Your machine is leaking secrets.
Find them. Fix them. Prove it.

API keys in your shell history. Tokens buried in .env files. GhostHunt scans your local environment, auto-cleans what it can, and gives you rotation links for the rest.

$ npx ghosthunt

Works with Claude Desktop, Cursor, and any MCP client. MIT licensed. View source.

Security Health Score: 37 out of 100
After GhostHunt: 97 out of 100

Three steps. One conversation.

Ask Claude to scan. It finds the problems, fixes what it can, and proves the cleanup worked.

1. Scan

GhostHunt sweeps your shell history, .env files, config directories, and SSH keys. It matches 20+ secret patterns (AWS, Stripe, OpenAI, GitHub, and more) and scores your machine from 0 to 100.

2. Fix

Shell history secrets get scrubbed automatically (with a timestamped backup). Exposed .env files get .gitignore protection. For tokens that need rotation, you get the exact URL and step-by-step instructions for each provider.

3. Verify

Re-scan after fixing and watch your score climb. GhostHunt confirms the cleanup worked so you know you're clean, not just hoping you are.

Claude Desktop
Scan my machine for leaked secrets.
Health Score: 37 | Critical: 3 | Medium: 2 | Auto-fixable: 4

Severity | Secret | Location | Fix
Critical | Stripe Secret Key | .zsh_history | auto-fix
Critical | AWS Secret Access Key | .zsh_history | auto-fix
Critical | OpenAI API Key | .bash_history | auto-fix
Medium | Stripe Secret Key | project/.env | manual
Medium | Database URL with Password | app/.env | manual

Found 5 leaked secrets across 4 locations. 4 can be auto-fixed by cleaning your shell history. The .env secrets need manual key rotation. Want me to fix everything I can?

Claude Desktop
Yes, fix everything you can and show me where to rotate the rest.
Before: 37 | After: 72 | Improvement: +35
Removed Stripe Secret Key from .zsh_history
Removed AWS Secret Access Key from .zsh_history
Removed OpenAI API Key from .bash_history
Added .env to .gitignore in 2 projects
Manual rotation needed:
Stripe Secret Key: Open Stripe Dashboard
Database URL: Update connection string

Backups created before every change. Rotate those two keys manually and re-scan to hit 100.

20+ secret types. Zero config.

GhostHunt knows what to look for and where to look. No setup, no rules files, no YAML.

Cloud Provider Keys

AWS access keys, GCP service accounts, Azure client secrets, DigitalOcean tokens.

💳 Payment Tokens

Stripe secret keys (live and test), PayPal credentials, payment processor tokens.

🕵 AI Provider Keys

OpenAI, Anthropic, and other AI service API keys sitting in your command history.

🔒 Auth Tokens

GitHub PATs, GitLab tokens, npm publish tokens, Docker Hub credentials, JWTs.

🗂 Database Credentials

Connection strings with embedded passwords. PostgreSQL, MySQL, MongoDB, Redis URIs.

🔐 SSH & Private Keys

Exposed private keys, overly permissive file permissions, known_hosts anomalies.

📩 Communication APIs

Twilio auth tokens, SendGrid keys, Slack webhooks, Mailgun credentials.

📑 Platform Secrets

Shopify admin tokens, Heroku API keys, Vercel tokens, Firebase credentials.

🛠 Generic High-Entropy

Catches secrets that don't match any known pattern but look like tokens, using entropy analysis.
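A sketch of the two detection passes that the Scan step and this category describe, pattern matching for known key formats followed by an entropy check on leftover token-like strings, plus the redaction the Fix step applies to shell history. This is an added illustration, not GhostHunt's own code: the regexes are an assumed subset of the kinds of patterns a scanner ships, the 4.0 bits-per-character threshold is an assumed value, and the history lines are constructed.

```python
import math
import re
from collections import Counter

# Assumed subset of known-format patterns (illustrative, not GhostHunt's pattern library).
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe Secret Key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
}
# Token-looking run of 20+ chars; '=' is excluded so "VAR=value" splits at the '='.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score near 5, words and paths score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, entropy_threshold: float = 4.0) -> list:
    """Return (secret type, matched text) findings for one line of shell history."""
    findings, covered = [], []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((name, m.group(0)))
            covered.append(m.span())
    # Entropy pass over runs that no known pattern already explains.
    for m in CANDIDATE.finditer(line):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        if shannon_entropy(m.group(0)) >= entropy_threshold:  # assumed threshold
            findings.append(("Generic High-Entropy", m.group(0)))
    return findings


def scrub_lines(lines: list, placeholder: str = "[REDACTED]") -> list:
    """Return history lines with every finding replaced; back up the file before writing."""
    cleaned = []
    for line in lines:
        for _, secret in scan_line(line):
            line = line.replace(secret, placeholder)
        cleaned.append(line)
    return cleaned


# Constructed sample history, no real credentials (AKIAIOSFODNN7EXAMPLE is AWS's documented dummy id).
SAMPLE_HISTORY = [
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "curl -u sk_test_abcdefghijklmnopqrstuvwx: https://api.stripe.com/v1/charges",
    "ls -la /home/dev/project",
    "export SOME_TOKEN=xK9pQ2mZ7vB4nR8tL3wY6hJ1cF5dG0sA",
]
```

The third sample line shows why the entropy pass is gated on length and character class: ordinary commands and paths never reach the threshold, which keeps the generic detector from flooding the report.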

Built for trust.

Security tools earn trust through transparency. GhostHunt is open source, runs locally, and never phones home.

🔓 100% Local

Every scan runs on your machine. Your secrets never leave your computer. No cloud, no telemetry, no analytics.

📄 Open Source

MIT licensed. Read every line. The entire scanning engine, pattern library, and remediation logic are on GitHub.

💾 Backups First

Before modifying any file, GhostHunt creates a timestamped backup. Every change is reversible.

Run your first scan in 30 seconds.

One command. No signup. No API key. Just answers.

$ npx ghosthunt

Questions? Reach out at [email protected]