From acc
Analyzes PHP code for sensitive data exposures including hardcoded credentials, PII in logs, insecure storage, debug leaks, and backup files. Useful for security reviews.
Slash command: `/acc:check-sensitive-data`
Analyze PHP code for sensitive data exposure vulnerabilities.
### Hardcoded credentials

```php
// CRITICAL: Hardcoded password
$pdo = new PDO($dsn, 'admin', 'SuperSecret123!');

// CRITICAL: API key in code
$apiKey = 'sk_live_abc123xyz789';
$stripe = new StripeClient($apiKey);

// CRITICAL: Hardcoded secret
define('JWT_SECRET', 'my-secret-key-123');
const ENCRYPTION_KEY = 'aes256-encryption-key';

// CRITICAL: .env file committed
// Check .gitignore for:
//   .env
//   *.pem
//   *.key
//   config/secrets.php

// CRITICAL: Config with real credentials
// config/database.php
return [
    'password' => 'production_password_here',
];
```
### Sensitive data in logs and exceptions

```php
// CRITICAL: Password in logs
$this->logger->info('Login', ['password' => $password]);

// CRITICAL: Credit card in logs
$this->logger->debug('Payment', ['card' => $cardNumber]);

// VULNERABLE: Full user object logged
$this->logger->info('User created', ['user' => $user]);

// VULNERABLE: Exception with sensitive data
throw new Exception("Login failed for password: $password");
```
### Sensitive data in URLs

```php
// CRITICAL: Password in URL
$url = "/reset?token=$token&email=$email&password=$password";

// CRITICAL: API key in URL
$url = "https://api.example.com?key=$apiKey";

// VULNERABLE: Session in URL
session_start();
header("Location: /dashboard?" . SID);
```
### Insecure storage

```php
// CRITICAL: Plain text password storage
$user->password = $request->get('password');
$em->persist($user);

// CRITICAL: Storing credit card in plain text
$order->setCreditCard($cardNumber);

// CRITICAL: Symmetric encryption with weak key
$encrypted = openssl_encrypt($ssn, 'aes-256-cbc', 'password');
```
### Sensitive data in responses

```php
// CRITICAL: Password in API response
return new JsonResponse([
    'user' => $user->toArray(), // May include password hash
]);

// CRITICAL: Internal data exposed
return new JsonResponse([
    'error' => $exception->getMessage(),
    'trace' => $exception->getTraceAsString(),
    'query' => $lastQuery,
]);
```
### Debug leaks

```php
// CRITICAL: Debug mode in production
ini_set('display_errors', 1);
error_reporting(E_ALL);

// CRITICAL: phpinfo exposed
phpinfo();

// CRITICAL: var_dump in production
var_dump($user);
print_r($config);
```
### Credentials in comments

```php
// CRITICAL: Credentials in comments
// TODO: Remove before production
// Username: admin
// Password: admin123

// CRITICAL: API keys in comments
// Old API key: sk_test_abc123
```
### Backup and temporary files

Check for the presence of:

- `.sql` files (database dumps)
- `.bak` files (backups)
- `.old` files
- `.swp` files (vim swap)
- `.DS_Store`
- `Thumbs.db`
### Error message leaks

```php
// CRITICAL: SQL error exposure
try {
    $pdo->query($sql);
} catch (PDOException $e) {
    echo $e->getMessage(); // Reveals table/column names
}

// CRITICAL: File path exposure
if (!file_exists($path)) {
    throw new Exception("File not found: $path");
}
```
### Search patterns

```text
# Hardcoded passwords
Grep: "password\s*[=:]\s*['\"][^'\"]{4,}['\"]" -i --glob "**/*.php"

# API keys
Grep: "(api[_-]?key|apikey|secret[_-]?key)\s*[=:]\s*['\"]" -i --glob "**/*.php"

# AWS credentials
Grep: "AKIA[0-9A-Z]{16}" --glob "**/*.php"

# Private keys
Grep: "-----BEGIN (RSA |PRIVATE |EC )" --glob "**/*"

# Logging sensitive fields
Grep: "->log.*password|->info.*password|->debug.*token" -i --glob "**/*.php"
```
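The Grep lines above are the tool invocations the skill issues. As an added example that is not part of the acc skill, the stand-alone PHP script below applies the same patterns to a constructed sample file and prints findings with the captured secret masked, so the scan output does not itself become a leak. The rule names, the widened password pattern (which also catches `'password' => '...'` array syntax), the anchored PEM header and the sample source are all assumptions made for this example; severities follow the skill's severity table.

```php
<?php
// Added example, not part of the acc skill: a small PHP scanner that applies the grep
// patterns from the skill (lightly adapted, see comments) to source text and prints
// findings with the matched secret masked. The sample source below is constructed.

declare(strict_types=1);

/** @return array<string, array{regex: string, severity: string}> */
function sensitiveDataPatterns(): array
{
    return [
        // Widened to also catch array syntax such as 'password' => '...'
        'hardcoded-password' => [
            'regex'    => '/password[\'"]?\s*(?:=>|[=:])\s*[\'"](?<value>[^\'"]{4,})[\'"]/i',
            'severity' => 'Critical',
        ],
        'api-key-in-code' => [
            'regex'    => '/(?:api[_-]?key|apikey|secret[_-]?key)\s*[=:]\s*[\'"](?<value>[^\'"]+)[\'"]/i',
            'severity' => 'Critical',
        ],
        'aws-access-key-id' => [
            'regex'    => '/(?<value>AKIA[0-9A-Z]{16})/',
            'severity' => 'Critical',
        ],
        // Anchored on the full PEM header so a "BEGIN CERTIFICATE" block is not flagged
        'private-key-block' => [
            'regex'    => '/-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/',
            'severity' => 'Critical',
        ],
        'sensitive-field-logged' => [
            'regex'    => '/->(?:log|info|debug|error)\s*\(.*(?:password|token|card)/i',
            'severity' => 'Critical',
        ],
    ];
}

/**
 * Scan one file's contents line by line.
 * Returns a list of findings: file, line number, rule, severity and a masked snippet.
 */
function scanSource(string $file, string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        foreach (sensitiveDataPatterns() as $rule => $def) {
            if (preg_match($def['regex'], $line, $m) !== 1) {
                continue;
            }
            $snippet = $m[0];
            if (isset($m['value'])) {
                // Replace the captured secret with asterisks of the same length
                $snippet = str_replace($m['value'], str_repeat('*', strlen($m['value'])), $snippet);
            }
            $findings[] = [
                'file'     => $file,
                'line'     => $index + 1,
                'rule'     => $rule,
                'severity' => $def['severity'],
                'snippet'  => $snippet,
            ];
        }
    }
    return $findings;
}

// Constructed sample modelled on the vulnerable patterns in this skill.
// The last line is the secure pattern (environment variable) and must not be flagged.
$sample = <<<'PHP'
<?php
$dbPassword = 'SuperSecret123!';
$apiKey = 'sk_live_abc123xyz789';
$awsKey = 'AKIAIOSFODNN7EXAMPLE';
return ['password' => 'production_password_here'];
$this->logger->info('Login', ['password' => $password]);
$apiKey = getenv('STRIPE_API_KEY');
PHP;

foreach (scanSource('sample.php', $sample) as $f) {
    printf("[%s] %s:%d %s -> %s\n", $f['severity'], $f['file'], $f['line'], $f['rule'], $f['snippet']);
}
```

Run it with `php scan.php`; each finding carries the file, line, rule and severity that the report format in this skill asks for, and only the masked snippet, never the raw value. Because every rule keeps the secret in a named `value` group, masking is done once in `scanSource()` rather than per rule.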
### Data classification

| Type | Examples | Risk |
|---|---|---|
| Authentication | Passwords, tokens, API keys | Account takeover |
| Financial | Credit cards, bank accounts | Financial fraud |
| PII | SSN, passport, ID numbers | Identity theft |
| Health | Medical records, diagnoses | Privacy violation |
| Location | Home address, GPS coords | Physical safety |

### Severity

| Pattern | Severity |
|---|---|
| Hardcoded production credentials | 🔴 Critical |
| Password in logs | 🔴 Critical |
| API keys in code | 🔴 Critical |
| PII in error messages | 🟠 Major |
| Debug info in production | 🟠 Major |
| Sensitive comments | 🟡 Minor |
### Secure patterns

```php
// Load secrets from the environment, never from source
$apiKey = getenv('STRIPE_API_KEY');
$dbPassword = $_ENV['DB_PASSWORD'];

// Log identifiers, not secrets
$this->logger->info('Login attempt', [
    'user_id' => $user->getId(),
    // Never log: password, token, credit card, SSN
]);

// Mask PII before it is displayed or logged
function maskEmail(string $email): string
{
    $parts = explode('@', $email, 2);
    if (count($parts) !== 2) {
        return '***'; // not an address; do not echo the input back
    }
    return substr($parts[0], 0, 2) . '***@' . $parts[1];
}

function maskCard(string $card): string
{
    return '****-****-****-' . substr($card, -4);
}

// Log the full exception internally, return only a generic message to the client
try {
    $this->process();
} catch (Exception $e) {
    $this->logger->error('Processing failed', ['exception' => $e]);
    throw new PublicException('An error occurred. Please try again.');
}
```
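The secure patterns above rely on each call site remembering the rule. As an added example that is not part of the acc skill, the scrubber below enforces it centrally: it walks a whole logger context array before it reaches the logger, so a nested `card` key, a full entity object (the "Full user object logged" case) or an interpolated exception message (the "Exception with sensitive data" case) does not undo it. `REDACTED_KEYS`, the masking rules, `maskCardsInText()` and the sample context are constructed for this example.

```php
<?php
// Added example, not part of the acc skill: a logger-context scrubber that enforces the
// "never log: password, token, credit card, SSN" rule before a context array reaches
// the logger. Key names, masking rules and the sample context are constructed.

declare(strict_types=1);

// Context keys whose values are always replaced (compared case-insensitively, '-' as '_')
const REDACTED_KEYS = [
    'password', 'passwd', 'secret', 'token', 'api_key', 'apikey',
    'authorization', 'ssn', 'card', 'card_number', 'cvv',
];

/** Keep at most two characters of the local part; return '***' for anything that is not an address. */
function maskEmail(string $email): string
{
    $at = strpos($email, '@');
    if ($at === false) {
        return '***';
    }
    return substr($email, 0, min(2, $at)) . '***@' . substr($email, $at + 1);
}

/** Keep only the last four digits of a card number, whatever separators it used. */
function maskCard(string $card): string
{
    $digits = preg_replace('/\D/', '', $card);
    return '****-****-****-' . substr($digits, -4);
}

/** Mask anything that looks like a 13-19 digit card number embedded in free text. */
function maskCardsInText(string $text): string
{
    return preg_replace_callback(
        '/\b(?:\d[ -]?){12,18}\d\b/',
        fn (array $m): string => maskCard($m[0]),
        $text
    );
}

/** Recursively scrub a logger context array so it is safe to hand to any handler. */
function redactContext(array $context): array
{
    $clean = [];
    foreach ($context as $key => $value) {
        $name = strtolower(str_replace('-', '_', (string) $key));
        if (in_array($name, REDACTED_KEYS, true)) {
            $clean[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $clean[$key] = redactContext($value);
        } elseif ($value instanceof Throwable) {
            // Class and location are enough for triage; a message built by string
            // interpolation may carry the secret itself, so it is not copied.
            $clean[$key] = get_class($value) . ' at ' . basename($value->getFile()) . ':' . $value->getLine();
        } elseif (is_object($value)) {
            // Never dump whole entities: they may carry password hashes or PII.
            $clean[$key] = get_class($value) . (method_exists($value, 'getId') ? '#' . $value->getId() : '');
        } elseif ($name === 'email' && is_string($value)) {
            $clean[$key] = maskEmail($value);
        } elseif (is_string($value)) {
            $clean[$key] = maskCardsInText($value);
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample context modelled on the vulnerable logging patterns in this skill
$context = [
    'user_id'   => 42,
    'email'     => 'alice@example.com',
    'password'  => 'SuperSecret123!',
    'payment'   => ['card' => '4111111111111111', 'amount' => 19.99, 'note' => 'paid with 4111 1111 1111 1111'],
    'headers'   => ['Authorization' => 'Bearer eyJ...', 'Accept' => 'application/json'],
    'exception' => new RuntimeException('Login failed for password: SuperSecret123!'),
];

print_r(redactContext($context));
```

Wire `redactContext()` in once, for example as a processor on the logger, rather than at each call site; keys are matched after normalising case and hyphens so `Authorization`, `API-Key` and `api_key` are all caught, and free-text values are still scanned for card-number-shaped digit runs that were logged under an innocent key.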
Report each finding in this format:

### Sensitive Data Exposure: [Description]

**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line`
**CWE:** CWE-200 (Exposure of Sensitive Information)

**Issue:**
[Description of the data exposure]

**Data Type:** [Password|API Key|PII|...]

**Code:**
```php
// Vulnerable code
```

**Fix:**
```php
// Secure handling
```
Install: `npx claudepluginhub dykyi-roman/awesome-claude-code --plugin acc`