Stop leaking secrets to AI. Quell intercepts your prompts, scans for API keys, tokens, passwords, and connection strings β and replaces them with secure placeholders before the AI ever sees them. Real values are stored safely in your OS Keychain.
100% offline. Zero network calls. Zero telemetry. Your secrets never leave your machine.
Every time you paste code into an AI chat (Copilot, Cursor, Windsurf, Antigravity), secrets get silently transmitted to cloud-hosted models:
| What You Do | What Leaks |
|---|---|
Paste .env asking "why won't my DB connect?" |
Database passwords, API keys |
Copy payment.ts asking "why is Stripe failing?" |
sk_live_XXXXXXX (live Stripe key) |
| AI IDE indexes your workspace | Every .env, config.json, credentials.yml |
Quell is the security layer between you and the AI.
- You write code with real secrets
- Quell scans using 75+ regex patterns + Shannon entropy analysis
- AI receives safe placeholders β
{{SECRET_xxx}}instead of your real keys
# Before (DANGEROUS)
- STRIPE_KEY=sk_live_REPLACE_WITH_YOUR_KEY
- DATABASE_URL=postgres://admin:YOUR_PASSWORD@db.example.com:5432/mydb
# After Quell (SAFE)
+ STRIPE_KEY={{SECRET_52c14bbbc02ef7a1}}
+ DATABASE_URL={{SECRET_f6d2e5e49c86a3b2}}
+ AWS_REGION=us-east-1 β non-secret, left unchangedSelect code β press the shortcut β paste into any AI chat. Secrets are replaced, non-secrets are preserved. The primary workflow.
Paste from any source with secrets automatically stripped. Works with code copied from browsers, terminals, or other files.
Note: Quell rebinds
Ctrl+Shift+Vin the editor, which conflicts with VSCode's built-in "Paste without formatting" in some contexts. If you prefer the default binding, remap Quell's Sanitised Paste via File > Preferences > Keyboard Shortcuts.
Regex-based detection covering:
| Category | Examples |
|---|---|
| Cloud | AWS (AKIA...), Google Cloud, Azure |
| AI/ML | OpenAI, Anthropic, Hugging Face, Gemini |
| Payments | Stripe (sk_live_...), Square, PayPal |
| Version Control | GitHub PATs, GitLab, Bitbucket |
| Communication | Slack, Discord, Telegram, Twilio |
| Databases | PostgreSQL, MongoDB, Redis, MySQL URIs |
| Auth | JWTs, Bearer tokens, Basic Auth, OAuth |
| Crypto | RSA, EC, OpenSSH, PGP private keys |
| Hosting | Vercel, Netlify, Heroku, DigitalOcean, Fly.io |
| BaaS | Supabase (sb_publishable_..., sb_secret_...) |
| + 30 more | SendGrid, Shopify, Datadog, NPM, PyPI... |
Catches high-randomness tokens that don't match any known pattern β configurable threshold and minimum token length.
One-click toggle that generates .cursorignore, .windsurfignore, .antigravityignore, .aiderignore, and .aiignore files β blocking AI IDEs from silently indexing your secret files.
Passive clipboard monitoring that warns you within 1 second when a secret is on your clipboard. Enable Auto-Sanitize from the sidebar dashboard to automatically replace clipboard secrets with safe placeholders β so even a regular Ctrl+V into Cursor or Windsurf chat is safe.
Exposed secrets are highlighted with yellow squiggly underlines in real-time as you type. They appear in VS Code's Problems panel. Click the π‘ lightbulb (or Ctrl+.) for a one-click Quick Fix to redact them instantly.
Secrets stored in your OS Keychain via VS Code's SecretStorage API (Windows Credential Manager / macOS Keychain / libsecret). Never written to disk in plaintext. Restorable anytime.
{{SECRET_xxx}} placeholders get orange dashed borders and π icons in the editor. Hover for restore options.
Talk to @quell in VS Code's chat panel. Every prompt is scanned before it reaches the AI. Use /context to safely share .env file structure.
Get notified when saving a file that still contains raw secrets β with a one-click "Redact Now" option. Dismiss warnings per-file for the rest of your session. They only come back if you add new secrets to that file.
| Setting | Default | Description |
|---|---|---|
quell.enableEntropyScanning |
true |
Enable Shannon Entropy analysis |
quell.entropyThreshold |
4.5 |
Minimum entropy to flag (2.0β7.0) |
quell.minimumTokenLength |
20 |
Minimum token length for entropy scanning |
quell.customPatterns |
[] |
Custom regex patterns ([{name, regex}]) |
quell.whitelistPatterns |
[] |
Regex patterns to exclude from detection |
quell.showInlineDecorations |
true |
Show inline decorations for placeholders |
quell.confirmBeforeRedact |
false |
Confirmation dialog before file redaction |
quell.autoSanitizeClipboard |
false |
Auto-replace clipboard secrets with placeholders |
quell.redactTestKeys |
false |
Redact officially-published test credentials (e.g. AKIAIOSFODNN7EXAMPLE) |
| Command | Keybinding | Description |
|---|---|---|
| Copy Redacted | Ctrl+Shift+C |
Copy with secrets redacted |
| Sanitized Paste | Ctrl+Shift+V |
Paste with secrets stripped |
| Redact Active File | β | Redact all secrets in current file |
| Redact Selection | β | Redact secrets in selected text |
| Restore Secrets | β | Restore placeholders from Keychain |
| Scan Workspace | β | Full workspace secret audit |
| Show Log | β | Open the Quell output panel |
| Clear Vault | β | Delete all stored secrets from the OS Keychain |
- 100% offline β zero network calls, zero telemetry, zero external APIs
- OS Keychain storage β secrets encrypted at rest by your operating system
- Non-destructive β real values always restorable from the Keychain
- Open source β audit the code yourself
| IDE | Supported | AI Shield |
|---|---|---|
| VS Code | β | .aiignore |
| Cursor | β | .cursorignore |
| Windsurf | β | .windsurfignore |
| Antigravity | β | .antigravityignore |
| Aider | β | .aiderignore |
New to Quell? On first install, a Getting Started walkthrough opens automatically in the VSCode Welcome tab. It walks you through:
- What Quell does and why you need it
- A live demo with fake credentials so you can see detection in action
- The two key shortcuts (
Ctrl+Shift+CandCtrl+Shift+V) - Setting up the AI Indexing Shield
- How your secrets are stored (OS Keychain, fully offline)
You can reopen it anytime from the Command Palette: Quell: Getting Started.
- Install Quell from the VS Code Marketplace
- Follow the onboarding walkthrough
- Press
Ctrl+Shift+Cto copy code safely for AI chat - Enable the AI Indexing Shield in the sidebar to block AI file indexing
- Enable Clipboard Auto-Sanitize in the sidebar for maximum protection
- Use
@quell /contextto safely share.envstructure
MIT β free and open source.