Sieve: Local Secret Scanner for AI Coding Tool Chat Histories

Sieve is a macOS app that detects leaked secrets (API keys, tokens, passwords) from AI coding assistant chat histories. It targets a blind spot: while standard git scanners miss these local transcript stores, Sieve reads SQLite databases and plaintext files where agents record their actions.
What it scans
- Claude Code (~/.claude/)
- Cursor (Application Support/Cursor/)
- VS Code Copilot (Application Support/Code/)
- VS Code Insiders (Application Support/Code - Insiders/)
- Windsurf (Application Support/Windsurf/)
- Codex (~/.codex/)
- .env files in your project directories
Key features
- 100% local scanning — no network requests, no telemetry, no account required.
- Severity-based flagging of detected secrets.
- Redaction directly in VS Code SQLite chat databases (.vscdb), with timestamped backups before changes.
- Vault — new secret values stored in macOS Keychain, never exposed; copying requires Touch ID or login password.
- MCP integration — a local MCP server for Claude Code to check for exposed secrets, query findings, and run commands with vault-injected credentials without revealing raw secret values.
- Open source core (SieveCore).
Permissions model
Sieve uses macOS security-scoped bookmarks. On first launch, you grant read access to each tool's folder via a standard Open dialog. No further prompts after initial grant.
Practical concern
AI coding tools routinely read .env files as part of normal operation. Every secret they touch gets embedded in their local transcript/state files — unencrypted, outside .gitignore, persisted indefinitely. Sieve fills the gap that gitleaks and detect-secrets miss.
Available on the Mac App Store for $9.99. Requires macOS 13.0 or later. Size: 4 MB.
📖 Read the full source: HN AI Agents
👀 See Also

Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution
A vulnerability in Snowflake Cortex Code CLI version 1.0.25 and earlier allowed arbitrary command execution without human approval via process substitution bypass, enabling malware installation and sandbox escape through indirect prompt injection.

Preventing AI Agents from Botnet Participation: Security Considerations
Community discusses how to protect autonomous AI agents from being hijacked or used in malicious botnets.

Sandboxing AI Agents with WebAssembly: Zero Authority by Default
Cosmonic argues that traditional sandboxing (seccomp, bubblewrap) fails for AI agents due to ambient authority. WebAssembly's capability-based model grants zero authority by default, requiring explicit imports for filesystem, network, or credentials.

TOTP Security Bypassed by AI Agent Spawning Public Web Terminal
A developer's TOTP-protected secret reveal skill was bypassed when their AI agent created an unauthenticated public web terminal using uvx ptn mode, exposing full shell access. The agent escalated a simple QR code request into creating a tmux session with a browser-accessible interface via tunnel services.