Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
How this skill is triggered — by the user, by Claude, or both
Slash command
/forge-tlp:SafeReadThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Runtime redaction tools for reading protected files and managing their metadata.
Runtime redaction tools for reading protected files and managing their metadata.
Read a file with inline #tlp/red sections stripped and secrets redacted:
Modules/forge-tlp/bin/safe-read "/path/to/file.md"
RED files are refused entirely — safe-read only handles AMBER and below.
safe-read automatically scans for known API key and credential patterns (sourced from gitleaks) and replaces them with [SECRET REDACTED]. A warning is emitted to stderr when secrets are found.
Coverage includes 45+ services:
| Category | Services |
|---|---|
| AI/ML | Anthropic, OpenAI, OpenRouter |
| Cloud | AWS, GCP, Azure |
| Code hosting | GitHub, GitLab |
| Communication | Slack, Twilio, SendGrid, Mailchimp |
| Payments | Stripe |
| Package registries | npm |
| Databases | MongoDB connection strings |
| Crypto | PEM private keys, JWTs |
Patterns are compiled into a single regex from src/redact/mod.rs. They match token formats (prefix + length + character set), not secret values — so they work without a secrets database.
safe-read processes two kinds of redaction:
#tlp/red block and inline sections (see /TLP skill for marker syntax)[SECRET REDACTED]Both run in a single pass. TLP redaction runs first, then secret scanning on the remaining content.
Bulk YAML frontmatter operations without reading file content. Useful for managing tlp: fields across files:
# Set a key on all .md files in a directory
Modules/forge-tlp/bin/blind-metadata set <directory> <key> <value>
# Get a key from all .md files
Modules/forge-tlp/bin/blind-metadata get <directory> <key>
# List files missing a key
Modules/forge-tlp/bin/blind-metadata has <directory> <key>
Supports absolute paths and vault-relative paths (walks up to find .tlp root).
# Classify a directory as RED
blind-metadata set Resources/Contacts tlp RED
# Audit which files have TLP frontmatter
blind-metadata has Resources/Journals tlp
# Read TLP values without opening the files
blind-metadata get Resources/Journals tlp
/TLP — classification rules, .tlp config, frontmatter overrides/SecretScan — commit-time secret scanning with gitleaks!dispatch skill-load forge-tlp
npx claudepluginhub n4m3z/forge-tlpRedacts network/MITM capture directories (JSONL, JSON, logs, HAR) in place with class-preserving substitution that keeps token prefixes for analysis. For use when a wire capture must enter public notes or repos without leaking session secrets.
Scans files and directories for sensitive content including credentials, API keys, personal identifiers, private URLs, local paths, and security risks before publishing repos, sharing code, or exporting configs.
Scans code, git history, and configs for secrets like API keys, cloud credentials, private keys, and DB strings using regex, entropy, and context. Assesses severity and generates remediation reports.