
cleanmyprompt v1.4.3

Scan, redact, and squeeze code before it reaches an LLM. Blocks API keys, secrets, and PII in real time. Cuts token costs 30–70% with smart compression. Git hooks, CI/CD, SARIF, watch mode. Free for personal use — commercial license for teams.

Readme

CleanMyPrompt CLI

Stop leaking secrets to AI. Stop burning tokens. Ship safer code, faster.


CleanMyPrompt is a developer security and token-efficiency CLI. It scans your code for secrets, credentials, and PII before they reach an LLM — and compresses token-heavy files by 30–70% using a smart multi-pass squeeze engine. Runs 100% locally. Zero network calls. Zero telemetry.

Works standalone, in git pre-commit hooks, and in GitHub Actions CI/CD pipelines. Outputs SARIF for GitHub Advanced Security integration.


Install

```bash
# Global (recommended — use in git hooks and daily workflow)
npm install -g cleanmyprompt

# One-off without installing
npx cleanmyprompt scan .
```

Commands

scan — Detect secrets, API keys, PII, and credentials

```bash
cleanmyprompt scan .                         # scan entire project
cleanmyprompt scan src/ lib/                 # scan specific directories
cleanmyprompt scan --staged                  # only git-staged files (pre-commit)
cleanmyprompt scan --severity error          # HIGH severity only
cleanmyprompt scan --sarif > results.sarif   # SARIF v2.1.0 for GitHub Security tab
cleanmyprompt scan --json                    # structured JSON for pipelines
cleanmyprompt scan --github-annotations      # GitHub Actions ::error annotations
cleanmyprompt scan --watch                   # re-scan on every file save
cleanmyprompt scan --interactive             # review each finding: redact / skip / quit
cleanmyprompt scan --ignore "tests/** fixtures/**"
```

Detects 35+ patterns including:

  • OpenAI, Anthropic, Stripe, AWS, GitHub, Google, Azure API keys
  • JWT tokens, Bearer tokens, PEM/SSH private keys
  • Database connection strings with embedded credentials
  • Email, phone (international), US SSN, credit card (Luhn-validated), IBAN
  • Hardcoded passwords in JS/TS, Python, Go, Ruby, YAML, SQL, Shell

SARIF output uploads directly to GitHub's Security → Code scanning tab:

```yaml
- name: CleanMyPrompt Security Scan
  run: npx cleanmyprompt scan . --sarif > results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

Watch mode re-scans every time you save a file, giving you a live security feed as you write code:

```bash
cleanmyprompt scan src/ --watch
# ✔  Watching 47 files. Re-scanning on change…
# ⚠  src/config.ts changed — 1 new HIGH finding
```

Interactive mode steps through each finding and lets you decide:

```bash
cleanmyprompt scan . --interactive
# [1/3] OPENAI-KEY in src/api.ts:14
#   sk-proj-abc123...
# [r]edact / [s]kip / [q]uit › r
```

fix — Auto-redact secrets in place

```bash
cleanmyprompt fix .                          # redact all findings across project
cleanmyprompt fix src/config.ts              # single file
cleanmyprompt fix --staged                   # only staged files
cleanmyprompt fix --dry-run                  # preview without writing
```

Replaces each finding with a safe tagged placeholder:

```text
OPENAI_API_KEY=sk-proj-abc123     →     OPENAI_API_KEY=[OPENAI-KEY]
[email protected]              →     [EMAIL]
postgres://user:pass@host/db      →     [CONNECTION-STRING]
```
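The placeholder substitution above, as an added example that is not CleanMyPrompt's own code: a small redactor that tags each finding the way `fix` does, with a Luhn check so that ordinary 13+ digit numbers are not mis-tagged as card numbers. The four patterns and the sample input are constructed for illustration and are far narrower than the 35+ rules the CLI ships.

```javascript
// Added example, not the CleanMyPrompt engine. Patterns are illustrative only.
function luhnValid(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]); // walk from the rightmost digit
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; } // double every second digit
    sum += d;
  }
  return sum % 10 === 0;
}

const RULES = [
  // Order matters: connection strings go first so the "user:pass@host" part
  // is never tagged by the looser EMAIL rule below.
  { tag: 'CONNECTION-STRING', re: /\b(?:postgres(?:ql)?|mysql|mongodb):\/\/[^\s:/]+:[^\s@]+@\S+/g },
  { tag: 'OPENAI-KEY',        re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{6,}\b/g },
  { tag: 'EMAIL',             re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  // 13-19 digits with optional spaces/dashes; only kept as a finding if Luhn passes.
  { tag: 'CREDIT-CARD',       re: /\b(?:\d[ -]?){12,18}\d\b/g, validate: luhnValid },
];

// Returns the redacted text plus the list of findings that were replaced.
function redact(text) {
  const findings = [];
  let output = text;
  for (const { tag, re, validate } of RULES) {
    output = output.replace(re, (match) => {
      if (validate && !validate(match)) return match; // false positive: leave untouched
      findings.push({ tag, match });
      return `[${tag}]`;
    });
  }
  return { output, findings };
}

// Constructed sample input mirroring the placeholder table above.
const SAMPLE = [
  'OPENAI_API_KEY=sk-proj-abc123',
  'SUPPORT=john@example.com',
  'DATABASE_URL=postgres://user:pass@host/db',
  'CARD=4111 1111 1111 1111',
  'ORDER_ID=1234567890123', // 13 digits but fails Luhn, so it must survive
].join('\n');

console.log(redact(SAMPLE).output);
```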

squeeze — Cut LLM token costs by 30–70%

```bash
cleanmyprompt squeeze src/api.ts             # safe mode (default)
cleanmyprompt squeeze src/api.ts --level aggressive
cleanmyprompt squeeze src/api.ts --stats-only
cleanmyprompt squeeze src/ --level aggressive
```

The 11-pass compression engine removes what an LLM doesn't need:

| Pass | What it removes |
|------|-----------------|
| 1 | License / copyright headers |
| 2 | JSDoc / TSDoc blocks → single-line summaries |
| 3 | Block comments (`/* */`, `""" """`, `<!-- -->`) |
| 4 | Whole-line comments |
| 5 | Debug/log statements (`console.log`, `print`, `logger.debug`) |
| 6 | Multi-line import collapse |
| 7 | Unused named imports |
| 8 | 4-space → 2-space indent |
| 9 | Trailing whitespace |
| 10 | Blank-line collapse (3+ → 1) |
| 11 | Interface/type block compression (aggressive only) |

An animated progress bar shows each pass as it runs. The final output includes a styled results table with colour-coded savings.

Typical results on real codebases:

```text
Before:   4,218 tokens
After:    1,391 tokens
Saved:    2,827 tokens (67%)
```
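To make the pass pipeline concrete, here is an added example (not CleanMyPrompt's own engine) that implements five of the passes from the table above in order and reports the characters each pass saved; pass numbers match the table. The sample source is constructed, and the comment rule is deliberately naive (it would also strip a `#!` shebang), which is exactly why a real engine has to be language-aware.

```javascript
// Added example, not the CleanMyPrompt squeeze engine.
const LINE_COMMENT = /^\s*(?:\/\/|#).*$/;                       // pass 4 (naive: no shebang handling)
const DEBUG_CALL = /^\s*(?:console\.(?:log|debug)|print|logger\.debug)\(.*\);?\s*$/; // pass 5

// Runs of 3+ blank lines become one; shorter runs are kept as-is (pass 10).
function collapseBlankRuns(lines) {
  const out = [];
  let run = 0;
  const flush = () => { for (let i = 0; i < (run >= 3 ? 1 : run); i++) out.push(''); run = 0; };
  for (const l of lines) {
    if (l === '') { run++; continue; }
    flush();
    out.push(l);
  }
  flush();
  return out;
}

const PASSES = [
  { id: 4,  name: 'whole-line comments',          run: (ls) => ls.filter((l) => !LINE_COMMENT.test(l)) },
  { id: 5,  name: 'debug/log statements',         run: (ls) => ls.filter((l) => !DEBUG_CALL.test(l)) },
  { id: 8,  name: '4-space -> 2-space indent',
    run: (ls) => ls.map((l) => l.replace(/^(?: {4})+/, (m) => ' '.repeat(m.length / 2))) },
  { id: 9,  name: 'trailing whitespace',          run: (ls) => ls.map((l) => l.replace(/[ \t]+$/, '')) },
  { id: 10, name: 'blank-line collapse (3+ -> 1)', run: collapseBlankRuns },
];

// Applies each pass in order and records how many characters it removed.
function squeeze(source) {
  let lines = source.split('\n');
  const report = [];
  for (const pass of PASSES) {
    const before = lines.join('\n').length;
    lines = pass.run(lines);
    report.push({ pass: pass.id, name: pass.name, saved: before - lines.join('\n').length });
  }
  return { output: lines.join('\n'), report };
}

// Constructed sample: a comment line, a debug call, 4-space indents,
// trailing spaces and a run of three blank lines.
const SAMPLE = [
  '// helper for the API client   ',
  'function fetchUser(id) {',
  '    console.log("fetching", id);',
  '    const url = `/users/${id}`;  ',
  '', '', '',
  '    return fetch(url);',
  '}',
].join('\n');

console.table(squeeze(SAMPLE).report);
```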

install-hook — Block secrets at commit time

```bash
cleanmyprompt install-hook                   # blocks commits with HIGH findings
cleanmyprompt install-hook --severity warning
cleanmyprompt install-hook --exit-zero       # report-only, never blocks
cleanmyprompt install-hook --force           # overwrite existing hook
cleanmyprompt uninstall-hook
```

Every git commit runs `cleanmyprompt scan --staged`. If HIGH severity secrets are detected, the commit is blocked with clear instructions on how to fix them.


GitHub Actions

Add the following to `.github/workflows/cleanmyprompt.yml` to scan every push and pull request:

```yaml
name: CleanMyPrompt Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Option A — use the bundled composite action
      - uses: cleanmyprompt/cleanmyprompt/.github/actions/scan@main
        with:
          severity: error
          exit-zero: 'false'

      # Option B — SARIF upload to GitHub Security tab
      - run: npx cleanmyprompt scan . --sarif > results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Action outputs: `total-findings` · `high-findings` · `medium-findings`

When HIGH severity findings appear in a PR, the action posts an automatic inline comment listing each finding and how to resolve it.


Config file

Create `.cleanmyprompt.json` in your project root to set defaults:

```json
{
  "ignore": ["tests/**", "fixtures/**", "*.example"],
  "minSeverity": "error",
  "exitZero": false
}
```

Exit codes

| Code | Meaning |
|------|---------|
| 0 | No findings at or above threshold (or `--exit-zero`) |
| 1 | Findings found |
| 2 | Usage/config error |


VS Code Extension

Use CleanMyPrompt inside VS Code for real-time inline warnings, one-click redact, LSP-aware token squeeze, and the @cleanmyprompt Copilot Chat participant.

Install from the VS Code Marketplace →

Features available in the extension (not in the CLI):

  • Real-time inline squiggles as you type
  • Secret propagation graph across your workspace
  • Token cost inlay hints per function and class
  • Explorer tree risk badges (🔴/🟡 per file)
  • Animated token counter in the status bar
  • Session compliance report (GDPR/HIPAA/SOC2)

Enterprise & Teams

Need team-wide custom rule sets, audit log exports, SSO integration, SIEM forwarding, or on-prem deployment?

Contact us at cleanmyprompt.io


License

Free for personal and open-source use.

| Use case | License required |
|---|---|
| Individual developer, personal projects | ✅ Free — no action needed |
| Open-source projects (public repo) | ✅ Free — no action needed |
| Internal tooling at a company (any size) | 💼 Commercial license required |
| Integrating into a commercial product or SaaS | 💼 Commercial license required |
| CI/CD pipelines at a business | 💼 Commercial license required |
| Reselling or redistributing | 💼 Commercial license required |

Commercial licenses are per-seat or site-wide. Get in touch →

The full legal text is in LICENSE.

