/safe_pack.py \
  ./project \
  --config repomix.config.json

Custom output location:

python3 scripts/safe_pack.py \
  ./project \
  --output ~/Downloads/package-clean.xml

The skill runs repomix internally after security validation, passing through config and output options.

Example Workflows

Workflow 1: Package a Clean Project

# Scan and pack in one command
python3 scripts/safe_pack.py \
  ~/workspace/my-project \
  --output ~/Downloads/my-project-package.xml

Workflow 2: Clean and Package a Project with Secrets

# Step 1: Scan to discover secrets
python3 scripts/scan_secrets.py ~/workspace/my-project

# Step 2: Review findings and replace credentials with env vars
# (Edit files manually or with automation)

# Step 3: Verify cleanup
python3 scripts/scan_secrets.py ~/workspace/my-project

# Step 4: Package safely
python3 scripts/safe_pack.py \
  ~/workspace/my-project \
  --output ~/Downloads/my-project-clean.xml

Workflow 3: Audit Before Commit

# Pre-commit hook: scan for secrets
python3 scripts/scan_secrets.py . --json

# Exit code 1 if secrets found (blocks commit)
# Exit code 0 if clean (allows commit)

Resources

References:

references/common_secrets.md - Complete credential pattern catalog

Scripts:

scripts/scan_secrets.py - Standalone security scanner
scripts/safe_pack.py - Complete scan → pack workflow

Related Skills:

repomix-unmixer - Extracts files from repomix packages
skill-creator - Creates new Claude Code skills

Security Note

This skill detects common patterns but may not catch all credential types. Always:

Review findings manually
Rotate exposed credentials
Use .env.example templates
Validate environment variables
Monitor for unauthorized access

Not a replacement for: Secret scanning in CI/CD, git history scanning, or comprehensive security audits.

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.5★★★★★64 reviews

★★★★★Hassan Iyer· Dec 28, 2024
repomix-safe-mixer has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Layla Gill· Dec 12, 2024
repomix-safe-mixer reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Chaitanya Patil· Dec 4, 2024
Keeps context tight: repomix-safe-mixer is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Piyush G· Nov 23, 2024
repomix-safe-mixer has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Aisha Flores· Nov 19, 2024
Keeps context tight: repomix-safe-mixer is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Isabella Anderson· Nov 15, 2024
repomix-safe-mixer fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
★★★★★Layla Bansal· Nov 3, 2024
I recommend repomix-safe-mixer for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Sakura Torres· Oct 22, 2024
Useful defaults in repomix-safe-mixer — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Shikha Mishra· Oct 14, 2024
Solid pick for teams standardizing on skills: repomix-safe-mixer is focused, and the summary matches what you get after install.
★★★★★Evelyn Verma· Oct 10, 2024
repomix-safe-mixer is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

showing 1-10 of 64

1 / 7