
secret-stripper: a Rust CLI that scrubs secrets out of your clipboard before you paste them somewhere you'll regret
secret-stripper is a three-day-old Rust CLI (MIT, v1.0.0, 3★) that intercepts clipboard contents on a global hotkey and replaces anything matching its 875-pattern / 43-category detection engine with [REDACTED] before you paste — catching AWS keys, OAuth tokens, SSH private keys, crypto wallet mnemonics, and more. Linux install is a one-liner; macOS and Windows require skhd or AutoHotkey v2 and take 3–5 minutes. No independent security audit yet — treat it as a useful safety net, not a certified control.

You've done it. Pasted an AWS access key into a Slack DM instead of a terminal. Dropped a .env value into an AI chat prompt while copying example output. The window was right there, and the clipboard was already primed.
Gianluca Iavicoli (kalix127) shipped secret-stripper on May 24 to handle exactly that moment: select text, press a global hotkey, and anything in your clipboard that looks like a secret gets replaced with [REDACTED] before you paste it anywhere 1. The project is three days old, has 3 GitHub stars, and 18 total downloads on crates.io 2. Bring calibrated expectations — but the underlying idea is sound, the author is responsive, and the pattern coverage is surprisingly broad.
What the detection engine covers
The detection layer has three tiers 3:
Regex patterns — 875 named patterns across 43 categories. The scope is wide: AWS/GCP/Azure keys, OAuth tokens, GitHub/GitLab PATs, Stripe and PayPal secrets, database connection strings, SSH private keys, crypto wallet mnemonics (BIP39), and PII including passport MRZ data, government IDs with Mod-10/Mod-11 check digits, and IBAN numbers validated via mod-97.
Entropy scan — Shannon entropy detection for high-randomness strings that don't match any named pattern. Catches the "looks like a secret but isn't in the database" cases.
Deep scan — heuristics for common secret containers: .env key-value pairs, base64 blobs, JSON fields named password/secret/token, and SSH key blocks.
Three presets let you dial the sensitivity: Minimal (basic PII only), Balanced (default — PII plus common dev keys), and Full (everything enabled) 1.
The Cargo.toml uses opt-level=z + LTO + codegen-units=1 + strip + panic=abort. That is a size-first release profile rather than a speed profile: opt-level=z optimizes for binary size at some cost to throughput, LTO and codegen-units=1 give the optimizer whole-program visibility, strip drops symbols, and panic=abort terminates the process on any panic instead of unwinding. No performance benchmarks are published, and this is an unaudited v1.0.0, so treat the pattern coverage as "broad" rather than "proven" 3.
Install
Maturity note: no Homebrew formula, no npm, no pip, no winget package exists yet 1. Your two paths are the one-liner install script or cargo install from crates.io.

| Platform | Install | Extra dependency | Estimated time |
|---|---|---|---|
| Linux | `curl -fsSL https://secretstripper.download/install.sh \| bash` | None — uses gsettings / xfconf / kwriteconfig natively | < 1 min |
| Linux (cargo) | `cargo install secret-stripper` then `secret-stripper init` | None | ~2 min (compile) |
| macOS | `brew install koekeishiya/formulae/skhd` then `cargo install secret-stripper && secret-stripper init` | skhd (or Hammerspoon) + Accessibility permission grant | 3–5 min |
| Windows | `winget install AutoHotkey.AutoHotkey` then `cargo install secret-stripper && secret-stripper init` | AutoHotkey v2 | 2–4 min |

Linux is the cleanest path. macOS requires skhd because — as the author notes in the README — "there is no zero-install way to register a true global hotkey on macOS without a resident process" 1. After granting Accessibility permissions, run skhd --restart-service and the hotkey goes live. If you take the one-liner, remember that it pipes a remote script from a days-old project straight into bash: fetch the script and read it before you run it.
The default macOS shortcut is Cmd+Shift+C. That conflicts with Chrome DevTools and Finder's "Copy Path" — the author acknowledges this and recommends Cmd+Option+X or Cmd+Ctrl+X as safer defaults 1. Change it before muscle memory bites you.
A concrete scenario
You're reviewing a pull request and copying a test fixture from the diff — the fixture contains a placeholder JWT that looks real enough to trigger pattern matching. Your workflow becomes:
# 1. Copy the block from your code review tool
# 2. Press hotkey (Cmd+Option+X on macOS, configured shortcut on Linux/Windows)
# 3. Paste into terminal — any JWT-shaped string is now [REDACTED]
More practically: you're debugging an issue and someone asks you to share a docker-compose.yml snippet in Slack. You copy the file, run the redaction hotkey, paste — all POSTGRES_PASSWORD and REDIS_URL values come through as [REDACTED]. You didn't have to remember to scrub manually.
The redaction is clipboard-in / clipboard-out. It doesn't alter the source file, doesn't send anything remotely, and doesn't persist state. The binary runs entirely offline 1.
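What that pass looks like in miniature, as an added example rather than secret-stripper's own code: the block below reproduces the three tiers from the detection section (named patterns, Shannon entropy, deep-scan key heuristics) and runs them over a constructed docker-compose-style paste like the one in this scenario. The matchers are hand-rolled stand-ins for the project's regex set and cover only three shapes (AWS access key IDs in their public format, IBANs checked with ISO 13616 mod-97, and URLs carrying credentials); the entropy threshold, minimum token length and sensitive-key word list are assumptions chosen for the demo, and the AWS values in the sample are the placeholder keys from AWS documentation, not live credentials.

```rust
// Added example for this page, not secret-stripper's code or pattern set: a
// miniature of the three-tier detector the article describes, plus
// clipboard-in/clipboard-out redaction. Thresholds and the key-name list are
// assumptions; the token shapes are public formats.
// Tiers: Pattern = named pattern (checksum where one exists), Entropy = bits/char,
// DeepScan = value sitting under a sensitive-looking key name.
#[derive(Debug, Clone, PartialEq)]
pub enum Finding { Pattern(&'static str), Entropy(f64), DeepScan(String) }
fn is_aws_access_key_id(t: &str) -> bool {
    t.len() == 20 && t.starts_with("AKIA")
        && t[4..].bytes().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit())
}
/// ISO 13616 mod-97: move the first four characters to the end, map A..Z to 10..35,
/// and the resulting integer mod 97 must be 1. The checksum is what stops a random
/// 22-character alphanumeric token from matching as an IBAN.
pub fn is_iban(t: &str) -> bool {
    let t = t.to_ascii_uppercase();
    let b = t.as_bytes();
    let shape_ok = (15..=34).contains(&b.len()) && b.iter().all(|c| c.is_ascii_alphanumeric())
        && b[..2].iter().all(|c| c.is_ascii_alphabetic()) && b[2..4].iter().all(|c| c.is_ascii_digit());
    if !shape_ok { return false; }
    let mut rem = 0u32;
    for &c in b[4..].iter().chain(&b[..4]) {
        rem = if c.is_ascii_digit() { (rem * 10 + u32::from(c - b'0')) % 97 }
              else { (rem * 100 + u32::from(c - b'A') + 10) % 97 };
    }
    rem == 1
}
/// Connection string with embedded credentials (postgres://user:pw@host, redis://:pw@host).
fn is_url_with_credentials(t: &str) -> bool {
    t.split_once("://")
        .and_then(|(_, rest)| rest.split('/').next())
        .and_then(|authority| authority.rsplit_once('@'))
        .map_or(false, |(userinfo, _)| userinfo.contains(':'))
}
/// Shannon entropy over the token's bytes, in bits per character.
pub fn shannon_entropy(t: &str) -> f64 {
    let mut counts = [0u32; 256];
    for b in t.bytes() { counts[b as usize] += 1; }
    let n = t.len() as f64;
    counts.iter().filter(|&&c| c > 0).map(|&c| { let p = f64::from(c) / n; -p * p.log2() }).sum()
}
const ENTROPY_MIN_LEN: usize = 20;  // assumption: shorter tokens are too noisy to judge
const ENTROPY_THRESHOLD: f64 = 3.5; // assumption, bits/char; pure hex tops out at 4.0
fn sensitive_key(key: &str) -> bool { // assumed word list, not the project's
    let k = key.to_ascii_lowercase();
    ["password", "passwd", "secret", "token", "api_key", "apikey", "private_key"].iter().any(|w| k.contains(w))
}
/// Tiers are tried in order; the first hit wins.
pub fn classify(token: &str, key: Option<&str>) -> Option<Finding> {
    if is_aws_access_key_id(token) { return Some(Finding::Pattern("aws_access_key_id")); }
    if is_url_with_credentials(token) { return Some(Finding::Pattern("url_with_credentials")); }
    if is_iban(token) { return Some(Finding::Pattern("iban")); }
    if token.len() >= ENTROPY_MIN_LEN {
        let e = shannon_entropy(token);
        if e >= ENTROPY_THRESHOLD { return Some(Finding::Entropy(e)); }
    }
    match key {
        Some(k) if sensitive_key(k) => Some(Finding::DeepScan(k.to_string())),
        _ => None,
    }
}
/// Clipboard-in / clipboard-out: returns the text with every flagged value replaced by
/// [REDACTED], plus the findings. Tokens are whitespace-delimited; `KEY=value` and
/// `key: value` (.env, YAML, JSON) hand the key name to tier 3.
pub fn redact(text: &str) -> (String, Vec<Finding>) {
    let junk: &[char] = &['"', '\'', ',', '[', ']', '{', '}'];
    let (mut out, mut findings) = (String::new(), Vec::new());
    for line in text.lines() {
        let mut pending_key: Option<String> = None; // set by a `key:` token
        let mut words: Vec<String> = Vec::new();
        for raw in line.split_whitespace() {
            let t = raw.trim_matches(junk);
            let (key, value) = match t.split_once('=') {
                Some((k, v)) if !v.is_empty() => (Some(k.to_string()), v),
                _ => (pending_key.take(), t),
            };
            if key.is_none() && value.ends_with(':') {
                pending_key = Some(value.trim_end_matches(':').trim_matches(junk).to_string());
                words.push(raw.to_string());
                continue;
            }
            match classify(value, key.as_deref()) {
                Some(f) => { findings.push(f); words.push(raw.replacen(value, "[REDACTED]", 1)); }
                None => words.push(raw.to_string()),
            }
        }
        out.extend(line.chars().take_while(|c| c.is_whitespace())); // keep indentation
        out.push_str(&words.join(" "));
        out.push('\n');
    }
    (out, findings)
}
/// Constructed docker-compose-style paste; AWS values are AWS documentation placeholders.
pub const SAMPLE: &str = r#"environment:
  - POSTGRES_PASSWORD=hunter2
  - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
REDIS_URL: redis://:s3cr3t@cache:6379/0
iban: GB82WEST12345698765432
test_fixture_id: 0123456789abcdef0123456789abcdef
image: postgres:16
"#;
fn main() { let (r, f) = redact(SAMPLE); print!("{r}"); for x in &f { println!("{x:?}"); } }
```

Two things the run shows that the prose only states: the mod-97 check is why a pattern with a checksum can be strict (flip the IBAN's last digit and it no longer matches, so it never needs the entropy tier), and the entropy tier redacts the hex test fixture at exactly 4.0 bits per character even though it is obviously not a secret, which is the false-positive behaviour the next section warns about. The `image: postgres:16` line survives untouched because nothing about it trips any tier.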
![secret-stripper terminal demo — text selected, hotkey pressed, clipboard content shown with secrets replaced by [REDACTED]](https://storage.neodrop.ai/grains/media/aYi6JetP8zx86sXgqf9cD.gif?w=640)
What to know before you rely on it
It's three days old with 3 stars 1. The community signal is near-zero: r/commandline picked up 5 upvotes and one genuine comment from u/gumnos (who shared an existing xsel | sed clipboard-scrubbing script they'd been running for years — meaning the problem is real and DIY-solvable, but demand for a packaged tool is unproven) 4. The r/rust cross-post landed at 0 net votes with a 44% upvote rate 5.
No independent security audit. The 875 patterns haven't been reviewed by anyone other than the author. The entropy scanner will have false positives (your random test data gets redacted) and the named patterns will have gaps (any API provider that rotated its key format in the last few months probably isn't covered yet). It also only fires when you press the hotkey: forget the keystroke and nothing is scrubbed. Use the Balanced preset for daily use and Full only when you know you're handling diverse secrets.
The author responds fast. When r/rust users criticized the Makefile in the first 24 hours, kalix127 pushed a build: replace makefile with justfile commit (a8c58e8) the same day 6. That's a good sign for a project this young.
One AI disclosure note. The r/commandline post includes "(Partially polish with AI)" at the end; this line is absent from the r/rust cross-post 4 5. No community reaction to the discrepancy — the project is too new to have built strong expectations either way.
Bottom line: if you're on Linux, the install is a one-liner and trying it costs little, though the one-liner pipes a remote script into bash and deserves a read first. If you're on macOS or Windows, the skhd/AutoHotkey setup adds 3–5 minutes and a persistent background process — decide whether that overhead suits your setup. The detection coverage is genuinely wide for a v1.0.0; just don't treat it as a security control until it's seen more external review.
Cover image: AI-generated illustration