API keys in your shell history. Tokens buried in .env files. GhostHunt scans your local environment, auto-cleans what it can, and gives you rotation links for the rest.
Install in Claude Desktop
Download the extension, then double-click to install. That's it.
You'll see a security prompt during setup. That's standard for all community extensions.
MIT licensed. Open source. View source on GitHub.
Ask Claude to scan. It finds the problems, fixes what it can, and proves the cleanup worked.
GhostHunt sweeps your shell history, .env files, config directories, and SSH keys. It matches 20+ secret patterns (AWS, Stripe, OpenAI, GitHub, and more) and scores your machine from 0 to 100.
Shell history secrets get scrubbed automatically (with a timestamped backup). Exposed .env files get .gitignore protection. For tokens that need rotation, you get the exact URL and step-by-step instructions for each provider.
Re-scan after fixing and watch your score climb. GhostHunt confirms the cleanup worked so you know you're clean, not just hoping you are.
Found 5 leaked secrets across 4 locations. 4 can be auto-fixed by cleaning your shell history. The .env secrets need manual key rotation. Want me to fix everything I can?
Backups created before every change. Rotate those two keys manually and re-scan to hit 100.
GhostHunt knows what to look for and where to look. No setup, no rules files, no YAML.
AWS access keys, GCP service accounts, Azure client secrets, DigitalOcean tokens.
Stripe secret keys (live and test), PayPal credentials, payment processor tokens.
OpenAI, Anthropic, and other AI service API keys sitting in your command history.
GitHub PATs, GitLab tokens, npm publish tokens, Docker Hub credentials, JWTs.
Connection strings with embedded passwords. PostgreSQL, MySQL, MongoDB, Redis URIs.
Exposed private keys, overly permissive file permissions, known_hosts anomalies.
Twilio auth tokens, SendGrid keys, Slack webhooks, Mailgun credentials.
Shopify admin tokens, Heroku API keys, Vercel tokens, Firebase credentials.
Catches secrets that don't match known patterns but look like tokens based on entropy analysis.
Security tools earn trust through transparency. GhostHunt is open source, runs locally, and never phones home.
Every scan runs on your machine. Your secrets never leave your computer. No cloud, no telemetry, no analytics.
MIT licensed. Read every line. The entire scanning engine, pattern library, and remediation logic are on GitHub.
Before modifying any file, GhostHunt creates a timestamped backup. Every change is reversible.
For Cursor, Windsurf, or any MCP-compatible client, add this to your config:
Paste into your MCP client's config file, restart, and ask it to scan.
Download, double-click, restart Claude, and ask it to scan. That's it.