
Security: Exposed Groq API Key in .env #102

@zscole


Security Alert: Exposed API Key Detected

Hi there,

I'm Zak Cole, a security researcher. I run automated scans to help developers identify accidentally exposed API credentials before malicious actors find them.

What I Found

File: .env
Key Type: Groq
Exposed Key (redacted): gsk_14VI********************************************wDeu

Why This Matters

Exposed API keys can lead to:

  • Unauthorized charges on your account (AI API calls can get expensive fast)
  • Data exfiltration if the key has access to your resources
  • Abuse of your account for spam, attacks, or other malicious activity

Recommended Actions

  1. Immediately revoke this key in your Groq dashboard
  2. Generate a new key and store it securely (environment variables, secrets manager)
  3. Check your usage for any unauthorized activity
  4. Add .env to your .gitignore to prevent future leaks

How to Store Secrets Properly

# .gitignore
.env
.env.*
*.env

Load from environment instead of hardcoding:

import os

# Read the key from the process environment at runtime; returns None if it is unset
api_key = os.environ.get("API_KEY")

This is an automated disclosure from a public service I run to help secure the open source ecosystem. No keys were stored or used, only pattern-matched and reported.

Need help building a secure application? I'm available for consulting and development work. Reach out if you want help shipping something that doesn't leak credentials.

Follow for more security content:

Stay safe!
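To make the "add .env to .gitignore" and "never hardcode the key" advice enforceable, here is an added example (not code from the issue author or the repository) of a pre-commit check that refuses a commit when an .env-style file is staged or a key-shaped token appears in the staged diff. The `gsk_` prefix comes from the redacted key above; the minimum body length, the redaction format and the sample diff are assumptions.

```python
import re
import subprocess
import sys

# Assumed shape of a Groq key: "gsk_" followed by a long alphanumeric body.
# The exact length is not stated on the page, so only a minimum of 20 is required.
KEY_RE = re.compile(r"\bgsk_[A-Za-z0-9]{20,}\b")
# Same file set as the .gitignore in the issue: .env, .env.*, *.env
ENV_FILE_RE = re.compile(r"(^|/)(\.env(\..+)?|[^/]*\.env)$")


def redact(key: str) -> str:
    """Keep the prefix plus 4 characters on each side, as in the issue's report."""
    body = key[4:]
    return "gsk_" + body[:4] + "*" * (len(body) - 8) + body[-4:]


def find_exposed_keys(text: str) -> list:
    """Return (line_number, redacted_key) for every key-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def is_env_file(path: str) -> bool:
    """True if the path matches the .gitignore rules and must not be committed."""
    return ENV_FILE_RE.search(path) is not None


def check_commit(paths: list, diff_text: str) -> list:
    """Collect findings for one commit: staged .env-style files and key-shaped tokens."""
    findings = [f"{p}: .env-style file staged" for p in paths if is_env_file(p)]
    findings += [f"line {n}: key-shaped token {k}" for n, k in find_exposed_keys(diff_text)]
    return findings


# Constructed sample input standing in for a staged diff; this is not a real key.
SAMPLE_PATHS = ["src/app.py", "config/.env.local"]
SAMPLE_DIFF = "+GROQ_API_KEY=gsk_ABCD" + "x" * 48 + "WXYZ\n+DEBUG=true\n"


def git(*args: str) -> str:
    return subprocess.run(["git", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Pre-commit usage: scan the staged file list and diff, exit non-zero on any finding.
    problems = check_commit(git("diff", "--cached", "--name-only").split(), git("diff", "--cached"))
    for problem in problems:
        print("BLOCKED:", problem)
    sys.exit(1 if problems else 0)
```

Install it as `.git/hooks/pre-commit` (or wire it into your existing hook runner) so the check runs before every commit rather than after a scanner finds the leak.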
