You pasted a failing curl into Copilot chat to ask why it returns 401. The paste included the Authorization: Bearer eyJhb... header. Your token is now in the Copilot request log, and — depending on your org's settings — in a model provider's cache too. You didn't "leak" it in the old sense. No commit, no push, no public repo. But it left your machine.
This is the new leak vector. It's faster than git, it's invisible to repo scanners, and it's triggered by the exact behavior developers are told to do: "just paste the error into the assistant."
This is a playbook for closing the gap without turning AI assistants off.
The new vector nobody had in their threat model
Traditional secret hygiene assumes the attack surface is the repository. Pre-commit hooks, server-side scanners, push protection — all of these defend the moment code enters version control. AI assistant exposure happens before that. The prompt crosses the network seconds after you hit Cmd-V. The completion lands in your buffer before you save. The drag-and-drop ships the file before the scanner's next pass.
The new perimeter is the clipboard and the file picker. Anything that relies on catching secrets at commit time is one generation behind where the leakage is actually happening.
How an AI assistant actually sees your secrets
Four quiet pathways, all triggered by normal developer behavior:
-
Prompt paste. You copy an error from the terminal that still contains an
Authorization:header and paste it into the assistant to ask "why does this fail?" -
File drag. You drag
.env.local, a curl dump, or a log file into the assistant's context so it can "look at the real failure." - Completion echo. The model's training set memorized a lookalike token and suggests it inside your file. You accept the suggestion and it's now in your repo.
- Telemetry tail. Even when the prompt looked clean, the raw request body often still contains surrounding context — including the line after the one you meant to highlight.
None of these require a malicious assistant. Every one happens when a well-intentioned developer is trying to get unstuck quickly. That is exactly what makes the failure mode so persistent: the incentives push the wrong way.
The four failure modes, in order of frequency
From what we see in developer workflows, the same four patterns account for most accidental assistant exposures.
1. "Here is the error, help me fix it." The fastest way to get unblocked is to paste the whole failure. The whole failure often includes the request, the headers, and the body. One of those is almost always a bearer token.
2. "Look at this config and tell me what is wrong." Config files contain secrets by definition. Dragging .env, docker-compose.yml, or a Terraform var file into an assistant hands over every credential in one move.
3. Accepted completions that memorized a key. Models occasionally regurgitate high-entropy strings that look like plausible values. If you accept the suggestion, the key lands in your repo — and if it ever matched a real one, you now have a secret you did not even type.
4. Shared transcripts. Assistant UIs make it easy to share a thread with a teammate. The thread often contains the paste from failure mode #1. Now the token is in two chat histories instead of one.
Every one of these failures starts upstream of the assistant. The assistant is the amplifier. The fix has to live where the copy happens, not where the paste lands.
The quarantine pattern: block at paste, not at push
Outright blocking every suspicious value breaks flow and trains developers to disable the tool. The pattern that sticks is quarantine: when a secret-shaped value lands on the clipboard, it silently goes into a separate vault instead of the default history. Pasting still works for the last non-secret value. The suspect item is reachable on demand with an explicit opt-in.
Five principles:
- Capture on clipboard change, not on keystroke. The only moment the full value is guaranteed to exist in one piece is when it lands on the clipboard.
- Run shape detectors locally and fast. Regex plus entropy plus known prefixes. No ML, no round-trip. A secret classifier that needs a network call is a classifier that will be turned off.
- Quarantine, do not delete. Deletion is loud and lossy. Quarantine keeps the value reachable for the 1% of cases where you actually meant to paste it — and invisible for the 99% where you didn't.
- Notify once, unobtrusively. A small, non-blocking notification is the ideal UX. Loud modals train people to dismiss them reflexively.
- Audit weekly. The quarantine is your "things I almost leaked" inbox. A one-minute weekly review is enough to catch drifting habits before they become incidents.
