11---
22name : privacy-mask
33description : >-
4- Mask and redact sensitive information (PII) in screenshots and images —
5- phone numbers, emails, IDs, API keys, crypto wallets, credit cards,
6- passwords, and more. Uses OCR (Tesseract + RapidOCR) with 47 regex rules
7- and optional NER (GLiNER) to detect private data and applies blur/fill
8- redaction overlays. All processing runs locally and offline — no data
9- leaves your machine.
4+ Mask, redact, anonymize and censor sensitive information (PII) in
5+ screenshots and images — phone numbers, emails, IDs, API keys, crypto
6+ wallets, credit cards, passwords, and more. Uses OCR (Tesseract +
7+ RapidOCR) with 47 regex rules and optional NER (GLiNER) to detect private
8+ data and applies blur/fill redaction overlays. Supports GDPR and
9+ compliance workflows, secret detection, and data loss prevention (DLP).
10+ All processing runs 100% locally and offline — no data leaves your machine.
1011version : 0.3.3
1112license : MIT
1213compatibility : Requires tesseract OCR, Python 3.10+, and pre-installed privacy-mask CLI.
@@ -33,6 +34,15 @@ metadata:
3334 as input, with _masked suffix, or user-specified path).
3435 scope : local
3536 optional : false
37+ hooks :
38+ - event : UserPromptSubmit
39+ description : >-
40+ Intercepts images in Claude's local image cache and applies
41+ privacy masking (blur/fill redaction) in-place before they are
42+ sent to the API. Runs entirely locally with no network calls.
43+ Requires the privacy-mask CLI to be installed.
44+ command : scripts/mask-images.sh
45+ timeout : 30000
3646---
3747
3848# Privacy Mask
@@ -42,22 +52,30 @@ Detect and mask sensitive information in images locally before they leave your m
4252## Prerequisites
4353
4454This skill requires the ` privacy-mask ` CLI to be pre-installed on the system.
45- If it is not available, inform the user that they need to install it first.
55+ If it is not available, inform the user that they need to install it first:
56+
57+ 1 . Install via pip: ` pip install privacy-mask `
58+ 2 . Ensure Tesseract OCR is installed: ` brew install tesseract ` (macOS) or ` apt install tesseract-ocr ` (Linux)
59+ 3 . Verify installation: ` privacy-mask --version `
60+ 4 . (Optional) Install NER support: ` pip install privacy-mask[ner] `
4661
4762## When to use
4863
49- - User sends a screenshot that may contain private data
50- - User mentions privacy, masking, or redacting
64+ - User sends a screenshot or image file ( ` .png ` , ` .jpg ` , ` .jpeg ` , ` .bmp ` , ` .tiff ` ) that may contain private data
65+ - User mentions privacy, masking, redacting, or anonymizing
5166- You need to analyze an image but want to redact sensitive info first
67+ - IF the user shares a screenshot for debugging, THEN run ` privacy-mask mask <path> --dry-run ` first to check for PII
68+ - IF detections are found, THEN mask the image before proceeding with analysis
5269
5370## Usage
5471
5572Mask an image:
5673``` bash
57- privacy-mask mask < image_path>
58- privacy-mask mask < image_path> --in-place
59- privacy-mask mask < image_path> --dry-run # detect only
60- privacy-mask mask < image_path> --detection-engine regex # use regex instead of NER
74+ privacy-mask mask /path/to/screenshot.png
75+ privacy-mask mask /path/to/screenshot.png --in-place
76+ privacy-mask mask /path/to/screenshot.png --dry-run # detect only, no masking
77+ privacy-mask mask /path/to/screenshot.png --detection-engine regex # regex only, skip NER
78+ privacy-mask mask /path/to/screenshot.png --config /path/to/custom-config.json
6179```
6280
6381Output is JSON:
@@ -69,6 +87,14 @@ Output is JSON:
6987}
7088```
7189
90+ ### Example workflow
91+
92+ 1 . User provides a screenshot: ` ~/Desktop/error-screenshot.png `
93+ 2 . Run detection: ` privacy-mask mask ~/Desktop/error-screenshot.png --dry-run `
94+ 3 . IF detections found, mask the image: ` privacy-mask mask ~/Desktop/error-screenshot.png `
95+ 4 . The masked output is saved as ` ~/Desktop/error-screenshot_masked.png `
96+ 5 . Use the masked image for further analysis
97+
7298## What it detects
7399
74100- ** IDs** : Chinese ID card, passport, HK/TW ID, US SSN, UK NINO, Canadian SIN, Indian Aadhaar/PAN, Korean RRN, Singapore NRIC, Malaysian IC
@@ -79,6 +105,20 @@ Output is JSON:
79105- ** Other** : Email, birthday, IP/IPv6, MAC, UUID, license plate, MRZ, URL auth tokens
80106- ** NER** (optional): Person names, street addresses, organizations, dates of birth, medical conditions
81107
108+ ## Constraints
109+
110+ - Do NOT send unmasked images to any external API or cloud service
111+ - Do NOT skip masking when detections are found — always mask before sharing
112+ - Do NOT modify the original image unless ` --in-place ` is explicitly requested
113+ - Avoid running on very large images (>10MB) without warning the user about processing time
114+
115+ ## Anti-patterns
116+
117+ - ** Don't assume images are safe** — always run detection even if the image "looks clean"
118+ - ** Don't use ` --in-place ` by default** — preserve the original unless the user asks otherwise
119+ - ** Don't ignore dry-run results** — if ` --dry-run ` finds PII, the image must be masked before use
120+ - ** Don't hardcode config paths** — use the bundled default or let the user specify ` --config `
121+
82122## Important
83123
84124- All processing is ** local and offline** — no data leaves the machine
0 commit comments