Your coding AI agent keeps a plaintext diary — and your API keys may be in it
like Claude Code, Cursor, and Codex save every conversation to disk as plain text, permanently, often in a folder such as ~/.claude. If you ever pasted an API key into the chat to test something, or the agent printed your while debugging, or a stack trace included your database URL, that content sits there in the clear. These files behave like shell history — mundane housekeeping most people don't realize exists — except they also get swept into s, Dropbox syncs, and even shared during screen shares.
A developer named Ishan, known in the Cardano community, built a tool to address this. It checks the local history of roughly 29 different against a couple hundred secret patterns, runs entirely offline so nothing leaves the machine, and only scans by default — it redacts secrets only when explicitly told to, and creates backups so the action can be undone.
Key points
- like Claude Code, Cursor, and Codex store full session history permanently as plaintext on disk
- Pasted API keys, printed , and DB URLs in stack traces can all end up saved
- These files get included in s, Dropbox syncs, and screen shares
- A developer built a tool that scans history from about 29 different agents entirely offline
- It only scans by default; redaction happens only on request, with backups for undoing it