Shape detectors that actually work in 2026
A practical secret classifier is a small bundle of rules, not a model. Here are the categories every developer-facing clipboard layer should recognize.
| Category | Shape clue | Why it matters for AI paste |
|---|---|---|
| Provider tokens |
ghp_, github_pat_, sk-, xoxb-, AKIA, AIza
|
Most commonly regurgitated by assistants |
| JWTs / bearer tokens | Three base64url segments separated by .
|
Ship inside Authorization headers |
| Private keys |
-----BEGIN ... PRIVATE KEY----- blocks |
Drag-and-drop of key files into assistants |
| Database URLs |
postgres://user:pass@host, mongodb+srv://...
|
Password-in-URL strings leak on connection errors |
| Env-var dumps | Multi-line KEY=value with high-entropy values |
The canonical "paste my .env" failure mode |
| High-entropy blobs | Length ≥ 32, Shannon entropy ~3.5+, no whitespace | Safety net for unknown token formats |
Every rule above runs in under a millisecond on a modern laptop. There is no excuse for doing detection in the cloud.
The three-layer workflow
A realistic 2026 defence is not a single tool. It is three layers that overlap:
Layer 1 — Clipboard quarantine. Detect and divert secret-shaped items the moment they land on the clipboard, before any editor, prompt box, or drag-and-drop handler can see them.
$ cg vault list
1 [quarantined] gh**********************YwK3 (2m ago)
2 [quarantined] sk-************************Qa (14m ago)
3 [quarantined] postgres://***:***@db... (1h ago)
Layer 2 — Editor awareness. Configure your assistant to exclude .env*, private keys, and anything under a secrets/ directory from both chat context and completion.
# .cursorignore / .copilotignore
.env
.env.*
**/secrets/**
**/*.pem
**/*.key
logs/*.log
Layer 3 — Repo-level scanning. Keep pre-commit hooks, push protection, and server-side scanning on. They are still your last line for the cases layers 1 and 2 miss.
pre-commit install
gh repo edit --enable-secret-scanning
gh repo edit --enable-push-protection
Any one of these layers is better than none. All three together make the accidental exposure path effectively closed for day-to-day work, while leaving the deliberate "I know what I am doing" path open.
Where ClipGate fits
ClipGate runs at Layer 1. Every clipboard copy is inspected locally against the shape detectors above. Anything that matches goes into the quarantine vault instead of the default history, with a small notification and an explicit command to retrieve it. Nothing leaves your machine. No telemetry, no sync, no account.
The short version: stop secrets at the clipboard, not at the commit. That is where AI assistants actually read from — and it is the one layer where a fast, local detector is the right answer.
FAQ
Q: Can GitHub Copilot or Cursor leak my API keys?
A: Not by design, but yes in practice. If a key lands in a file the assistant indexes, or in a prompt you type, it can show up in completions, be sent to the inference endpoint, or end up cached in telemetry. The cleanest defence is to never let the key touch the editor or the clipboard in a form the assistant can read.
Q: Are AI assistants actually a bigger leak vector than traditional commits?
A: They are a faster one. Traditional commits leave git history you can audit. Assistant prompts and completions are ephemeral and often cross the network before any scanner has a chance to flag them. The exposure window can be measured in seconds.
Q: Does a clipboard manager help if the secret is already in the editor?
A: It helps upstream: most editor exposures start with a paste. If the clipboard layer quarantines secret-shaped items before they ever hit the editor buffer, the assistant cannot see what was never there.
Q: Do I need a separate vault for secrets, or is my password manager enough?
A: Password managers are optimized for login credentials, not for the throwaway tokens developers juggle all day. A dedicated secret quarantine in the clipboard layer catches the category of values that never should have been copied at all.
Q: Is local-only enough, or do I also need secret scanning on my repos?
A: Both. Repo scanning catches what already landed in git. Local clipboard hygiene catches what never should have left the workstation. Defence in depth means the same token gets blocked at paste time, at commit time, and at push time.
Install ClipGate
Works on macOS, Linux, and Windows. Chrome extension optional. No account, no cloud.
Originally published on the ClipGate blog.
Top comments (0)