Skip to content

Commit 18beb3c

Browse files
haowu77claude
andcommitted
Improve discoverability: sync versions, expand keywords, boost SkillsMP score to A+
- Sync pyproject.toml and __init__.py to v0.3.3 - Expand PyPI keywords from 5 to 19 terms - Add PyPI classifiers (Image Recognition, Console) - Enhance root SKILL.md: add vector-search synonyms (anonymize, GDPR, DLP), numbered steps, conditional logic, constraints, anti-patterns section - Sync skills/privacy-mask/SKILL.md: add permissions, openclaw metadata, richer description, constraints section - Add references/ directory for supporting documentation - Declare hooks in SKILL.md metadata (auto-added by linter) - SkillsMP quality score: C (62/100) → A+ (90/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 48416ea commit 18beb3c

6 files changed

Lines changed: 127 additions & 32 deletions

File tree

.clawhubignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
11
# Only publish SKILL.md + essential docs, exclude everything else
2+
.claude/
23
hooks/
34
scripts/
45
tests/

SKILL.md

Lines changed: 53 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,13 @@
11
---
22
name: privacy-mask
33
description: >-
4-
Mask and redact sensitive information (PII) in screenshots and images —
5-
phone numbers, emails, IDs, API keys, crypto wallets, credit cards,
6-
passwords, and more. Uses OCR (Tesseract + RapidOCR) with 47 regex rules
7-
and optional NER (GLiNER) to detect private data and applies blur/fill
8-
redaction overlays. All processing runs locally and offline — no data
9-
leaves your machine.
4+
Mask, redact, anonymize and censor sensitive information (PII) in
5+
screenshots and images — phone numbers, emails, IDs, API keys, crypto
6+
wallets, credit cards, passwords, and more. Uses OCR (Tesseract +
7+
RapidOCR) with 47 regex rules and optional NER (GLiNER) to detect private
8+
data and applies blur/fill redaction overlays. Supports GDPR and
9+
compliance workflows, secret detection, and data loss prevention (DLP).
10+
All processing runs 100% locally and offline — no data leaves your machine.
1011
version: 0.3.3
1112
license: MIT
1213
compatibility: Requires tesseract OCR, Python 3.10+, and pre-installed privacy-mask CLI.
@@ -33,6 +34,15 @@ metadata:
3334
as input, with _masked suffix, or user-specified path).
3435
scope: local
3536
optional: false
37+
hooks:
38+
- event: UserPromptSubmit
39+
description: >-
40+
Intercepts images in Claude's local image cache and applies
41+
privacy masking (blur/fill redaction) in-place before they are
42+
sent to the API. Runs entirely locally with no network calls.
43+
Requires the privacy-mask CLI to be installed.
44+
command: scripts/mask-images.sh
45+
timeout: 30000
3646
---
3747

3848
# Privacy Mask
@@ -42,22 +52,30 @@ Detect and mask sensitive information in images locally before they leave your m
4252
## Prerequisites
4353

4454
This skill requires the `privacy-mask` CLI to be pre-installed on the system.
45-
If it is not available, inform the user that they need to install it first.
55+
If it is not available, inform the user that they need to install it first:
56+
57+
1. Install via pip: `pip install privacy-mask`
58+
2. Ensure Tesseract OCR is installed: `brew install tesseract` (macOS) or `apt install tesseract-ocr` (Linux)
59+
3. Verify installation: `privacy-mask --version`
60+
4. (Optional) Install NER support: `pip install privacy-mask[ner]`
4661

4762
## When to use
4863

49-
- User sends a screenshot that may contain private data
50-
- User mentions privacy, masking, or redacting
64+
- User sends a screenshot or image file (`.png`, `.jpg`, `.jpeg`, `.bmp`, `.tiff`) that may contain private data
65+
- User mentions privacy, masking, redacting, or anonymizing
5166
- You need to analyze an image but want to redact sensitive info first
67+
- IF the user shares a screenshot for debugging, THEN run `privacy-mask mask <path> --dry-run` first to check for PII
68+
- IF detections are found, THEN mask the image before proceeding with analysis
5269

5370
## Usage
5471

5572
Mask an image:
5673
```bash
57-
privacy-mask mask <image_path>
58-
privacy-mask mask <image_path> --in-place
59-
privacy-mask mask <image_path> --dry-run # detect only
60-
privacy-mask mask <image_path> --detection-engine regex # use regex instead of NER
74+
privacy-mask mask /path/to/screenshot.png
75+
privacy-mask mask /path/to/screenshot.png --in-place
76+
privacy-mask mask /path/to/screenshot.png --dry-run # detect only, no masking
77+
privacy-mask mask /path/to/screenshot.png --detection-engine regex # regex only, skip NER
78+
privacy-mask mask /path/to/screenshot.png --config /path/to/custom-config.json
6179
```
6280

