From Madden Frameworks
HARD STOP. Use this skill the moment any text in the conversation looks like it could be Protected Health Information (PHI) from a healthcare context the operator works in. This is the HIGHEST-PRIORITY skill in the plugin — it fires before everything else, suppresses other skills firing same turn, and has NO override for "trust me it's not PHI" without explicit confirmation. Triggers include: any phone-shaped string `\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b`, SSN-shaped string `\b\d{3}[-]\d{2}[-]\d{4}\b`, DOB-shaped MM/DD/YYYY pattern, Rx number `\bRx\s*#?\s*\d{6,}\b`, MRN `\bMRN\s*#?\s*\d+\b`, any `<title> <first-name> <last-name>` pattern in a healthcare context document (Mrs. Mary Smith, Dr. James Lee, Mr./Ms.), or the word "patient" appearing alongside any number / identifier / clinical detail. Also fires on file paths or pastes containing patient / Rx / script / MRN / EHR / clinical / `<employer>-internal` markers. When fired, REFUSE to write the data, REFUSE to log it anywhere (persistent store, chat output, Bash echo, file content). Halt the work; ask the operator to scrub before continuing. When unsure: FIRE. False positives cost 30 seconds; false negatives are catastrophic. Do NOT use when content is clearly fictional / test data AND the operator has explicitly named it as such ("dummy data", "fake patient", "lorem ipsum patient"), when numbers are clearly NOT PHI (port numbers, version numbers, hex colors), when discussing the rule itself or PHI as an abstract HIPAA-training concept.
How this skill is triggered — by the user, by Claude, or both
Slash command
/madden-frameworks-skills:accidental-PHI
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
PHI never enters persistent stores. PHI never enters this repo. PHI never enters chat logs. PHI never enters local cache files. PHI never enters Bash command output. If anything that could be PHI surfaces, halt the work, scrub it, then continue.
The bar is *could be*, not *is*. Better to stop on a false positive than miss a real one.
Per HIPAA's 18 identifiers:
| Identifier | Examples |
|---|---|
| Names | First + Last name combinations not obviously fictional |
| Dates of birth | DD/MM/YYYY, MM-DD-YY, "born in 1958", anything with "birthday" + numbers |
| Telephone numbers | (XXX) XXX-XXXX, XXX-XXX-XXXX in a patient context |
| Addresses | Street + city + state combos (especially with name nearby) |
| Email addresses | When tied to a patient |
| SSN, MRN, account numbers | XXX-XX-XXXX, any 8-12 digit string in clinical context |
| Health plan / insurance IDs | "Blue Cross #...", "Medicare ID..." |
| Prescription numbers, NDC codes | Rx #, anything that looks like NDC |
| Specific dosing for a specific person | "John takes 500mg <med> BID" |
| Vehicle / license / device identifiers | when tied to a patient |
| Photos, biometrics | not relevant in text-only chat but flag if mentioned |
| Any geographic subdivision smaller than state | tied to a patient |
Workplace context signals:
`patient`, `Rx`, `script`, `MRN`, `EHR`, `clinical`, `<employer>-internal`

Fire on ANY of these matched against current chat content, file content being created, or Bash command output:

- `\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b` (phone-shaped)
- `\b\d{3}[-]\d{2}[-]\d{4}\b` (SSN-shaped)
- `\b(0?[1-9]|1[0-2])[\/\-](0?[1-9]|[12]\d|3[01])[\/\-](19|20)\d{2}\b` (DOB-shaped MM/DD/YYYY)
- `\bRx\s*#?\s*\d{6,}\b` (Rx number)
- `\bMRN\s*#?\s*\d+\b` (MRN)
- `<title> <first-name> <last-name>` pattern in a healthcare-context document (Mrs. Mary Smith, Dr. James Lee, Mr. / Ms.)

Do NOT fire when:
port: 5170, version: 1.2.3, hex colors)

When unsure: fire. False positives are cheap; false negatives are catastrophic.
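An added example (not part of the plugin or the original page) that runs the trigger patterns listed above over constructed sample text and reports only the generic pattern type, never the matched value. The title+name and patient+number regexes, the function names and the halt wording are assumptions made here.

```python
import re

# Trigger patterns copied from the skill text; the keys are its own labels.
PATTERNS = {
    "phone-shaped": r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b",
    "SSN-shaped": r"\b\d{3}[-]\d{2}[-]\d{4}\b",
    "DOB-shaped": r"\b(0?[1-9]|1[0-2])[\/\-](0?[1-9]|[12]\d|3[01])[\/\-](19|20)\d{2}\b",
    "Rx number": r"\bRx\s*#?\s*\d{6,}\b",
    "MRN": r"\bMRN\s*#?\s*\d+\b",
}
# Workplace context signals from the page ("<employer>-internal" is a
# placeholder there, so it is omitted).
CONTEXT = re.compile(r"\b(patient|Rx|script|MRN|EHR|clinical)\b", re.I)
# Assumed regex for the "<title> <first-name> <last-name>" trigger.
TITLE_NAME = re.compile(r"\b(?:Mrs|Mr|Ms|Dr)\.?\s+[A-Z][a-z]+\s+[A-Z][a-z]+\b")
# Assumed regex for "patient" on the same line as any number.
PATIENT_NUM = re.compile(r"\bpatient\b[^\n]*\d|\d[^\n]*\bpatient\b", re.I)

# Constructed sample inputs (fictional values, not real data).
NOTE = "Refill for Mrs. Mary Smith, patient DOB 04/12/1958, Rx #1234567, call 555-867-5309"
CONFIG = "port: 5170, version: 1.2.3, color: #ff8800"
TIMESTAMP = "build finished at 1700000000"


def scan(text, operator_confirmed_test_data=False):
    """Return sorted pattern-type labels that fire; never the matched text."""
    if operator_confirmed_test_data:
        # Only an explicit operator statement lifts the stop, never inference.
        return []
    hits = {label for label, rx in PATTERNS.items() if re.search(rx, text)}
    if CONTEXT.search(text) and TITLE_NAME.search(text):
        hits.add("title+name")
    if PATIENT_NUM.search(text):
        hits.add("patient+number")
    return sorted(hits)


def hard_stop(text, **kwargs):
    """Return a halt notice naming only generic pattern types, or None."""
    hits = scan(text, **kwargs)
    if not hits:
        return None
    # Constructed wording; the page's own script text is not reproduced here.
    return "HARD STOP: possible PHI (" + ", ".join(hits) + "). Scrub, then continue."


if __name__ == "__main__":
    for sample in (NOTE, CONFIG, TIMESTAMP):
        print(hard_stop(sample))
```

The `TIMESTAMP` sample fires as phone-shaped because any bare 10-digit run satisfies that regex, which is the false-positive cost the skill accepts.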
HARD STOP. Do not output the suspect content. Do not log it.
Script:
<generic pattern type — phone-shaped, name+DOB, etc.>)."

If real PHI was about to be written somewhere persistent, also say:
"If real PHI was already pasted, the message is in this conversation's log — let's scrub the original message and start fresh. Tell me when you're ready."
There is NO override for "trust me, log it anyway." The skill never accepts that.
The only paths forward:
This skill suppresses other skills firing same turn. Whatever else might have fired, accidental-PHI fires alone and resolves first. Other skills can re-fire after PHI is resolved.
`commit-message-honesty` — if PHI was about to land in a commit message, both fire; PHI takes precedence.

Operators who work in healthcare contexts (clinicians, pharmacists, payer-adjacent roles, healthtech operators) handle PHI as a daily constraint. Data leakage in any form (chat, code, repo, logs, screenshots, anything) is a fireable offense and a HIPAA violation. The cost of a single leak is enormous; the cost of a false positive is 30 seconds of confirmation. The math is overwhelming.
This skill has the highest priority in the system because the failure mode is the most severe. Adjacent sensitive-data skills (financial / PCI, regulated industry data, customer PII) follow the same hard-stop pattern.
npx claudepluginhub kvmadden/madden-frameworks-skills-plugin --plugin madden-frameworks-skills