QuellStop API keys and passwords leaking into AI tools. Quell redacts secrets before they reach Copilot, Cursor, or Windsurf — 100% offline, zero telemetry. Installation Launch VS Code Quick Open ( Ctrl+P), paste the following command, and press enter.Copied to clipboard |
Quell
Stop leaking secrets to AI. Quell intercepts your prompts, scans for API keys, tokens, passwords, and connection strings — and replaces them with secure placeholders before the AI ever sees them. Real values are stored safely in your OS Keychain.
🚨 The ProblemEvery time you paste code into an AI chat (Copilot, Cursor, Windsurf, Antigravity), secrets get silently transmitted to cloud-hosted models:
Quell is the security layer between you and the AI. ⚡ How It Works
✨ Features📋 Copy Redacted (
|
| Category | Examples |
|---|---|
| Cloud | AWS (AKIA...), Google Cloud, Azure |
| AI/ML | OpenAI, Anthropic, Hugging Face, Gemini |
| Payments | Stripe (sk_live_...), Square, PayPal |
| Version Control | GitHub PATs, GitLab, Bitbucket |
| Communication | Slack, Discord, Telegram, Twilio |
| Databases | PostgreSQL, MongoDB, Redis, MySQL URIs |
| Auth | JWTs, Bearer tokens, Basic Auth, OAuth |
| Crypto | RSA, EC, OpenSSH, PGP private keys |
| Hosting | Vercel, Netlify, Heroku, DigitalOcean, Fly.io |
| BaaS | Supabase (sb_publishable_..., sb_secret_...) |
| + 30 more | SendGrid, Shopify, Datadog, NPM, PyPI... |
📊 Shannon Entropy Analysis
Catches high-randomness tokens that don't match any known pattern — configurable threshold and minimum token length.
🤖 AI Indexing Shield
One-click toggle that generates .cursorignore, .windsurfignore, .antigravityignore, .aiderignore, and .aiignore files — blocking AI IDEs from silently indexing your secret files.
⚡ Clipboard Sentry & Auto-Sanitize
Passive clipboard monitoring that warns you within 1 second when a secret is on your clipboard. Enable Auto-Sanitize from the sidebar dashboard to automatically replace clipboard secrets with safe placeholders — so even a regular Ctrl+V into Cursor or Windsurf chat is safe.
🔍 Live Editor Diagnostics
Exposed secrets are highlighted with yellow squiggly underlines in real-time as you type. They appear in VS Code's Problems panel. Click the 💡 lightbulb (or Ctrl+.) for a one-click Quick Fix to redact them instantly.
🔒 Secure Storage
Secrets stored in your OS Keychain via VS Code's SecretStorage API (Windows Credential Manager / macOS Keychain / libsecret). Never written to disk in plaintext. Restorable anytime.
📝 Inline Decorations
{{SECRET_xxx}} placeholders get orange dashed borders and 🔒 icons in the editor. Hover for restore options.
💬 Chat Participant (@quell)
Talk to @quell in VS Code's chat panel. Every prompt is scanned before it reaches the AI. Use /context to safely share .env file structure.
⚠️ Smart Save Warnings
Get notified when saving a file that still contains raw secrets — with a one-click "Redact Now" option. Dismiss warnings per-file for the rest of your session. They only come back if you add new secrets to that file.
⚙️ Configuration
| Setting | Default | Description |
|---|---|---|
quell.enableEntropyScanning |
true |
Enable Shannon Entropy analysis |
quell.entropyThreshold |
4.5 |
Minimum entropy to flag (2.0–7.0) |
quell.minimumTokenLength |
20 |
Minimum token length for entropy scanning |
quell.customPatterns |
[] |
Custom regex patterns ([{name, regex}]) |
quell.whitelistPatterns |
[] |
Regex patterns to exclude from detection |
quell.showInlineDecorations |
true |
Show inline decorations for placeholders |
quell.confirmBeforeRedact |
false |
Confirmation dialog before file redaction |
quell.autoSanitizeClipboard |
false |
Auto-replace clipboard secrets with placeholders |
quell.redactTestKeys |
false |
Redact officially-published test credentials (e.g. AKIAIOSFODNN7EXAMPLE) |
📦 Commands
| Command | Keybinding | Description |
|---|---|---|
| Copy Redacted | Ctrl+Shift+C |
Copy with secrets redacted |
| Sanitized Paste | Ctrl+Shift+V |
Paste with secrets stripped |
| Redact Active File | — | Redact all secrets in current file |
| Redact Selection | — | Redact secrets in selected text |
| Restore Secrets | — | Restore placeholders from Keychain |
| Scan Workspace | — | Full workspace secret audit |
| Show Log | — | Open the Quell output panel |
| Clear Vault | — | Delete all stored secrets from the OS Keychain |
🔐 Privacy & Security
- 100% offline — zero network calls, zero telemetry, zero external APIs
- OS Keychain storage — secrets encrypted at rest by your operating system
- Non-destructive — real values always restorable from the Keychain
- Open source — audit the code yourself
🤝 Compatible IDEs
| IDE | Supported | AI Shield |
|---|---|---|
| VS Code | ✅ | .aiignore |
| Cursor | ✅ | .cursorignore |
| Windsurf | ✅ | .windsurfignore |
| Antigravity | ✅ | .antigravityignore |
| Aider | ✅ | .aiderignore |
🎓 Guided Onboarding
New to Quell? On first install, a Getting Started walkthrough opens automatically in the VSCode Welcome tab. It walks you through:
- What Quell does and why you need it
- A live demo with fake credentials so you can see detection in action
- The two key shortcuts (
Ctrl+Shift+CandCtrl+Shift+V) - Setting up the AI Indexing Shield
- How your secrets are stored (OS Keychain, fully offline)
You can reopen it anytime from the Command Palette: Quell: Getting Started.
🚀 Quick Start
- Install Quell from the VS Code Marketplace
- Follow the onboarding walkthrough
- Press
Ctrl+Shift+Cto copy code safely for AI chat - Enable the AI Indexing Shield in the sidebar to block AI file indexing
- Enable Clipboard Auto-Sanitize in the sidebar for maximum protection
- Use
@quell /contextto safely share.envstructure
📄 License
MIT — free and open source.