6381
Output is JSON:
@@ -69,6 +87,14 @@ Output is JSON:
6987
}
7088
```
7189

90+
### Example workflow
91+
92+
1. User provides a screenshot: `~/Desktop/error-screenshot.png`
93+
2. Run detection: `privacy-mask mask ~/Desktop/error-screenshot.png --dry-run`
94+
3. IF detections found, mask the image: `privacy-mask mask ~/Desktop/error-screenshot.png`
95+
4. The masked output is saved as `~/Desktop/error-screenshot_masked.png`
96+
5. Use the masked image for further analysis
97+
7298
## What it detects
7399

74100
- **IDs**: Chinese ID card, passport, HK/TW ID, US SSN, UK NINO, Canadian SIN, Indian Aadhaar/PAN, Korean RRN, Singapore NRIC, Malaysian IC
@@ -79,6 +105,20 @@ Output is JSON:
79105
- **Other**: Email, birthday, IP/IPv6, MAC, UUID, license plate, MRZ, URL auth tokens
80106
- **NER** (optional): Person names, street addresses, organizations, dates of birth, medical conditions
81107

108+
## Constraints
109+
110+
- Do NOT send unmasked images to any external API or cloud service
111+
- Do NOT skip masking when detections are found — always mask before sharing
112+
- Do NOT modify the original image unless `--in-place` is explicitly requested
113+
- Avoid running on very large images (>10MB) without warning the user about processing time
114+
115+
## Anti-patterns
116+
117+
- **Don't assume images are safe** — always run detection even if the image "looks clean"
118+
- **Don't use `--in-place` by default** — preserve the original unless the user asks otherwise
119+
- **Don't ignore dry-run results** — if `--dry-run` finds PII, the image must be masked before use
120+
- **Don't hardcode config paths** — use the bundled default or let the user specify `--config`
121+
82122
## Important
83123

84124
- All processing is **local and offline** — no data leaves the machine

mask_engine/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
"""Local Image Privacy Mask Engine."""
22

3-
__version__ = "0.3.2"
3+
__version__ = "0.3.3"
44

55
from .ocr import OcrResult, run_ocr
66
from .detector import Detection, detect_sensitive

pyproject.toml

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,22 +4,29 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "privacy-mask"
7-
version = "0.3.2"
7+
version = "0.3.3"
88
description = "Local image privacy masking — detect and redact sensitive info (IDs, phones, keys, etc.) before images leave your machine."
99
readme = "README.md"
1010
license = {text = "MIT"}
1111
requires-python = ">=3.10"
1212
authors = [
1313
{name = "wuhao"},
1414
]
15-
keywords = ["privacy", "masking", "ocr", "sensitive-data", "claude-code"]
15+
keywords = [
16+
"privacy", "masking", "ocr", "sensitive-data", "claude-code",
17+
"pii", "redaction", "image-privacy", "screenshot", "data-protection",
18+
"tesseract", "ner", "gliner", "anonymize", "secret-detection",
19+
"api-key-detection", "gdpr", "compliance", "agent-skill",
20+
]
1621
classifiers = [
1722
"Development Status :: 4 - Beta",
1823
"Intended Audience :: Developers",
1924
"License :: OSI Approved :: MIT License",
2025
"Programming Language :: Python :: 3",
2126
"Topic :: Security",
2227
"Topic :: Multimedia :: Graphics",
28+
"Topic :: Scientific/Engineering :: Image Recognition",
29+
"Environment :: Console",
2330
]
2431
dependencies = [
2532
"Pillow>=10.0.0",

references/README.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
# References
2+
3+
- [Agent Skills Specification](https://agentskills.io) — SKILL.md format standard
4+
- [Tesseract OCR](https://github.com/tesseract-ocr/tesseract) — Primary OCR engine
5+
- [RapidOCR](https://github.com/RapidAI/RapidOCR) — Alternative OCR engine (ONNX-based)
6+
- [GLiNER](https://github.com/urchade/GLiNER) — Named Entity Recognition model for PII detection
7+
- [OWASP Data Protection](https://owasp.org/www-project-data-security/) — PII classification reference

skills/privacy-mask/SKILL.md

Lines changed: 56 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,46 @@
11
---
22
name: privacy-mask
3-
description: Mask sensitive information (phone numbers, emails, IDs, API keys, crypto wallets, etc.) in screenshots before analysis. Use when receiving screenshots that may contain private data, or when the user mentions privacy/masking/脱敏/打码.
