11---
22name : privacy-mask
33description : >-
4- Mask and redact sensitive information (PII) in screenshots and images before
5- analysis — phone numbers, emails, IDs, API keys, crypto wallets, credit cards,
6- passwords, and more. Uses OCR (Tesseract + RapidOCR) and optional NER (GLiNER)
7- to detect private data and applies redaction overlays. One-time setup requires
8- pip install (network) and global hook registration; after that, all image
9- processing is fully local and offline — no data leaves your machine. Use when
10- receiving screenshots that may contain private data, or when the user mentions
11- privacy / masking / redacting / PII removal / sensitive data protection.
12- version : 0.3.0
4+ Mask and redact sensitive information (PII) in screenshots and images —
5+ phone numbers, emails, IDs, API keys, crypto wallets, credit cards,
6+ passwords, and more. Uses OCR (Tesseract + RapidOCR) with 47 regex rules
7+ and optional NER (GLiNER) to detect private data and applies blur/fill
8+ redaction overlays. All processing runs locally and offline — no data
9+ leaves your machine.
10+ version : 0.3.1
1311license : MIT
14- compatibility : Requires tesseract OCR and Python 3.10+. One-time pip install requires network; all subsequent image processing is local and offline .
12+ compatibility : Requires tesseract OCR, Python 3.10+, and pre-installed privacy-mask CLI .
1513metadata :
1614 author : wuhao
1715 openclaw :
1816 requires :
1917 bins :
2018 - tesseract
2119 - python3
20+ - privacy-mask
2221 emoji : " \U0001F6E1 "
2322 homepage : https://github.com/fullstackcrew-alpha/privacy-mask
2423 permissions :
25- - id : pip-install
24+ - id : local-file-read
2625 description : >-
27- One-time: runs "pip install privacy-mask" to install the CLI tool and
28- its dependencies (Pillow, pytesseract, rapidocr-onnxruntime) from PyPI.
29- This is the only step that requires network access.
30- scope : global
31- optional : false
32- - id : global-hook-install
33- description : >-
34- One-time: runs "privacy-mask install" to register a UserPromptSubmit
35- hook in ~/.claude/settings.json. The hook script is bundled in the
36- package at mask_engine/data/hook.sh — no remote code is fetched.
37- scope : global
38- optional : false
39- - id : image-cache-read
40- description : >-
41- At runtime, the hook reads images from ~/.claude/image-cache/ to
42- perform local OCR-based detection before the image is sent to the API.
43- Images are processed in-place; no copies are made or transmitted.
26+ Reads image files provided by the user to perform OCR-based
27+ sensitive information detection. No files are copied or transmitted.
4428 scope : local
4529 optional : false
46- - id : agent-behavior-modify
30+ - id : local-file-write
4731 description : >-
48- The hook masks (blurs) detected sensitive regions in images before
49- upload, ensuring PII never leaves the machine. This modifies the
50- image content that the agent sends to the API.
32+ Writes masked output images to the local filesystem (same directory
33+ as input, with _masked suffix, or user-specified path).
5134 scope : local
5235 optional : false
5336---
@@ -56,28 +39,28 @@ metadata:
5639
5740Detect and mask sensitive information in images locally before they leave your machine.
5841
59- ## When to use
60-
61- - User sends a screenshot that may contain private data
62- - User mentions privacy, masking, or redacting
63- - You need to analyze an image but want to redact sensitive info first
42+ ## Prerequisites
6443
65- ## Quick start
44+ The ` privacy-mask ` CLI must be installed before using this skill:
6645
67- ``` bash
46+ ```
6847pip install privacy-mask
69- privacy-mask install # one-time: sets up global Claude Code hook
7048```
7149
72- After install, all images are automatically masked before upload. No further action needed.
50+ ## When to use
51+
52+ - User sends a screenshot that may contain private data
53+ - User mentions privacy, masking, or redacting
54+ - You need to analyze an image but want to redact sensitive info first
7355
74- ## Manual usage
56+ ## Usage
7557
7658Mask an image:
7759``` bash
7860privacy-mask mask < image_path>
7961privacy-mask mask < image_path> --in-place
8062privacy-mask mask < image_path> --dry-run # detect only
63+ privacy-mask mask < image_path> --detection-engine regex # use regex instead of NER
8164```
8265
8366Output is JSON:
@@ -89,17 +72,17 @@ Output is JSON:
8972}
9073```
9174
92- ## What it detects (47 rules)
75+ ## What it detects
9376
9477- ** IDs** : Chinese ID card, passport, HK/TW ID, US SSN, UK NINO, Canadian SIN, Indian Aadhaar/PAN, Korean RRN, Singapore NRIC, Malaysian IC
9578- ** Phone** : Chinese mobile/landline, US phone, international (+prefix)
9679- ** Financial** : Bank card, Amex, IBAN, SWIFT/BIC
9780- ** Developer keys** : AWS, GitHub, Slack, Google, Stripe tokens, JWT, connection strings, API keys, SSH/PEM keys
9881- ** Crypto** : Bitcoin, Ethereum wallet addresses
9982- ** Other** : Email, birthday, IP/IPv6, MAC, UUID, license plate, MRZ, URL auth tokens
83+ - ** NER** (optional): Person names, street addresses, organizations, dates of birth, medical conditions
10084
10185## Important
10286
10387- All processing is ** local and offline** — no data leaves the machine
104- - The hook intercepts images ** before** upload to cloud API
10588- Configure rules in the bundled ` config.json ` or pass ` --config ` for custom rules
0 commit comments