The problem
Claude Code is powerful. That's exactly what makes it risky.
Without realizing it, you might:
- Ask Claude to "take a look at" your `.env` file
- Paste an AWS key into the terminal for a quick sanity check
- Let Claude run `cat .env.production`
All of these send your secrets and PII straight to the Anthropic API. Once they leave your machine, they're out of your hands.
And here's the part people miss: you don't have to type secrets into the prompt for them to leak. Claude Code autonomously reads files as context. It might pick up your .env without you asking. That's a vector most developers don't think about.
What sensitive-canary does
sensitive-canary is a zero-config, fully local Claude Code plugin that intercepts secrets and PII before they reach the API. No external servers. No configuration. No API keys.
cat .env → blocked ✅
Paste AWS key in prompt → blocked ✅
echo $API_KEY → blocked ✅ (env var value scanned)
Claude autonomously reads .env → blocked ✅
When a block triggers, you see exactly what was caught:
🐦 sensitive-canary: sensitive data detected — blocked
[Secret] AWS Access Key ID (aws-access-key): AKIA****MPLE
Zero-config. Fully local.
sensitive-canary runs entirely on your machine. Nothing is sent to a third-party service: detection and blocking happen locally, and the plugin itself never phones home.
Install it in two commands and it starts protecting you immediately. No config files, no environment variables, no restart required.
Two hooks, two layers of protection
UserPromptSubmit hook — runs before every prompt is sent to the API. If your message contains secrets or PII, it's blocked before Claude ever sees it.
PreToolUse hook — runs before Claude uses the Read or Bash tool. This is the critical one.
Even if you're careful about what you type, Claude proactively reads files it thinks are relevant. This hook stops that at the source:
- Blocks `.env` and `.env.*` files unconditionally by filename (before contents are ever read)
- Scans file contents before Claude reads them
- Catches inline secrets in Bash commands (`echo AKIAIOSFODNN7EXAMPLE`)
- Looks up env vars referenced in commands and checks their actual values
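To make the PreToolUse side concrete, here is a minimal hook script in the same spirit. It is an added example, not sensitive-canary's own code, and it assumes the Claude Code hook contract as I understand it: a JSON event on stdin with `tool_name` and `tool_input` (`file_path` for Read, `command` for Bash), and exit status 2 to block the call with the stderr message handed back to Claude. The single AWS detector, the `decide` helper and the injected `read_file` are mine.

```python
#!/usr/bin/env python3
"""Minimal PreToolUse hook in the spirit of sensitive-canary (added example,
not the plugin's code). Assumption: Claude Code pipes a JSON event to stdin
with "tool_name" and "tool_input"; Read carries tool_input["file_path"], Bash
carries tool_input["command"]; exit status 2 blocks the tool call and returns
stderr to Claude. Only one detector is wired in to keep the example short."""
import json
import os
import re
import sys
from pathlib import PurePosixPath
from typing import Optional

AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# $VAR or ${VAR}: the forms a POSIX shell expands before echo ever runs
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
SHELL_WORD = re.compile(r"[^\s|;&<>()]+")


def mask(secret: str) -> str:
    """Keep only the first and last four characters, e.g. AKIA****MPLE."""
    return secret[:4] + "****" + secret[-4:] if len(secret) > 8 else "****"


def is_env_file(path: str) -> bool:
    """.env and .env.* are refused by name, before a single byte is read."""
    name = PurePosixPath(path).name
    return name == ".env" or name.startswith(".env.")


def scan_text(text: str) -> list:
    return [f"AWS Access Key ID: {mask(m)}" for m in AWS_ACCESS_KEY_ID.findall(text)]


def expand_env_refs(command: str, env: dict) -> str:
    """Substitute live values for $VAR references so `echo $API_KEY` is
    scanned as the value the shell would print, not the literal name."""
    return ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), command)


def decide(event: dict, env: dict, read_file=None) -> Optional[str]:
    """Return a block reason, or None to allow. read_file is injected so the
    logic can be exercised without touching disk."""
    tool, inp = event.get("tool_name"), event.get("tool_input", {})
    if tool == "Read":
        path = inp.get("file_path", "")
        if is_env_file(path):
            return f"{path}: env file blocked by filename"
        if read_file is not None:
            hits = scan_text(read_file(path))
            if hits:
                return f"{path}: " + "; ".join(hits)
    elif tool == "Bash":
        command = inp.get("command", "")
        for word in SHELL_WORD.findall(command):
            if is_env_file(word):
                return f"{word}: env file blocked by filename"
        hits = scan_text(expand_env_refs(command, env))
        if hits:
            return "; ".join(hits)
    return None


def _read_file(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read(1_000_000)  # cap so a huge file cannot stall the hook
    except OSError:
        return ""


def main() -> int:
    event = json.load(sys.stdin)
    reason = decide(event, dict(os.environ), _read_file)
    if reason is None:
        return 0
    print(f"sensitive-data hook: blocked ({reason})", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main())
```

Registered as a PreToolUse hook for the Read and Bash tools, `decide` is what runs on every call. The real plugin differs in detector count and output shape, but the three checks (filename, file contents, expanded env references) are exactly the ones in the list above.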
What gets detected
29 secret types, sourced from gitleaks and TruffleHog detector definitions:
| Category | Examples |
|---|---|
| Cloud | AWS Access Key ID |
| Source control | GitHub PAT, GitLab PAT, GitHub fine-grained token |
| AI services | Anthropic API key, OpenAI API key / project key |
| Communication | Slack token, Discord webhook, Telegram bot token |
| Payment | Stripe secret/restricted key, credit cards (Luhn-validated) |
| Email services | SendGrid, Mailgun, Mailchimp |
| Auth | JWT, PEM private keys, database connection strings |
PII detection: email addresses, US SSNs, US/JP phone numbers, Japanese postal codes, private IPv4 addresses.
Entropy filtering reduces false positives: API_KEY=placeholder won't trigger a block. The flip side is that a genuinely weak, low-entropy secret (a short dictionary password, say) can pass that same filter, so treat the scanner as a guardrail, not a guarantee.
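As an added example (my code, not the plugin's), the detection ideas from this section in one small scanner: prefix-based patterns for structured secrets, an entropy gate on generic `KEY=value` assignments, a Luhn check on card-number candidates, and the masked display shape shown earlier. The regexes are my own reductions of the kinds of rules gitleaks and TruffleHog publish; the 3.5-bit threshold, the detector names and the sample input are assumptions, not the plugin's values.

```python
"""Detector set in the style the post describes (added example, not
sensitive-canary's code). Patterns, names, the entropy threshold and the
constructed sample are assumptions of this example, not the plugin's."""
import math
import re

# Structured secrets: a fixed prefix makes these unambiguous, no entropy test needed
SECRET_PATTERNS = {
    "aws-access-key": ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "github-pat": ("GitHub PAT", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    "slack-token": ("Slack token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b")),
    "pem-private-key": ("PEM private key",
                        re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
}
# Unstructured KEY=value assignments: only the value's entropy separates a real
# credential from API_KEY=placeholder
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{8,})")
MIN_ENTROPY_BITS = 3.5  # assumption: "placeholder" scores about 3.1, random keys 4+

PII_PATTERNS = {
    "email": ("Email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    "us-ssn": ("US SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    "private-ipv4": ("Private IPv4", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def shannon_entropy(s: str) -> float:
    """Bits per character: a dictionary word sits near 3, a random token above 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that every real card number satisfies."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask(value: str) -> str:
    return value[:4] + "****" + value[-4:] if len(value) > 8 else "****"


def scan(text: str) -> list:
    """Return (category, detector id, display name, masked value) findings."""
    findings = []
    for det_id, (name, pat) in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(("Secret", det_id, name, mask(m.group(0))))
    for m in GENERIC_ASSIGNMENT.finditer(text):
        value = m.group(1)
        if shannon_entropy(value) >= MIN_ENTROPY_BITS:  # drop placeholders
            findings.append(("Secret", "generic-api-key", "Generic API key", mask(value)))
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # a digit run is only a card if the checksum holds
            findings.append(("PII", "credit-card", "Credit card (Luhn)", mask(digits)))
    for det_id, (name, pat) in PII_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(("PII", det_id, name, mask(m.group(0))))
    return findings


def report(text: str) -> list:
    """One line per finding, in the display shape the post shows."""
    return [f"[{cat}] {name} ({det_id}): {masked}" for cat, det_id, name, masked in scan(text)]


# Constructed sample, nothing real: a would-be .env pasted into a prompt
SAMPLE = """AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY=placeholder
DB_PASSWORD=9f8b2c7d4e1a6b3c5d0e7f2a
SUPPORT_EMAIL=alice@example.com
CARD=4111 1111 1111 1111
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run as-is, the sample yields four findings (the AWS key, the high-entropy DB password, the Luhn-valid card and the email) and skips `API_KEY=placeholder`, which is the behaviour the paragraph above describes. Note that the entropy gate applies only to the generic assignment rule: a fixed-prefix pattern such as `AKIA…` is specific enough on its own.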
Install in two commands
Inside a Claude Code session:
/plugin marketplace add coo-quack/sensitive-canary
/plugin install sensitive-canary@coo-quack
No restart, no config files, no API keys. Done.
When you need to share secrets intentionally
Add a tag to your prompt:
[allow-secret] Please review my .env.example — these are sample values
[allow-pii] Here's the user data schema I'm working with
[allow-all] Sanity-check this with test credentials
Tags apply only to the message they appear in. They don't carry over to the next turn.
Summary
| Without sensitive-canary | With sensitive-canary |
|---|---|
| `cat .env` → full contents sent to Claude ❌ | Blocked by filename before Claude reads it ✅ |
| Paste `AKIAIOSFODNN7EXAMPLE` in prompt ❌ | Blocked before the API call ✅ |
| `echo $API_KEY` with live key ❌ | Env var value scanned and blocked ✅ |
| Claude autonomously reads `.env` as context ❌ | Blocked at the PreToolUse hook ✅ |
| Requires setup and external accounts ❌ | Zero-config, fully local, no external calls ✅ |
If you use Claude Code seriously, sensitive-canary is the seatbelt you didn't know you needed.
🔗 Docs: https://coo-quack.github.io/sensitive-canary/
🐙 GitHub: https://github.com/coo-quack/sensitive-canary