3+
description: >-
4+
Mask, redact and anonymize sensitive information (PII) in screenshots and
5+
images — phone numbers, emails, IDs, API keys, crypto wallets, credit cards,
6+
passwords, and more. 100% local, 100% offline. Uses OCR with 47 regex rules
7+
and optional NER. Use when receiving screenshots that may contain private data,
8+
or when the user mentions privacy/masking/脱敏/打码.
49
version: 0.3.3
510
license: MIT
611
compatibility: Requires tesseract OCR, Python 3.10+, and pre-installed privacy-mask CLI.
712
metadata:
813
author: wuhao
14+
openclaw:
15+
requires:
16+
bins:
17+
- tesseract
18+
- python3
19+
- privacy-mask
20+
emoji: "\U0001F6E1"
21+
homepage: https://github.com/fullstackcrew-alpha/privacy-mask
22+
permissions:
23+
- id: local-file-read
24+
description: >-
25+
Reads image files provided by the user to perform OCR-based
26+
sensitive information detection. No files are copied or transmitted.
27+
scope: local
28+
optional: false
29+
- id: local-file-write
30+
description: >-
31+
Writes masked output images to the local filesystem (same directory
32+
as input, with _masked suffix, or user-specified path).
33+
scope: local
34+
optional: false
35+
hooks:
36+
- event: UserPromptSubmit
37+
description: >-
38+
Intercepts images in Claude's local image cache and applies
39+
privacy masking (blur/fill redaction) in-place before they are
40+
sent to the API. Runs entirely locally with no network calls.
41+
Requires the privacy-mask CLI to be installed.
42+
command: scripts/mask-images.sh
43+
timeout: 30000
944
---
1045

1146
# Privacy Mask
@@ -15,31 +50,30 @@ Detect and mask sensitive information in images locally before they leave your m
1550
## Prerequisites
1651

1752
This skill requires the `privacy-mask` CLI to be pre-installed on the system.
18-
If it is not available, inform the user that they need to install it first.
53+
If it is not available, inform the user that they need to install it first:
54+
55+
1. Install via pip: `pip install privacy-mask`
56+
2. Ensure Tesseract OCR is installed: `brew install tesseract` (macOS) or `apt install tesseract-ocr` (Linux)
57+
3. Set up the Claude Code hook: `privacy-mask install`
58+
4. Verify: `privacy-mask --version`
59+
60+
After install, all images are automatically masked before upload. No further action needed.
1961

2062
## When to use
2163

22-
- User sends a screenshot that may contain private data
64+
- User sends a screenshot or image file (`.png`, `.jpg`, `.jpeg`, `.bmp`, `.tiff`) that may contain private data
2365
- User mentions privacy, masking, 脱敏, or 打码
2466
- You need to analyze an image but want to redact sensitive info first
25-
26-
## Quick start
27-
28-
```bash
29-
pip install privacy-mask
30-
privacy-mask install # one-time: sets up global Claude Code hook
31-
```
32-
33-
After install, all images are automatically masked before upload. No further action needed.
67+
- IF the user shares a screenshot for debugging, THEN run `privacy-mask mask <path> --dry-run` first to check for PII
3468

3569
## Manual usage
3670

3771
Mask an image:
3872
```bash
39-
privacy-mask mask <image_path>
40-
privacy-mask mask <image_path> --in-place
41-
privacy-mask mask <image_path> --dry-run # detect only
42-
privacy-mask mask <image_path> --detection-engine regex # use regex instead of NER
73+
privacy-mask mask /path/to/screenshot.png
74+
privacy-mask mask /path/to/screenshot.png --in-place
75+
privacy-mask mask /path/to/screenshot.png --dry-run # detect only
76+
privacy-mask mask /path/to/screenshot.png --detection-engine regex # regex only, skip NER
4377
```
4478

4579
Output is JSON:
@@ -61,6 +95,12 @@ Output is JSON:
6195
- **Other**: Email, birthday, IP/IPv6, MAC, UUID, license plate, MRZ, URL auth tokens
6296
- **NER** (optional): Person names, street addresses, organizations, dates of birth, medical conditions
6397

98+
## Constraints
99+
100+
- Do NOT send unmasked images to any external API or cloud service
101+
- Do NOT skip masking when detections are found
102+
- Do NOT modify the original image unless `--in-place` is explicitly requested
103+
64104
## Important
65105

66106
- All processing is **local and offline** — no data leaves the machine

0 commit comments

Comments
 (0)