Brikko PII Mask

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims, but it sends sensitive text to Brikko’s API and uses a Brikko API key, so users should be comfortable with that third-party data flow.

Before installing, make sure your organization is comfortable sending unmasked PII to Brikko's API and relying on Brikko's one-hour retention of the placeholder-to-original mapping. Keep BRIKKO_API_KEY secret, verify BRIKKO_API_URL if you override it (the skill sends the raw text to whatever endpoint that variable names), and consider the self-hosted option for stricter privacy requirements.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Brikko receives the original text before it is masked for the downstream LLM.

Why it was flagged

The script sends the stdin text, which may contain personal data, to Brikko's anonymization endpoint. This matches the stated purpose and is disclosed, but it is still a sensitive third-party data flow.

Skill content
payload = json.dumps({"text": text}).encode("utf-8") ... f"{api_url}/v1/anonymize"
Recommendation

Install only if sending this PII to Brikko is acceptable for your privacy, compliance, and vendor-risk requirements; consider the documented self-hosted option for stricter data residency.

What this means

Anyone who can read the environment variable can use the Brikko API key as if they were the account holder.

Why it was flagged

The skill requires a Brikko API key and uses it as a bearer token for API calls. This is expected for the service integration, but it gives the scripts access to the user's Brikko account/API quota.

Skill content
api_key = os.environ.get("BRIKKO_API_KEY", "").strip() ... "Authorization": f"Bearer {api_key}"
Recommendation

Store the API key securely, avoid committing it to files, rotate it if exposed, and use a limited-purpose key if Brikko supports that.
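The overview's advice (keep BRIKKO_API_KEY secret, verify BRIKKO_API_URL if you override it) and this finding's recommendation are easy to state and easy to skip. The following is an added example, not code from the skill, from Brikko, or from ClawScan: it reconstructs the outbound request from the two snippets quoted in this audit (POST {api_url}/v1/anonymize, JSON body {"text": ...}, bearer token from BRIKKO_API_KEY) and wraps it in the checks a deployer would want before the unmasked text leaves the machine. The default base URL, the allow-list of hosts, the self-hosted host name, the request assembly helper and the sample input are all assumptions made for the illustration; only api.brikko.ru, the env-var names and the path are taken from the audit.

```python
"""Guard rails around the Brikko data flow described in the ClawScan audit.

Added illustration, not the skill's code. Assumed for the example:
  - request shape from the audit's quoted snippets: POST {api_url}/v1/anonymize,
    JSON body {"text": ...}, "Authorization: Bearer <BRIKKO_API_KEY>";
  - DEFAULT_API_URL: api.brikko.ru is named in the audit, the scheme/default is assumed;
  - ALLOWED_HOSTS: a deployer-maintained allow-list; the self-hosted entry is a placeholder.
"""
import json
import os
from urllib.parse import urlsplit

DEFAULT_API_URL = "https://api.brikko.ru"  # assumed default; host taken from the audit
# Hosts an overridden BRIKKO_API_URL may point at. "brikko.internal.example" stands in
# for a self-hosted deployment and is hypothetical.
ALLOWED_HOSTS = frozenset({"api.brikko.ru", "brikko.internal.example"})


class UnsafeEndpoint(ValueError):
    """Raised when BRIKKO_API_URL would send unmasked PII somewhere unexpected."""


def validate_api_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a normalised base URL, or raise UnsafeEndpoint.

    Checks: https only (the body is unmasked PII), no embedded credentials, no
    query/fragment that f"{api_url}/v1/anonymize" would silently keep, and a host
    on the allow-list. The trailing slash is dropped so the f-string does not
    produce a double slash.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise UnsafeEndpoint(f"refusing non-HTTPS endpoint scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeEndpoint("endpoint URL must not embed credentials")
    if parts.query or parts.fragment:
        raise UnsafeEndpoint("endpoint URL must not carry a query string or fragment")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UnsafeEndpoint(f"host {host!r} is not an approved Brikko endpoint")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{host}{port}{parts.path.rstrip('/')}"


def is_safe_api_url(url: str) -> bool:
    """Boolean wrapper around validate_api_url for quick checks."""
    try:
        validate_api_url(url)
    except (UnsafeEndpoint, ValueError):
        return False
    return True


def load_api_key(environ=None) -> str:
    """Read BRIKKO_API_KEY the way the skill does, but refuse an empty key up front
    rather than sending an "Authorization: Bearer " header with no token."""
    env = os.environ if environ is None else environ
    key = env.get("BRIKKO_API_KEY", "").strip()
    if not key:
        raise RuntimeError("BRIKKO_API_KEY is not set")
    return key


def redact(key: str) -> str:
    """Log-safe form of the key: last four characters only."""
    return "****" + key[-4:] if len(key) > 4 else "****"


def build_anonymize_request(text: str, environ=None) -> dict:
    """Assemble the outbound request without sending it, so the caller can inspect
    exactly what would leave the machine (URL, headers, body) before it does."""
    env = os.environ if environ is None else environ
    api_url = validate_api_url(env.get("BRIKKO_API_URL", DEFAULT_API_URL))
    api_key = load_api_key(env)
    payload = json.dumps({"text": text}).encode("utf-8")  # same body shape as the audited snippet
    return {
        "url": f"{api_url}/v1/anonymize",
        "headers": {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        "body": payload,
        # Never log the bearer token itself; this line is what should reach a log.
        "log_line": f"POST {api_url}/v1/anonymize key={redact(api_key)} bytes={len(payload)}",
    }


if __name__ == "__main__":
    # Constructed sample input and environments; not real data or real keys.
    sample = "Contact Jane Doe at jane@example.com, passport X1234567."
    good_env = {"BRIKKO_API_KEY": "sk-test-0000abcd", "BRIKKO_API_URL": "https://api.brikko.ru/"}
    print(build_anonymize_request(sample, good_env)["log_line"])
    bad_env = {"BRIKKO_API_KEY": "sk-test-0000abcd", "BRIKKO_API_URL": "http://attacker.example/v1"}
    try:
        build_anonymize_request(sample, bad_env)
    except UnsafeEndpoint as exc:
        print("blocked:", exc)
```

The point of returning the request rather than sending it is that the data flow this audit flags becomes inspectable: a wrapper or a test can assert on the destination host and confirm the key never appears in anything logged, without ever contacting Brikko.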

What this means

Original personal data may remain recoverable on Brikko's service during the one-hour mapping window.

Why it was flagged

The skill discloses that the placeholder-to-original-PII mapping is stored by Brikko for one hour so restoration can work. This is bounded and purpose-aligned, but it is temporary remote retention of sensitive data.

Skill content
The mapping (placeholder → original) is stored in Redis on api.brikko.ru with a TTL of 1 hour
Recommendation

Confirm that the one-hour retention and Brikko's handling of mappings meet your requirements; use self-hosting or avoid the skill for data that cannot be sent to a third party.