Ghosthunt
@78degrees
Find every leaked secret on your machine. Scans .env files, shell history, and config directories for API keys, tokens, and credentials. 35+ patterns including AWS, Stripe, GitHub, OpenAI, and more. Everything runs locally. Zero network calls.
Overview
What is Ghosthunt?
Ghosthunt is an MCP server that scans your development machine for API keys, tokens, and credentials hiding in places like .env files, shell history, AWS/SSH/Docker configs, and more. Everything runs locally with no data leaving your machine.
How to use Ghosthunt?
Add Ghosthunt to your Claude Desktop config by specifying npx -y ghosthunt as the MCP server command, then ask Claude to scan for secrets. You can also run it directly from the terminal via npx ghosthunt. Two tools are available: scan_secrets for a full detailed scan and scan_summary for a quick health check.
Key features of Ghosthunt
- Scans 35+ secret patterns across common config files.
- Recursively finds
.envfiles under your home directory. - Checks shell history for pasted API keys.
- Reports severity ratings and remediation steps for each finding.
- Provides a health score (0–100) based on secret severity.
- Fully local: no data sent to any server or internet access.
Use cases of Ghosthunt
- Quickly assess if your machine has leaked credentials that need rotation.
- Perform a privacy-safe audit before sharing or deploying a project.
- Identify secrets accidentally committed or pasted into shell history.
- Get a one-click health check via Claude before starting security work.
FAQ from Ghosthunt
Does Ghosthunt send my data anywhere?
No. Ghosthunt runs entirely on your local machine. It does not send any data to any server, phone home, track usage, or access the internet. Scan results stay only in your Claude conversation.
What does Ghosthunt scan?
Ghosthunt scans environment files (.env, .env.local, etc.), AWS credentials, SSH keys, Docker config, npm/PyPI tokens, GitHub CLI OAuth tokens, shell history (bash, zsh, fish), Kubernetes config, netrc passwords, and more than 35 secret patterns including providers like AWS, Stripe, GitHub, OpenAI, Anthropic, Google, Slack, and Twilio.
How do I run a scan with Ghosthunt?
You can add Ghosthunt to Claude Desktop’s MCP configuration and ask Claude to “scan my machine for leaked secrets”. Alternatively, run npx ghosthunt directly from your terminal. Use scan_secrets for a full report or scan_summary for a quick health check.
What do the health scores mean?
Your score starts at 100 and is reduced based on finding severity: critical (−15), high (−8), medium (−3), and low (−1). A score below 50 indicates secrets that need immediate attention.
What should I do if Ghosthunt finds critical secrets?
Rotate critical secrets immediately from the provider’s dashboard. Clear your shell history of sensitive commands. Ensure your .env files are in .gitignore and audit them for any that should not be committed.