API & MCP

SecretScout — API Key & Secret Detector

Detects exposed API keys (OpenAI, AWS, Stripe, GitHub, Google) in a page's DOM, scripts and network. 100% local, no uploads.

As of July 2026, SecretScout — API Key & Secret Detector has users in the Productivity category.

Usersno change0%
Ratingno change0%
— reviews
Reviewsno change0%
Version
0.1.0
Manifest V3

History

1 snapshots

Tracking since Jul 6, 2026.

Not enough history yet for this metric — the chart fills in as we collect more snapshots.
View as table
DateUsersRatingReviewsVersion
Jul 6, 20260.1.0
Now0.1.0

Permissions & access

Permissions
storage
Host access
None declared

Screenshots

SecretScout — API Key & Secret Detector screenshot 1SecretScout — API Key & Secret Detector screenshot 2

About

Catch leaked API keys before they cost you.

SecretScout is a lightweight security tool that watches the pages you open and warns you the moment one exposes something that looks like a real API key or secret — whether it's hardcoded in the page's source or flying past in a network response. It's the passive safety check that runs while you browse, so a forgotten key on a staging site, an internal dashboard, or a client's web app never slips by unnoticed.

Built for developers, security engineers, and anyone who takes credential hygiene seriously.

WHAT IT DETECTS
SecretScout ships with detection rules for the most commonly leaked secret formats:
- OpenAI API keys (sk-…)
- AWS access key IDs (AKIA…)
- Stripe secret keys (sk_live_…)
- GitHub tokens (ghp_…)
- Google API keys (AIza…)
…and more patterns are added over time.

WHERE IT LOOKS
Most scanners only read the visible page. SecretScout inspects three surfaces where secrets actually leak:
- The DOM — the rendered HTML of the page.
- Inline scripts — configuration and bootstrap code embedded directly in the page.
- Network responses — the bodies of fetch() and XMLHttpRequest calls the page makes, where keys are frequently exposed in JSON payloads.

HOW IT WORKS
- A badge on the toolbar icon shows how many potential secrets were found on the current page.
- Click the icon to see each finding listed by service, with the key partially masked — first 6 and last 4 characters, e.g. sk-pro…7dc — so you can recognize it without re-exposing it.
- Detection runs automatically as you browse and re-checks dynamic pages as they change.

PRIVATE BY DESIGN
This is what matters most for a tool that reads page content:
- Everything runs 100% locally in your browser. There is no server, no account, and no sign-in.
- Nothing is ever uploaded — not the page, not its URLs, not the detected keys.
- Only a masked summary is kept, only for the current page, and it is cleared automatically when you navigate away or close the browser. The full key is never stored.
- No tracking, no analytics, no advertising.

WHY IT'S USEFUL
- Audit your own apps before you ship — catch a hardcoded key in a bundle or an API response during development.
- Review client or vendor sites during a security assessment with zero setup.
- Get a quiet early warning whenever a site you visit leaks credentials in the open.

PRO (COMING SOON)
A future upgrade will add:
- An expanded ruleset covering 50+ services and token formats.
- Per-domain leak history, so you can track what a site exposed over time.
- Export to CSV and JSON for reporting and record-keeping.
The free version stays free and fully local.

PERMISSIONS, EXPLAINED
SecretScout asks only for what it needs to do its single job:
- Host access lets its content scripts read the pages you visit and scan them for exposed secrets — scanning cannot happen without it.
- Storage is used only to hold the current page's masked findings so the badge and popup can display them.
It does not request access to your tabs, history, or bookmarks, and it makes no external network requests with your data.

A NOTE ON FALSE POSITIVES
SecretScout flags strings that match known key formats. A match means "this looks like a secret and is visible on this page" — always verify before acting. Finding a key here usually means it is exposed to anyone who views the page, which is exactly what you want to know.

Install SecretScout and get a private, always-on guard against one of the most common — and most expensive — mistakes on the web: a secret left out in the open.

Technical

Version
0.1.0
Manifest
V3
Size
14.05KiB
Min Chrome
88
Languages
1
Featured
No

Metadata

ID
lgoccdnjloaddpljhiekgaboalmdahim
Developer ID
ub99ebe2a3c6a5582ca970592f0961630
Developer Email
[email protected]
Created
Jul 5, 2026
Last Updated (Store)
Jul 5, 2026
Last Scraped
Jul 6, 2026
Website

Data sourced from the Chrome Web Store · last verified Jul 6, 2026.