Prompt Leak Guard

Prompt Leak Guard is a local browser utility for people who use AI tools while debugging, writing support replies, reviewing logs, or copying configuration snippets. The problem is simple: it is very easy to paste more context than intended into a chat box. A prompt can accidentally include an API key, bearer token, auth header, signed URL, database connection string, private key block, webhook, email address, phone number, or other sensitive value. Prompt Leak Guard gives users a quick local check before that paste happens.

The product is intentionally narrow. It does not connect to a company account, upload prompt text, call a remote AI model, or store scanned content on a server. The scanner runs in the browser and uses conservative pattern checks to flag common high-risk strings. When it finds something, it shows the risk category and creates a sanitized copy so the user can keep the useful debugging context while removing the risky value. The free web demo lets anyone test the workflow without creating an account. The installable build is packaged as a browser extension for people who want the scanner available as part of their normal work routine.

The current release focuses on practical AI prompt hygiene rather than broad enterprise DLP claims. It includes checks for common AI provider keys, cloud and package registry tokens, private keys, validated JWT-like tokens, credential-bearing database and broker URLs, signed URL patterns, authorization headers, cookies, payment-style cards, emails, phone numbers, and dashed US SSNs. It also includes false-positive guards for common placeholders, documentation examples, masked values, UUID-like trace IDs, invalid token-shaped strings, and known test-card style data.

A typical use case is a developer copying an error log into ChatGPT or Claude and running the text through Prompt Leak Guard first. Another is a founder or operator asking an AI assistant to help summarize an integration issue without exposing a customer email address, support token, or webhook. The tool is also useful for people creating public bug reports or support tickets from local config snippets.

The limitation is important: this is pattern-based safety tooling, not a replacement for secret rotation, access control, vendor security review, or formal DLP. It can miss unusual formats and it can flag suspicious text that turns out to be harmless. The goal is to catch common mistakes quickly, keep the workflow private, and make safe prompting easier before sensitive text leaves the browser.

The near term roadmap is deliberately practical: keep expanding coverage only when patterns can be tested conservatively, keep reducing false positives, and keep the product transparent about what it can and cannot prove. The goal is to ship a small guardrail that earns trust, not to market it as a magic security layer. User feedback is most valuable around missed provider formats, confusing warnings, and cases where the sanitizer should preserve more useful context.