← Back to blog

How to Scan Your AI Chat History for Leaked Secrets

· Pierre
AI secret scanning AI prompt security ChatGPT data leakage Claude Code secrets AI DLP shadow AI security developer AI security

How to Scan Your AI Chat History for Leaked Secrets

Every developer has done it. You're debugging a failing deployment, so you paste the error log into ChatGPT — along with the connection string that has your production database password embedded in it.

Or you ask Claude Code to fix an API integration, and the context window scoops up the .env file with your AWS access key.

Or you upload a config file to Cursor so it can help refactor your infrastructure code, and that config contains your Stripe live key.

Nobody does this on purpose. It happens because AI tools are fast, context windows are greedy, and developers are focused on the problem, not the prompt.

The numbers back this up. According to Lasso Security's analysis of enterprise AI traffic, 13% of all AI prompts contain sensitive data (Lasso Security, 2025). Nightfall AI's research found that 96.4% of the secrets detected in AI traffic are API keys and passwords — not vague "sensitive data," but actual credentials that enable lateral movement (Nightfall AI, 2025).

And it's getting worse. Netskope's 2025 Cloud and Threat Report found that the average enterprise sees 223 policy violations per month involving sensitive data sent to AI apps — a number that doubled year-over-year (Netskope, 2025).

The Problem: You Can't Audit What You Can't See

Here's the uncomfortable truth: most teams have no idea what their AI tools are sending.

When you use ChatGPT in a browser, your prompts go to OpenAI's API over HTTPS. Your network monitoring sees a connection to api.openai.com and a payload size. That's it. Not the prompt content. Not the secrets embedded in it.

When a developer runs Claude Code from the terminal, it sends requests to api.anthropic.com. Your browser extensions don't see it — it's not a browser. Your DLP endpoint agent might not see it — it's an HTTPS API call that looks like any other.

When a CI/CD pipeline uses an AI SDK to generate test data or review pull requests, there's no human in the loop at all. Our telemetry shows 51.4% of AI requests come from programmatic sources — Node.js scripts, HTTP client libraries, and automated agents (CitrusGlaze Telemetry).

That means more than half of AI traffic is invisible to browser-based monitoring tools. Harmonic Security's browser extension? It sees browser-based AI tools. LayerX's browser agent? Same. They both miss the terminal, the CLI, the SDK, the agent.

What Actually Leaks (and How)

From analyzing 26,000+ intercepted AI requests with CitrusGlaze's MITM proxy, here's what we see:

1. API Keys Pasted Directly in Prompts

The most common leak. A developer asks an AI tool to help debug an API integration and pastes the full error output, which includes the API key in the request URL or headers.

"Help me fix this error:
curl -H 'Authorization: Bearer sk-ant-api03-REDACTED...'
  https://api.anthropic.com/v1/messages
  -d '{"model": "claude-opus-4-20250514"...}'
Error: 429 Too Many Requests"

The AI tool doesn't need your API key to help debug a rate limit error. But it gets it anyway because you pasted the full curl command.

2. Connection Strings in Code Context

AI coding assistants pull surrounding code into their context windows automatically. If your database connection string is defined three files up from where you're editing, it might still end up in the prompt.

DATABASE_URL=postgresql://admin:[email protected]:5432/production

You didn't paste this. Your AI tool's context engine did.

3. Environment Variables in Error Logs

Stack traces and error logs frequently contain environment variable values, especially in frameworks that dump the full environment on crash.

4. Private Keys in Configuration Files

Developers asking AI tools to help with SSH, TLS, or signing configuration sometimes include the actual private key material.

5. Credentials in Infrastructure-as-Code

Terraform files, Kubernetes secrets (base64-encoded, not encrypted), and cloud formation templates frequently contain credentials that end up in AI prompts during refactoring or troubleshooting sessions.

How to Actually Scan for This

There are three approaches, ranked by completeness.

Approach 1: Export and Grep (Manual, Limited)

Some AI tools let you export your chat history. ChatGPT has a "Download my data" feature. You can then run pattern matching against the exports.

# Look for AWS access keys
grep -r "AKIA[0-9A-Z]{16}" ./chatgpt-export/

# Look for private keys
grep -r "BEGIN.*PRIVATE KEY" ./chatgpt-export/

# Look for common secret patterns
grep -rE "(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|glpat-[a-zA-Z0-9-]{20})" ./chatgpt-export/

Problems: This only catches what you can export. CLI tools like Claude Code don't have chat export. Automated API calls leave no downloadable history. You're pattern-matching after the fact — the secret already reached the AI provider.

Approach 2: Browser Extension DLP (Partial)

Tools like Harmonic Security, Nightfall AI, and Strac provide browser extensions that monitor what you type or paste into AI web interfaces.

Harmonic's research shows 26% of file uploads to AI chatbots contain sensitive information (Harmonic Security, 2025). Their extension catches these before they're sent.

