Safely package codebases with repomix by automatically detecting and removing hardcoded credentials before packing. Use when packaging code for distribution, creating reference packages, or when the user mentions security concerns about sharing code with repomix.
88
83%
Does it follow best practices?
Impact
96%
1.81x Average score across 3 eval scenarios
Risky
Do not use without reviewing
Quality
Discovery
89% Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description that clearly identifies its niche (repomix-based code packaging with credential safety), includes an explicit 'Use when' clause with good trigger terms, and is highly distinctive. The main weakness is that the capability description could be slightly more specific about the concrete actions performed beyond detecting/removing credentials.
Suggestions
Add more specific concrete actions to improve specificity, e.g., 'scans for API keys, tokens, and passwords; generates sanitized archives; supports configurable ignore patterns.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (packaging codebases with repomix) and some actions (detecting and removing hardcoded credentials, packing), but doesn't list multiple concrete actions comprehensively—e.g., what formats, what types of credentials, what output is produced. | 2 / 3 |
| Completeness | Clearly answers both 'what' (safely package codebases with repomix by detecting and removing hardcoded credentials) and 'when' (explicit 'Use when' clause covering packaging for distribution, creating reference packages, or security concerns about sharing code). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms: 'repomix', 'packaging code', 'distribution', 'reference packages', 'security concerns', 'sharing code', 'hardcoded credentials'. These cover terms users would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive due to the specific tool name 'repomix' and the niche combination of code packaging with credential removal. Unlikely to conflict with generic code packaging or generic security scanning skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
77% Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable skill with clear workflows and good validation checkpoints. Its main weakness is length — several sections repeat information or cover topics Claude already understands (post-exposure incident response, what false positives are), inflating the token cost. Moving detailed reference material (false positives, detected secret types, post-exposure actions) to separate files would improve both conciseness and progressive disclosure.
Suggestions
Move 'Detected Secret Types', 'Common False Positives', and 'Post-Exposure Actions' sections to reference files (e.g., references/common_secrets.md, references/false_positives.md) and link to them from the main skill, reducing the body by ~40%.
Remove the 'Integration with Repomix' section as it duplicates the 'Options' section almost entirely.
Trim the overview paragraph — the title and 'When to use' line already convey the purpose; the middle paragraph is redundant.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably well-structured but includes some unnecessary verbosity. The 'Post-Exposure Actions' section and 'Common False Positives' section explain concepts Claude already knows. The 'Integration with Repomix' section largely repeats information from the 'Options' section. The overview paragraph restates the title. Several sections could be tightened significantly. | 2 / 3 |
| Actionability | The skill provides fully executable commands with concrete examples, specific flags, and realistic output samples. The before/after code transformation example for replacing secrets with environment variables is copy-paste ready, and all CLI invocations are complete with real arguments. | 3 / 3 |
| Workflow Clarity | The core workflow is clearly sequenced (scan → report → block/pack) with explicit validation checkpoints. The 'Handling Detected Secrets' section has a clear 5-step process with a verify-then-proceed feedback loop. Workflow 2 demonstrates the full remediation cycle with re-scanning before packaging. | 3 / 3 |
| Progressive Disclosure | The skill references `references/common_secrets.md` and scripts appropriately, but the main document is quite long (~200+ lines) with sections like 'Post-Exposure Actions', 'Common False Positives', and 'Integration with Repomix' that could be moved to reference files. The 'Example Workflows' section partially duplicates earlier content. No bundle files were provided to verify referenced paths exist. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
100% Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
bbf87f3