Is this tool useful for regulatory compliance?

Yes, by identifying unencrypted PII and cleartext transmission of sensitive data, it helps developers meet standards for GDPR, HIPAA, and SOC2 confidentiality requirements.

How does it handle API response data?

The skill inspects serializers, ORM models, and controllers to find instances where full database objects are returned instead of explicitly filtered public fields.

Does it check production configurations?

Yes, it analyzes environment settings (like NODE_ENV or DEBUG flags) to ensure that development-only features like verbose error reporting are disabled for production.

Can this skill find hardcoded API keys?

Yes, it specifically searches for high-entropy strings assigned to variables like secrets, tokens, and credentials, as well as checking .env files and configuration fixtures.

What is STRIDE category I?

STRIDE is a threat modeling framework where 'I' stands for Information Disclosure, representing any threat that results in the exposure of data to parties who are not authorized to see it.

AppSec Information Disclosure Auditor

Name: AppSec Information Disclosure Auditor
Author: florianbuetow

byflorianbuetow

•

Security & Testing

Analyzes source code to identify and mitigate sensitive data leakage, verbose error messages, and unauthorized information disclosure risks.

This security-focused skill leverages the STRIDE threat model to scan applications for vulnerabilities that compromise data confidentiality. It systematically evaluates source code for common disclosure patterns, including exposed API fields, hardcoded secrets, verbose production logs, and insecure debug endpoints. By tracing data flows and inspecting configuration files, it helps developers ensure that sensitive information—such as PII, credentials, and internal system architecture details—remains protected from unauthorized access across different trust boundaries.

Key Features

01Analysis of directory traversal risks and insecure logging practices

02Detection of verbose error messages and stack traces in production configurations

036 GitHub stars

04STRIDE-aligned confidentiality threat modeling and analysis

05Scanning for hardcoded secrets, API keys, and unencrypted sensitive data

06Identification of excessive data serialization and internal field leakage in APIs

Use Cases

01Verifying that debug routes and diagnostic headers are suppressed in live environments

02Automating the identification of PII leakage in API response objects

03Performing a pre-production security audit to ensure sensitive data is filtered

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code info-disclosure

For use in Claude.ai and ChatGPT

Download Skill