npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@claude-code-hooks/secrets

v0.1.13

Published

Claude Code hook that warns (or blocks) when secret-like tokens appear in tool inputs.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

beefikerbeefiker

Keywords

claudeclaude-codehookssecretstokens

Readme

@claude-code-hooks/secrets

A Claude Code hook package that helps users feel safer by warning when secret-like tokens appear in tool inputs — and optionally scanning staged git files before commits.

Language / 언어: English (main) · 한국어 (sub) — 한국어 안내는 루트 문서 하단에 포함되어 있습니다.

This is intentionally high-signal and lightweight: it detects only a few patterns that are commonly accidental leaks.

Part of the claude-code-hooks monorepo.

Contributing · Security Policy · Releasing · License

Install / run

npx @claude-code-hooks/secrets@latest

Project config: claude-code-hooks.config.json

Uses the same project config file as other packages.

Minimal schema:

{
  "secrets": {
    "mode": "warn",
    "enabledEvents": ["PreToolUse", "PermissionRequest"],
    "scanGitCommit": false,
    "ignore": { "regex": [] },
    "allow": { "regex": [] }
  }
}
  • scanGitCommit: when true, intercepts git commit commands on PreToolUse and scans staged files (via git diff --cached) for secret patterns. Default: false.
  • allow.regex: if any pattern matches, findings are suppressed
  • ignore.regex: if any pattern matches, findings are suppressed and a dim note is printed

Modes

  • warn (default): prints warnings to stderr, exits 0
  • block: exits 2 only for HIGH confidence findings (private key material)

Git commit scanning

When scanGitCommit is enabled and Claude tries to run a git commit command (detected via PreToolUse), the hook will:

  1. Run git diff --cached --name-only --diff-filter=ACM to list staged files
  2. Skip binary files and excluded directories (node_modules, .git, dist, etc.)
  3. Scan each file against an expanded set of secret patterns
  4. Merge file-level findings with the standard payload scan

File-level patterns include everything from the payload scanner plus:

  • Google API keys (AIza...)
  • Stripe secret keys (sk_live_..., rk_live_...)
  • Twilio API keys
  • SendGrid API keys (SG.xxx.xxx)
  • npm tokens (npm_...)
  • PyPI tokens (pypi-...)
  • Database connection strings with embedded credentials
  • Generic secret=, token=, password= assignments with high-entropy values

Blocking behaviour is the same: only HIGH severity findings (private key material) trigger exit 2 in block mode.

Commands

claude-secrets list-events
claude-secrets run --event PreToolUse --mode warn
claude-secrets doctor

What it detects (v0.1)

  • HIGH: -----BEGIN (RSA|OPENSSH|EC|PGP|DSA|ENCRYPTED) PRIVATE KEY-----
  • MED: OpenAI sk-..., GitHub ghp_... / github_pat_... / gho_... / ghu_... / ghs_... / ghr_..., AWS AKIA..., Slack xox*, Google AIza..., Stripe sk_live_..., Twilio SK..., SendGrid SG...., npm npm_..., PyPI pypi-..., DB URLs with credentials, generic secret assignments

Sanity checks

# warn
echo '{"text":"sk-1234567890123456789012345"}' | npx --yes @claude-code-hooks/secrets@latest run --event PreToolUse

# block (HIGH only)
echo '{"text":"-----BEGIN OPENSSH PRIVATE KEY-----"}' | npx --yes @claude-code-hooks/secrets@latest run --event PreToolUse --mode block

# git commit scan (requires scanGitCommit: true in config)
echo '{"tool_input":{"command":"git commit -m test"}}' | npx --yes @claude-code-hooks/secrets@latest run --event PreToolUse