Install
openclaw skills install privacy-maskPrivacy Mask
Mask, redact, anonymize and censor sensitive information (PII) in screenshots and images — phone numbers, emails, IDs, API keys, crypto wallets, credit cards, passwords, and more. Uses OCR (Tesseract + RapidOCR) with 47 regex rules and optional NER (GLiNER) to detect private data and applies blur/fill redaction overlays. Supports GDPR and compliance workflows, secret detection, and data loss prevention (DLP). All processing runs 100% locally and offline — no data leaves your machine.
Audits
PassPrivacy Mask
Detect and mask sensitive information in images locally before they leave your machine.
Prerequisites
This skill requires the privacy-mask CLI to be pre-installed on the system.
If it is not available, inform the user that they need to install it first:
- Install via pip:
pip install privacy-mask - Ensure Tesseract OCR is installed:
brew install tesseract(macOS) orapt install tesseract-ocr(Linux) - Verify installation:
privacy-mask --version - (Optional) Install NER support:
pip install privacy-mask[ner]
When to use
- User sends a screenshot or image file (
.png,.jpg,.jpeg,.bmp,.tiff) that may contain private data - User mentions privacy, masking, redacting, or anonymizing
- You need to analyze an image but want to redact sensitive info first
- IF the user shares a screenshot for debugging, THEN run
privacy-mask mask <path> --dry-runfirst to check for PII - IF detections are found, THEN mask the image before proceeding with analysis
Usage
Mask an image:
privacy-mask mask /path/to/screenshot.png
privacy-mask mask /path/to/screenshot.png --in-place
privacy-mask mask /path/to/screenshot.png --dry-run # detect only, no masking
privacy-mask mask /path/to/screenshot.png --detection-engine regex # regex only, skip NER
privacy-mask mask /path/to/screenshot.png --config /path/to/custom-config.json
Output is JSON:
{
"status": "success",
"detections": [{"label": "PHONE_CN", "text": "***", "bbox": [10, 20, 100, 30]}],
"summary": "Masked 1 regions: 1 PHONE_CN"
}
Example workflow
- User provides a screenshot:
~/Desktop/error-screenshot.png - Run detection:
privacy-mask mask ~/Desktop/error-screenshot.png --dry-run - IF detections found, mask the image:
privacy-mask mask ~/Desktop/error-screenshot.png - The masked output is saved as
~/Desktop/error-screenshot_masked.png - Use the masked image for further analysis
What it detects
- IDs: Chinese ID card, passport, HK/TW ID, US SSN, UK NINO, Canadian SIN, Indian Aadhaar/PAN, Korean RRN, Singapore NRIC, Malaysian IC
- Phone: Chinese mobile/landline, US phone, international (+prefix)
- Financial: Bank card, Amex, IBAN, SWIFT/BIC
- Developer keys: AWS, GitHub, Slack, Google, Stripe tokens, JWT, connection strings, API keys, SSH/PEM keys
- Crypto: Bitcoin, Ethereum wallet addresses
- Other: Email, birthday, IP/IPv6, MAC, UUID, license plate, MRZ, URL auth tokens
- NER (optional): Person names, street addresses, organizations, dates of birth, medical conditions
Constraints
- Do NOT send unmasked images to any external API or cloud service
- Do NOT skip masking when detections are found — always mask before sharing
- Do NOT modify the original image unless
--in-placeis explicitly requested - Avoid running on very large images (>10MB) without warning the user about processing time
Anti-patterns
- Don't assume images are safe — always run detection even if the image "looks clean"
- Don't use
--in-placeby default — preserve the original unless the user asks otherwise - Don't ignore dry-run results — if
--dry-runfinds PII, the image must be masked before use - Don't hardcode config paths — use the bundled default or let the user specify
--config
Important
- All processing is local and offline — no data leaves the machine
- Configure rules in the bundled
config.jsonor pass--configfor custom rules