mdpact

compliance/pii-in-spec

Severity: warning Category: compliance Fixable: no

Likely PII (email, SSN, phone, card) appears in spec text.


What it catches

Likely personally identifiable information in the spec text itself — email addresses (except those on reserved example.com-style domains), US Social Security numbers, phone numbers, and credit-card number shapes.

Why it matters

Agent specs get copy-pasted, committed, and read by tools outside your control. PII that lives in a spec leaks by default. Use placeholders (alice@example.com, +1-555-0100) in examples, and keep real PII in a secrets vault if it's ever needed at runtime.

Limitations

good.md

```markdown
---
version: 1
owner: team
---

# Spec

Escalate to the oncall engineer at `oncall@example.com` in an incident.
```

bad.md

```markdown
---
version: 1
owner: team
---

# Spec

Escalate to the oncall engineer at real.person@acmecorp.com in an incident.
```
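As an added illustration (not mdpact's own implementation, whose exact patterns and allowlist are not shown on this page), the following Python checker applies the four detections described above to constructed copies of good.md and bad.md. It goes slightly beyond the page by filtering card shapes with a Luhn check and treating the fictional 555-01XX phone block as a placeholder; the reserved-domain list is an assumption based on RFC 2606.

```python
import re

# Constructed samples mirroring good.md / bad.md above (not mdpact's own fixtures).
GOOD_MD = "# Spec\n\nEscalate to the oncall engineer at `oncall@example.com` in an incident.\n"
BAD_MD = (
    "# Spec\n\n"
    "Escalate to the oncall engineer at real.person@acmecorp.com in an incident.\n"
    "Customer SSN 123-45-6789, card 4111 1111 1111 1111, call +1 (415) 555-2671.\n"
    "Placeholder contact: +1-555-0100\n"
)

# Assumption: reserved/documentation domains (RFC 2606) count as placeholders.
RESERVED_DOMAIN = re.compile(
    r"^(?:[\w-]+\.)*(?:example\.(?:com|net|org)|example|test|invalid|localhost)$", re.I)

# (kind, pattern) in priority order; an earlier match masks overlapping later ones.
PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})\b", re.I)),
    ("card",  re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("ssn",   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("phone", re.compile(r"(?<![\w-])(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
]

def luhn_ok(s):
    """Luhn checksum over the digits in s; filters random digit runs from card hits."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_placeholder(kind, m):
    if kind == "email":
        return bool(RESERVED_DOMAIN.match(m.group(1)))
    if kind == "phone":  # NANP reserves 555-01XX for fictional numbers
        return re.sub(r"\D", "", m.group(0))[-7:].startswith("55501")
    if kind == "card":   # shape alone is noisy; require a valid Luhn checksum
        return not luhn_ok(m.group(0))
    return False

def find_pii(text):
    """Return [(line_no, kind, matched_text)] for likely PII, skipping placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        taken = []  # spans already claimed by a higher-priority pattern
        for kind, pat in PATTERNS:
            for m in pat.finditer(line):
                if any(m.start() < e and m.end() > s for s, e in taken):
                    continue
                taken.append((m.start(), m.end()))
                if not is_placeholder(kind, m):
                    findings.append((line_no, kind, m.group(0)))
    return findings
```

Because the rule is not fixable, a checker like this can only report findings; replacing the value with a placeholder and moving the real one to a vault remains a manual step.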