Your coding AI agent keeps a plaintext diary — and your API keys may be in it

like Claude Code, Cursor, and Codex save every conversation to disk as plain text, permanently, often in a folder such as ~/.claude. If you ever pasted an API key into the chat to test something, or the agent printed your while debugging, or a stack trace included your database URL, that content sits there in the clear. These files behave like shell history — mundane housekeeping most people don't realize exists — except they also get swept into s, Dropbox syncs, and even shared during screen shares.

A developer named Ishan, known in the Cardano community, built a tool to address this. It checks the local history of roughly 29 different against a couple hundred secret patterns, runs entirely offline so nothing leaves the machine, and only scans by default — it redacts secrets only when explicitly told to, and creates backups so the action can be undone.

Key points

  • like Claude Code, Cursor, and Codex store full session history permanently as plaintext on disk
  • Pasted API keys, printed , and DB URLs in stack traces can all end up saved
  • These files get included in s, Dropbox syncs, and screen shares
  • A developer built a tool that scans history from about 29 different agents entirely offline
  • It only scans by default; redaction happens only on request, with backups for undoing it
Read original