Keeping API Keys from Leaking to ChatGPT and Claude

Keeping API Keys from Leaking to ChatGPT and Claude: AI and Protecting Developers' Confidential Information

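Information leaks occur when engineers paste confidential information such as API keys and customer data into ChatGPT, Copilot and similar tools while debugging.

The browser extension "VaultBix" addresses this problem.

It detects more than 45 types of secrets locally, using regular expressions and entropy analysis.

Detection runs entirely inside the browser, and confidential information is not sent to any external server, which preserves privacy and security.

It is drawing attention as an open-source security tool that safely supports developers' everyday use of AI.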

Opening of the original page (English, first three paragraphs only):

system · operational · build / 5.1.7 · scope / 19 hosts · egress / 0 calls · blocked today / 0

Open source · 100% local · no account

Stop pasting API keys into ChatGPT.

VaultBix catches API keys, customer data, and proprietary code before they leave your browser. 100% local. No account.

Open source · No tracking · Works on ChatGPT, Claude, Cursor, Copilot, Gemini, Perplexity + more

For teams: audit logs · SSO · custom rules · coming soon

★ 5.0 chrome web store · 100% local · zero data collection · open source

§02 / The leak surface

Engineers leak secrets into AI tools every day.

Most teams have no defense. "Don't paste sensitive stuff" is not a security strategy. It's a hope.

vector_01 / API keys
AWS keys, OpenAI tokens, GitHub PATs, Stripe live keys: all routinely pasted into ChatGPT for debugging help. Every paste is a one-way leak.
$ grep -r 'sk-' ~/chats/*
→ 47 matches in 12 files

vector_02 / Customer data
PII, customer records, internal IDs, pasted into prompts without thinking about where it ends up.

vector_03 / Proprietary code
Internal architectures, business logic, security implementations: all shipped to AI providers' training pipelines.

74% devs use AI daily · 38% admit pasting secrets · 0 rotation after leak

§03 / Runtime

How VaultBix protects you.

01 /install: Install in 30 seconds
Free Chrome extension. No account. No setup required.
~ chrome web store › add to chrome

02 /scan: We scan, locally
Detects 45+ types of secrets (API keys, JWTs, SSNs, credit cards, private keys) using regex + entropy analysis. 100% local. Nothing sent to any server.
~ regex + shannon entropy · runtime ≈ 1ms

03 /protect: Block, redact, or warn
Choose your sensitivity. Strict mode blocks the request. Balanced warns on critical leaks. You stay in control.
~ policy: strict | balanced | passive

§04 / Pattern library

45 detection patterns and counting.

Each pattern is regex-anchored and entropy-checked. Every false-positive we hear about gets a unit test the same week.

~/vaultbix/detect/patterns.ts · 15 active

API Keys (07 patterns)
  AKIA…  AWS Access Keys
  sk-… sk-proj-  OpenAI Keys
  sk-ant-…  Anthropic Keys
  ghp_…  GitHub PATs
  sk_live_…  Stripe Live Keys
  glpat-…  GitLab Tokens
  xoxb-…  Slack Tokens
  + 10 more patterns →

Credentials (04 patterns)
  eyJ…  JWT Tokens
  postgres://…  DB Connection Strings
  -----BEGIN…  Private Keys (SSH/RSA/PGP)
  Bearer …  Auth Tokens

Personal Data (04 patterns)
  ###-##-####  Social Security Numbers
  4… 5… 3…  Credit Cards (Luhn-validated)
  user@…  Email Addresses
  +1 (###)…  Phone Numbers

§05 / Coverage

Works where you work.

Adding more sites monthly. Request one in our GitHub issues and we'll wire it up.

host_permissions: 19 explicit hosts · no all_urls.

§06 / Privacy posture

Your secrets never leave your browser.

Three claims you can verify yourself. Click through to the file in the repo if you want the receipts.

claim_01 / 100% local detection
All scanning happens in your browser using regex + entropy analysis. We don't send your prompts anywhere. Period.
$ grep -rn 'fetch\|XMLHttpRequest' src/detect/
→ 0 results · zero egress in detection path

claim_02 / Hashed storage
Even your local incident log uses SHA-256 hashes, never the raw secret values. PII gets zero prefix exposure.

claim_03 / Open source
Read the code yourself. Audit our network calls (there are zero for free users). Verify our claims are real.

§07 / Org tier · in design

Building a team plan for engineering orgs.

Centralized policy controls, an org-wide incident dashboard, SSO, audit logs, custom detection rules, and SIEM integration. Coming soon for engineering teams.

vaultbix / team · q3·2026
  01  Centralized policy controls  (planned)
  02  Org-wide incident dashboard  (planned)
  03  SSO (Okta, Google, Entra)  (planned)
  04  Audit logs with hash-only events  (planned)
  05  Custom detection rules  (planned)
  06  SIEM integration (Splunk / Datadog)  (planned)

§08 / Maintainers

Built by two high school seniors.

We're Carl Gao and Max Alexandre. We built VaultBix after watching engineers (including ourselves) paste real production secrets into ChatGPT while debugging.

Five months and 45 detection patterns later, here we are. The product is open source because trust matters more than secrecy when you're in the business of handling secrets.

§09 / Faq

Questions, answered.

If something isn't covered here, ask in our GitHub issues or email [email protected]. We answer fast.

q.01 Is this really 100% local?
Yes. Open the GitHub repo and search for "fetch" or "XHR" calls. The free version makes zero network requests for detection. Only the optional team tier syncs incident metadata (hashes only, never raw values) to a backend.

q.02 Why should I trust a Chrome extension?
We use 19 specific host_permissions (chatgpt.com, claude.ai, etc.), not broad "all_urls". Only "storage" and "tabs" permissions. Open source so you can verify yourself.

q.03 Does this slow down my browser?
No measurable impact. Detection runs in ~1ms per request on the page-world script.

q.04 What about Firefox?
On the roadmap. Chrome first because that’s where adoption is.

q.05 How does this work with Cursor / Claude Code / Windsurf?
Browser-based tools (chatgpt.com, claude.ai, gemini.com) are protected today. IDE-based agents are on the v5.2 roadmap.

q.06 Is the team plan available now?
Coming soon. Email [email protected] to be a design partner.

§10 / install

30 seconds to install. Zero accounts. Zero data leaves your browser.

Note: Out of consideration for copyright, the quotation is limited to the first three paragraphs. See the original article for the rest.
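The excerpt describes patterns that are regex-anchored and entropy-checked, with card numbers Luhn-validated, and a redact option. The sketch below is an added example of that pipeline and is not VaultBix's code; the rule names, regexes, the 3.0-bit entropy threshold and the sample prompt are assumptions constructed here.

```javascript
// Added illustration. Rule names, regexes and the 3.0-bit threshold are
// assumptions for this sketch, not taken from VaultBix's patterns.ts.
const RULES = [
  { type: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g, minEntropy: 3.0 },
  { type: "github_pat", re: /\bghp_[A-Za-z0-9]{36}\b/g, minEntropy: 3.0 },
  { type: "credit_card", re: /\b\d(?:[ -]?\d){12,18}\b/g, luhn: true },
];
// Shannon entropy in bits per character; placeholder strings score low.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}
// Luhn checksum: double every second digit from the right, sum, mod 10.
function luhnValid(digits) {
  let sum = 0;
  [...digits].reverse().forEach((c, i) => {
    const d = Number(c) * (i % 2 ? 2 : 1);
    sum += d > 9 ? d - 9 : d;
  });
  return digits.length > 0 && sum % 10 === 0;
}
// Findings carry only a type and offsets, never the matched value.
function scan(text) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of text.matchAll(rule.re)) {
      if (rule.luhn && !luhnValid(m[0].replace(/\D/g, ""))) continue;
      if (rule.minEntropy && shannonEntropy(m[0]) < rule.minEntropy) continue;
      findings.push({ type: rule.type, start: m.index, end: m.index + m[0].length });
    }
  }
  return findings.sort((a, b) => a.start - b.start);
}
// Replace each finding with a typed marker before the prompt is submitted.
function redact(text) {
  let out = "", pos = 0;
  for (const f of scan(text)) {
    if (f.start < pos) continue; // skip a finding that overlaps the previous one
    out += text.slice(pos, f.start) + `[REDACTED:${f.type}]`;
    pos = f.end;
  }
  return out + text.slice(pos);
}
// Constructed prompt: AWS's documentation example key, a placeholder, a test card.
const SAMPLE = "key=AKIAIOSFODNN7EXAMPLE\nplaceholder AKIAXXXXXXXXXXXXXXXX\n" +
  "card 4111 1111 1111 1111, order id 4111111111111112";
```

The entropy gate is what lets the `AKIAXXXXXXXXXXXXXXXX` placeholder through while the regex alone would flag it, and the Luhn gate does the same for the 16-digit order id.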