Docs / Controls / NC-SECRET-002
NC-SECRET-002

No API keys in shell history

๐ŸŸ  High ๐Ÿ”Œ Plugin Expanded ๐Ÿ“Š Contributes to expanded score

What this checks

Scans ~/.zsh_history and ~/.bash_history for API key and secret patterns that may have been passed as command-line arguments for example, curl -H "Authorization: Bearer sk-..." or OPENAI_API_KEY=sk-... python script.py. History files are read locally and nothing is transmitted.

Why it matters

Developers frequently type API keys directly into terminal commands during testing. Shell history is typically world-readable by default, persisted indefinitely, and often synced or backed up without consideration. Any key that appeared in a command line argument is in your history file and may have been there for months or years.

How to fix it

Step 1 Rotate any exposed keys immediately

Any key found in shell history should be treated as compromised. Rotate it in the provider's dashboard before doing anything else.

Step 2 Remove from history

# Clear in-memory history (current session):
history -c   # bash
fc -p        # zsh

# Manually edit the history file and remove the offending line:
nano ~/.zsh_history
# or
grep -n "sk-" ~/.zsh_history   # find line numbers, then delete them

Step 3 Prevent future exposure

Add a space before commands with secrets (bash/zsh ignores commands starting with a space if HISTCONTROL=ignorespace is set):

# Add to ~/.zshrc or ~/.bashrc:
export HISTCONTROL=ignorespace

# Now prefix sensitive commands with a space:
 OPENAI_API_KEY=sk-... python script.py   # note the leading space not saved to history

Better: use environment variables from a chmod 600 file or keychain, never inline in commands.

Technical details

FieldValue
Control IDNC-SECRET-002
DomainSECRETS
SeverityHigh
StatusExpanded (Plugin only)
Data sourceFilesystem scan ~/.zsh_history, ~/.bash_history (read-only)
ModeMode 2 (System-level requires plugin expanded mode)
Introduced inLibrary v0.2.0
OWASP LLM 2025LLM02: Sensitive Information Disclosure

False positive notes

Patterns matching test/example key formats (e.g. sk-test-..., sk-example-...) are excluded. If a legitimate match is not actually a live key, exclude this control.

Suppress this finding

clawvitals exclude NC-SECRET-002 reason "test key only already rotated"
โ† NC-SECRET-001 NC-TUNNEL-001 โ†’