secretless-ai

v0.14.0

One command to keep secrets out of AI. Works with Claude Code, Cursor, Copilot, Windsurf, and any AI coding tool.

OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA

Keep API keys and secrets invisible to AI coding tools. Works with Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, and Aider.

Quick Start

npx secretless-ai init
  Detected:  Claude Code, Cursor
  Protected: .env, .aws/credentials, *.key, *.pem (21 file patterns)
  Blocked:   49 credential patterns from AI context
  Done.      Secrets are now invisible to AI tools.

For a full security dashboard covering credentials, shadow AI, config integrity, and more:

npx opena2a-cli review

MCP Server Protection

Every MCP server config has plaintext API keys in JSON files on your machine. The LLM sees them. Secretless encrypts them.

npx secretless-ai protect-mcp
  Scanned 1 client(s)

  + claude-desktop/browserbase
      BROWSERBASE_API_KEY (encrypted)
  + claude-desktop/github
      GITHUB_PERSONAL_ACCESS_TOKEN (encrypted)
  + claude-desktop/stripe
      STRIPE_SECRET_KEY (encrypted)

  3 secret(s) encrypted across 3 server(s).
  MCP servers start normally -- no workflow changes needed.

Scans configs across Claude Desktop, Cursor, Claude Code, VS Code, and Windsurf. Secrets move to your configured backend. Non-secret env vars (URLs, regions) stay untouched.

npx secretless-ai protect-mcp --backend 1password  # Store MCP secrets in 1Password
npx secretless-ai mcp-status                       # Show which servers are protected
npx secretless-ai mcp-unprotect                    # Restore original configs from backup
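
The split between secret and non-secret env vars described above, as an added example that is not secretless-ai's own code. The name and value heuristics, the `secretref:` placeholder and the sample config are assumptions made for illustration; the page does not show the project's real patterns or rewritten config format.

```javascript
// Added example: the name/value heuristics and the "secretref:" placeholder
// are assumptions, not secretless-ai's real patterns or on-disk format.
const SECRET_NAME = /(^|_)(API_?KEY|KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIALS?)($|_)/i;
// A connection URL is only "non-secret" if it carries no user:password@ part.
const URL_WITH_PASSWORD = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i;

function looksSecret(name, value) {
  if (typeof value !== 'string' || value === '') return false;
  if (value.startsWith('secretref:')) return false; // already protected
  return SECRET_NAME.test(name) || URL_WITH_PASSWORD.test(value);
}

// Returns a rewritten copy of the config plus the values that would be
// handed to the storage backend, keyed "server/VAR".
function protectMcpConfig(config) {
  const out = JSON.parse(JSON.stringify(config)); // never mutate the input
  const moved = {};
  for (const [server, def] of Object.entries(out.mcpServers || {})) {
    for (const [name, value] of Object.entries(def?.env ?? {})) {
      if (!looksSecret(name, value)) continue;
      moved[`${server}/${name}`] = value;
      def.env[name] = `secretref:${server}/${name}`;
    }
  }
  return { config: out, moved };
}

// Constructed sample in the "mcpServers" layout used by Claude Desktop.
const SAMPLE = {
  mcpServers: {
    github: {
      command: 'npx', args: ['-y', 'example-github-mcp'],
      env: { GITHUB_PERSONAL_ACCESS_TOKEN: 'constructed-token-value',
             GITHUB_API_URL: 'https://api.github.example:8443/v3' },
    },
    db: {
      command: 'npx', args: ['-y', 'example-db-mcp'],
      env: { DATABASE_URL: 'postgres://app:constructed-pw@db.example:5432/app',
             AWS_REGION: 'us-east-1' },
    },
    docs: { command: 'npx', args: ['-y', 'example-docs-mcp'] }, // no env at all
  },
};

const result = protectMcpConfig(SAMPLE);
console.log(Object.keys(result.moved));
console.log(JSON.stringify(result.config.mcpServers.db.env));
```

A name-only rule would leave `DATABASE_URL` in plaintext; checking the value for embedded credentials is what catches it, while the plain URL with a port and the region are left alone.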

How It Works

  1. Scans your project for hardcoded credentials in config files and source code (49 patterns across .js, .ts, .py, .go, .java, .rb, and more)
  2. Migrates them to secure storage (OS keychain, 1Password, Vault, GCP Secret Manager)
  3. Blocks AI tools from reading credential files (21 file patterns)
  4. Brokers access through environment variables -- secrets never enter AI context

Use Cases

Step-by-step guides for common workflows: docs/USE-CASES.md

Supported Tools

| Tool | Protection Method |
|------|------------------|
| Claude Code | PreToolUse hook (blocks reads before they happen) + deny rules + CLAUDE.md |
| Cursor | .cursorrules instructions |
| GitHub Copilot | .github/copilot-instructions.md instructions |
| Windsurf | .windsurfrules instructions |
| Cline | .clinerules instructions |
| Aider | .aiderignore file patterns |

Claude Code gets the strongest protection because it supports hooks -- a shell script runs before every file read and blocks access at the tool level.
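
What a tool-level block of this kind can look like, as an added example in Node rather than the project's own shell script. Claude Code passes a PreToolUse hook the pending tool call as JSON on stdin and treats exit code 2 as "block"; the pattern rules (built from the four file patterns quoted in Quick Start), the function names and the `--hook` flag are assumptions of this example.

```javascript
// Added example. The three rules encode the four file patterns quoted
// on this page (of 21); matching details and names are assumptions.
const PROTECTED = [
  (p) => /(^|\/)\.env(\.[^\/]+)?$/.test(p), // .env (".env.local" etc. assumed)
  (p) => /(^|\/)\.aws\/credentials$/.test(p),
  (p) => /\.(key|pem)$/i.test(p),
];

// Collapse "." and ".." so "config/../.env" cannot slip past the patterns.
function normalize(path) {
  const out = [];
  for (const seg of String(path).replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return out.join('/');
}

// event: the JSON a PreToolUse hook receives ({ tool_name, tool_input, ... }).
function decide(event) {
  const input = event.tool_input || {};
  let candidates = [];
  if (event.tool_name === 'Bash') {
    // Best effort: a shell command can name a protected file as an argument.
    candidates = String(input.command || '').split(/[\s;|&<>'"=]+/);
  } else if (input.file_path) {
    candidates = [input.file_path];
  }
  const hit = candidates.map(normalize).find((p) => p && PROTECTED.some((m) => m(p)));
  return hit ? { block: true, reason: `blocked: ${hit} matches a credential file pattern` }
             : { block: false };
}

// Hook mode ("--hook" is this example's own flag): read the event from stdin,
// exit 2 to block the tool call (stderr goes back to the model). Fail closed.
if (process.argv.includes('--hook')) {
  let raw = '';
  process.stdin.on('data', (chunk) => { raw += chunk; });
  process.stdin.on('end', () => {
    let verdict;
    try { verdict = decide(JSON.parse(raw)); }
    catch { verdict = { block: true, reason: 'blocked: unreadable hook input' }; }
    if (verdict.block) { console.error(verdict.reason); process.exit(2); }
  });
}
```

Unparseable input is blocked rather than allowed, because an ordinary non-zero exit from a crashed hook does not stop the tool call.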

Storage Backends

| Backend | Storage | Best For |
|---------|---------|----------|
| local | AES-256-GCM encrypted file | Quick start, single machine |
| keychain | macOS Keychain / Linux Secret Service | Native OS integration |
| 1password | 1Password vault | Teams, CI/CD, multi-device |
| vault | HashiCorp Vault KV v2 | Enterprise, self-hosted |
| gcp-sm | GCP Secret Manager | GCP-native workloads |

npx secretless-ai backend set 1password              # Switch backend
npx secretless-ai migrate --from local --to 1password # Migrate existing secrets

NanoMind Integration

Optional integration with NanoMind for enhanced security analysis:

npm install @nanomind/guard @nanomind/engine  # Optional

  • MCP injection screening: protect-mcp screens env var values for prompt injection patterns and warns when suspicious content is detected
  • Rich scan explanations: scan --explain generates context-aware security explanations for each finding using NanoMind's local inference engine

Both features gracefully degrade when NanoMind packages are not installed.

Using with opena2a-cli

opena2a-cli unifies all OpenA2A security tools:

npm install -g opena2a-cli
opena2a review          # Full security dashboard
opena2a secrets init    # Initialize secretless protection

Development

npm run build && npm test    # 809 tests

License

Apache-2.0


Part of the OpenA2A ecosystem. Full reference: opena2a.org/docs/secretless