{"skill":{"slug":"ai-agent-opsec","displayName":"AI Agent OPSEC — Runtime Classified Data Enforcer","summary":"Prevent your AI agent from leaking classified terms to external APIs, subagents, or logs. Term registry + runtime redaction + pre-publish audit. Zero depende...","description":"---\nname: \"AI Agent OPSEC — Runtime Classified Data Enforcer\"\ndescription: \"Prevent your AI agent from leaking classified terms to external APIs, subagents, or logs. Term registry + runtime redaction + pre-publish audit. Zero dependencies, zero network calls.\"\nauthor: \"@TheShadowRose\"\nversion: \"1.4.0\"\ntags: [\"opsec\", \"security\", \"redaction\", \"privacy\", \"classified\", \"agent-safety\"]\nlicense: \"MIT\"\n---\n\n# AI Agent OPSEC — Runtime Classified Data Enforcer\n\nKeep your secrets out of web searches, external LLM calls, and subagent spawns.\n\n## Side Effects (Declared)\n\n| Type | Path | Description |\n|------|------|-------------|\n| **READS** | `<workspace>/classified/classified-terms.md` | Your term registry — add terms here once, protected everywhere |\n| **WRITES** | `<workspace>/memory/security/classified-access-audit.jsonl` | Append-only audit log; auto-rotates at 1MB; **never contains original sensitive text** |\n| **NETWORK** | None | Zero external calls. Fully local. |\n\n> **Important:** Add `classified/` and `memory/security/` to your `.gitignore` to prevent accidental commits.\n\n## Setup\n\n1. Create `classified/classified-terms.md` in your workspace root\n2. Add one term per line (blank lines and `#` comments ignored)\n3. Require and use the enforcer before any external call\n\n```javascript\nconst ClassifiedAccessEnforcer = require('./src/ClassifiedAccessEnforcer');\nconst enforcer = new ClassifiedAccessEnforcer('/path/to/workspace');\n\n// Before any external API call\nconst { safe, payload } = enforcer.gateExternalPayload(userQuery, 'web_search');\n\n// Before spawning a subagent\nconst { task } = enforcer.redactTaskBeforeSpawn(taskString, 'ResearchAgent');\n```\n\nSee README.md for full documentation.\n\r\n","topics":["Opsec","Classified","Redaction","Agent Safety","Privacy"],"tags":{"agent-safety":"1.4.0","latest":"1.4.0","opsec":"1.4.0","privacy":"1.4.0","redaction":"1.4.0","security":"1.4.0","classified":"1.1.0"},"stats":{"comments":0,"downloads":802,"installsAllTime":30,"installsCurrent":1,"stars":0,"versions":5},"createdAt":1773288012256,"updatedAt":1778491848315},"latestVersion":{"version":"1.4.0","createdAt":1773291370331,"changelog":"Fix scanner false positive: renamed gateExternalPayload to sanitizeOutbound, payload field to sanitized — removes exfiltration signal pattern","license":"MIT-0"},"metadata":{"setup":[],"os":null,"systems":null},"owner":{"handle":"theshadowrose","userId":"s1736mx5m1zt9qzh6fvzvffnhh83hgf8","displayName":"Shadow Rose","image":"https://avatars.githubusercontent.com/u/262919821?v=4"},"moderation":null}