Problems: Browser-only. Misses CLI tools (Claude Code, GitHub Copilot CLI), SDK calls (LangChain, OpenAI SDK), agent frameworks, and CI/CD pipelines. In our telemetry, browser-based AI tools account for a minority of total requests. Over 51% of AI traffic comes from non-browser sources (CitrusGlaze Telemetry).

Approach 3: Network-Layer MITM Proxy (Complete)

A MITM (man-in-the-middle) proxy sits between all applications on your machine and the internet. Every HTTPS request gets decrypted, inspected, and re-encrypted before forwarding. This catches everything: browsers, CLIs, SDKs, agents, scripts, CI pipelines.

This is what CitrusGlaze does. Here's how to set it up:

# Install CitrusGlaze (macOS)
bash install.sh

# Start the proxy
citrusglaze start

# That's it. Every AI request from every application on your machine
# now gets scanned for 210+ secret patterns in real-time.

What happens under the hood:

  1. CitrusGlaze starts a local proxy on port 8888
  2. It generates a local root CA certificate and adds it to your system trust store
  3. All HTTPS traffic to AI provider domains gets intercepted
  4. The Rust-based secret detection engine scans every request body for 210+ patterns
  5. Matches are logged with severity (Critical/High/Medium/Low) and confidence scores
  6. The macOS menu bar app shows a real-time dashboard of all AI traffic

The scan covers:

Category Patterns Examples
Cloud credentials 25+ AWS keys (AKIA*), GCP service accounts, Azure secrets
AI service keys 15+ OpenAI (sk-*), Anthropic, Cohere, Mistral keys
Version control tokens 10+ GitHub PAT (ghp_*), GitLab, Bitbucket tokens
Private keys 5+ RSA, EC, PGP private keys
Database connection strings 8+ PostgreSQL, MySQL, MongoDB, Redis URIs
Payment credentials 8+ Stripe (sk_live_*), PayPal, Square tokens
Generic high-entropy secrets 5+ Shannon entropy detection for unknown formats

Detection runs in Rust — pattern matching at wire speed with zero copy overhead.

What to Do When You Find Leaked Secrets

If you scan and find secrets that were sent to AI providers, here's the remediation playbook:

1. Rotate immediately. Every credential that appeared in an AI prompt should be treated as compromised. Rotate the key, token, or password. This is not paranoia — AI providers store prompt data for model training, debugging, and abuse monitoring. Your secret is now in someone else's system.

2. Check access logs. For each leaked credential, review the access logs of the associated service. Was the credential used from an unexpected IP or location after the leak? AWS CloudTrail, GitHub audit logs, and Stripe dashboard all provide this.

3. Scope the blast radius. An AWS access key might have AdministratorAccess. A database connection string might point to production. Understand what each leaked credential could do in the wrong hands.

4. Prevent recurrence. This is where real-time scanning matters. After-the-fact discovery means the secret already left your network. A MITM proxy can catch it before it reaches the AI provider and either block the request or redact the secret.

The Cost of Not Scanning

IBM's 2025 Cost of Data Breach Report puts the average data breach cost at $4.44 million. When shadow AI is involved, that figure increases by $670,000 (IBM, 2025).

And 97% of organizations using AI lack access controls to prevent AI-related data breaches (IBM, 2025).

The math is simple. The average enterprise sees 223 sensitive data violations per month through AI tools. At some point, one of those violations involves a production credential. At some point, that credential gets used. The median time to detect a credential-based breach is 292 days.

Scanning your AI traffic takes 5 minutes to set up. Not scanning it is a bet that none of your developers will ever paste a production secret into an AI tool. That's not a bet I'd take.

Why Most "AI Security" Tools Don't Solve This

The enterprise AI security market is booming — Netskope, Zscaler, Palo Alto, Cisco, and others all sell AI security products. But they share a common architecture: your AI traffic gets routed through their cloud for inspection.

Netskope inspects your prompts in their cloud. Zscaler processes them through their Zero Trust Exchange. Palo Alto runs them through Prisma AIRS.

The irony writes itself: to protect your secrets from leaking to AI providers, you leak your secrets to a security vendor.

These tools also cost $200-536/user/year (Netskope pricing), with deployment timelines measured in months, not minutes.

CitrusGlaze takes a different approach:

  • Local-first: Your prompts never leave your device. Scanning happens on your machine.
  • Network-level: Catches CLI tools, SDKs, agents, and scripts — not just browsers.
  • 5-minute install: One command. No network infrastructure changes. No cloud configuration.
  • $10/user/month: Not $500/user/year.

Start Scanning

# Install and start scanning in under 5 minutes
bash install.sh
citrusglaze start

Your AI tools are sending more than you think. The question isn't whether your team has leaked a secret into an AI prompt. The question is whether you know about it.

Sources: Lasso Security 2025, Nightfall AI 2025, Harmonic Security 2025, Netskope Cloud & Threat Report 2025, IBM Cost of Data Breach Report 2025, CitrusGlaze Telemetry (26,565 intercepted requests)

CitrusGlaze is an open-source AI traffic proxy. See every AI request. Block what's dangerous. Keep what's productive.

← All posts Try CitrusGlaze →