Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionrepomix-safe-mixerExecute the skills CLI command in your project's root directory to begin installation:
Fetches repomix-safe-mixer from daymade/claude-code-skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate repomix-safe-mixer. Access via /repomix-safe-mixer in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
1
total installs
1
this week
784
GitHub stars
0
upvotes
Run in your terminal
1
installs
1
this week
784
stars
Safely package codebases with repomix by automatically detecting and removing hardcoded credentials.
This skill prevents accidental credential exposure when packaging code with repomix. It scans for hardcoded secrets (API keys, database credentials, tokens), reports findings, and ensures safe packaging.
When to use: When packaging code with repomix for distribution, creating shareable reference packages, or whenever security concerns exist about hardcoded credentials in code.
Use safe_pack.py from this skill's scripts/ directory for the complete workflow: scan → report → pack.
python3 scripts/safe_pack.py <directory>
What it does:
Example:
python3 scripts/safe_pack.py ./my-project
Output if clean:
🔍 Scanning ./my-project for hardcoded secrets...
✅ No secrets detected!
📦 Packing ./my-project with repomix...
✅ Packaging complete!
Package is safe to distribute.
Output if secrets found:
🔍 Scanning ./my-project for hardcoded secrets...
⚠️ Security Scan Found 3 Potential Secrets:
🔴 supabase_url: 1 instance(s)
- src/client.ts:5
Match: https://ghyttjckzmzdxumxcixe.supabase.co
❌ Cannot pack: Secrets detected!
Custom output file:
python3 scripts/safe_pack.py \
./my-project \
--output package.xml
With repomix config:
python3 scripts/safe_pack.py \
./my-project \
--config repomix.config.json
Exclude patterns from scanning:
python3 scripts/safe_pack.py \
./my-project \
--exclude '.*test.*' '.*\.example'
Force pack (dangerous, skip scan):
python3 scripts/safe_pack.py \
./my-project \
--force # ⚠️ NOT RECOMMENDED
Use scan_secrets.py from this skill's scripts/ directory for scanning only (without packing).
python3 scripts/scan_secrets.py <directory>
Use cases:
Example:
python3 scripts/scan_secrets.py ./my-project
JSON output for programmatic use:
python3 scripts/scan_secrets.py \
./my-project \
--json
Exclude patterns:
python3 scripts/scan_secrets.py \
./my-project \
--exclude '.*test.*' '.*example.*' '.*SECURITY_AUDIT\.md'
The scanner detects common credential patterns including:
Cloud Providers:
AKIA...)API Keys:
sk_live_..., pk_live_...)sk-...)AIza...)Authentication:
eyJ...)-----BEGIN PRIVATE KEY-----)0x...)See references/common_secrets.md for complete list and patterns.
When secrets are found:
Examine each finding to verify it's a real credential (not a placeholder or example).
Before:
const SUPABASE_URL = "https://ghyttjckzmzdxumxcixe.supabase.co";
const API_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
After:
const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL || "https://your-project-ref.supabase.co";
const API_KEY = import.meta.env.VITE_API_KEY || "your-api-key-here";
// Validation
if (!import.meta.env.VITE_SUPABASE_URL) {
console.error("⚠️ Missing VITE_SUPABASE_URL environment variable");
}
# Example environment variables
VITE_SUPABASE_URL=https://your-project-ref.supabase.co
VITE_API_KEY=your-api-key-here
# Instructions:
# 1. Copy this file to .env
# 2. Replace placeholders with real values
# 3. Never commit .env to version control
Run scanner again to confirm secrets removed:
python3 scripts/scan_secrets.py ./my-project
Once clean, package safely:
python3 scripts/safe_pack.py ./my-project
If credentials were already exposed (e.g., committed to git, shared publicly):
The scanner skips common false positives:
Placeholders:
your-api-key, example-key, placeholder-value<YOUR_API_KEY>, ${API_KEY}, TODO: add keyTest/Example files:
.*test.*, .*example.*, .*sample.*Comments:
//, #, /*, *Environment variable references (correct usage):
process.env.API_KEYimport.meta.env.VITE_API_KEYDeno.env.get('API_KEY')Use --exclude to skip additional patterns if needed.
This skill works with standard repomix:
Default usage (no config):
python3 scripts/safe_pack.py ./project
With repomix config:
python3 scripts/safe_pack.py \
./project \
--config repomix.config.json
Custom output location:
python3 scripts/safe_pack.py \
./project \
--output ~/Downloads/package-clean.xml
The skill runs repomix internally after security validation, passing through config and output options.
# Scan and pack in one command
python3 scripts/safe_pack.py \
~/workspace/my-project \
--output ~/Downloads/my-project-package.xml
# Step 1: Scan to discover secrets
python3 scripts/scan_secrets.py ~/workspace/my-project
# Step 2: Review findings and replace credentials with env vars
# (Edit files manually or with automation)
# Step 3: Verify cleanup
python3 scripts/scan_secrets.py ~/workspace/my-project
# Step 4: Package safely
python3 scripts/safe_pack.py \
~/workspace/my-project \
--output ~/Downloads/my-project-clean.xml
# Pre-commit hook: scan for secrets
python3 scripts/scan_secrets.py . --json
# Exit code 1 if secrets found (blocks commit)
# Exit code 0 if clean (allows commit)
References:
references/common_secrets.md - Complete credential pattern catalogScripts:
scripts/scan_secrets.py - Standalone security scannerscripts/safe_pack.py - Complete scan → pack workflowRelated Skills:
repomix-unmixer - Extracts files from repomix packagesskill-creator - Creates new Claude Code skillsThis skill detects common patterns but may not catch all credential types. Always:
Not a replacement for: Secret scanning in CI/CD, git history scanning, or comprehensive security audits.
Make data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
mattpocock/skills
parcadei/continuous-claude-v3
cursor/plugins
ailabs-393/ai-labs-claude-skills
pproenca/dot-skills
mattpocock/skills
repomix-safe-mixer has been reliable in day-to-day use. Documentation quality is above average for community skills.
repomix-safe-mixer reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: repomix-safe-mixer is the kind of skill you can hand to a new teammate without a long onboarding doc.
repomix-safe-mixer has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: repomix-safe-mixer is the kind of skill you can hand to a new teammate without a long onboarding doc.
repomix-safe-mixer fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
I recommend repomix-safe-mixer for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Useful defaults in repomix-safe-mixer — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: repomix-safe-mixer is focused, and the summary matches what you get after install.
repomix-safe-mixer is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 64