Item logo image for SecretScout — API Key & Secret Detector

SecretScout — API Key & Secret Detector

ExtensionTools
Item media 2 (screenshot) for SecretScout — API Key & Secret Detector
Item media 1 (screenshot) for SecretScout — API Key & Secret Detector
Item media 2 (screenshot) for SecretScout — API Key & Secret Detector
Item media 1 (screenshot) for SecretScout — API Key & Secret Detector
Item media 1 (screenshot) for SecretScout — API Key & Secret Detector
Item media 2 (screenshot) for SecretScout — API Key & Secret Detector

Overview

Detects exposed API keys (OpenAI, AWS, Stripe, GitHub, Google) in a page's DOM, scripts and network. 100% local, no uploads.

Catch leaked API keys before they cost you. SecretScout is a lightweight security tool that watches the pages you open and warns you the moment one exposes something that looks like a real API key or secret — whether it's hardcoded in the page's source or flying past in a network response. It's the passive safety check that runs while you browse, so a forgotten key on a staging site, an internal dashboard, or a client's web app never slips by unnoticed. Built for developers, security engineers, and anyone who takes credential hygiene seriously. WHAT IT DETECTS SecretScout ships with detection rules for the most commonly leaked secret formats: - OpenAI API keys (sk-…) - AWS access key IDs (AKIA…) - Stripe secret keys (sk_live_…) - GitHub tokens (ghp_…) - Google API keys (AIza…) …and more patterns are added over time. WHERE IT LOOKS Most scanners only read the visible page. SecretScout inspects three surfaces where secrets actually leak: - The DOM — the rendered HTML of the page. - Inline scripts — configuration and bootstrap code embedded directly in the page. - Network responses — the bodies of fetch() and XMLHttpRequest calls the page makes, where keys are frequently exposed in JSON payloads. HOW IT WORKS - A badge on the toolbar icon shows how many potential secrets were found on the current page. - Click the icon to see each finding listed by service, with the key partially masked — first 6 and last 4 characters, e.g. sk-pro…7dc — so you can recognize it without re-exposing it. - Detection runs automatically as you browse and re-checks dynamic pages as they change. PRIVATE BY DESIGN This is what matters most for a tool that reads page content: - Everything runs 100% locally in your browser. There is no server, no account, and no sign-in. - Nothing is ever uploaded — not the page, not its URLs, not the detected keys. - Only a masked summary is kept, only for the current page, and it is cleared automatically when you navigate away or close the browser. The full key is never stored. - No tracking, no analytics, no advertising. WHY IT'S USEFUL - Audit your own apps before you ship — catch a hardcoded key in a bundle or an API response during development. - Review client or vendor sites during a security assessment with zero setup. - Get a quiet early warning whenever a site you visit leaks credentials in the open. PRO (COMING SOON) A future upgrade will add: - An expanded ruleset covering 50+ services and token formats. - Per-domain leak history, so you can track what a site exposed over time. - Export to CSV and JSON for reporting and record-keeping. The free version stays free and fully local. PERMISSIONS, EXPLAINED SecretScout asks only for what it needs to do its single job: - Host access lets its content scripts read the pages you visit and scan them for exposed secrets — scanning cannot happen without it. - Storage is used only to hold the current page's masked findings so the badge and popup can display them. It does not request access to your tabs, history, or bookmarks, and it makes no external network requests with your data. A NOTE ON FALSE POSITIVES SecretScout flags strings that match known key formats. A match means "this looks like a secret and is visible on this page" — always verify before acting. Finding a key here usually means it is exposed to anyone who views the page, which is exactly what you want to know. Install SecretScout and get a private, always-on guard against one of the most common — and most expensive — mistakes on the web: a secret left out in the open.

Details

  • Version
    0.1.0
  • Updated
    July 5, 2026
  • Offered by
    fullkycchecks
  • Size
    14.05KiB
  • Languages
    English (United States)
  • Developer
    RVDH Interim Management B.V.
    Linnaeuslaan 26 Veenendaal 3903 GS NL
    Email
    info@getcompliant.online
  • Non-trader
    This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.

Privacy

Manage extensions and learn how they're being used in your organization
The developer has disclosed that it will not collect or use your data. To learn more, see the developer’s privacy policy.

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes

Support

For help with questions, suggestions, or problems, visit the developer's support site

Google apps