Claude, OpenAI, Google API Keys... All Public. This Is What I Found After Scanning GitHub at Scale
Zaim Abbasi
Publish Date: Jul 20

Hey devs 👋
I'm Zaim – a backend engineer and student, currently diving deep into LLM security.

A few weeks ago, I was just messing around with GitHub dorks.
You know... the usual:
filename:.env
"sk-" in files pushed last week
Stuff like that.

What I didn’t expect was how many live API keys I’d find.

I'm talking:
OpenAI keys (some still active 💀)
Claude / Anthropic keys
Google Cloud API tokens
and even internal test keys from private orgs that somehow made it into public repos.

Some had been sitting there for weeks. No revokes. No alerts. Just… exposed.

So I built a tool.
Out of curiosity (and lowkey horror), I spun up a crawler and scanner.
It now continuously monitors public GitHub in real time, flagging leaked keys from:
OpenAI
Claude / Anthropic
Gemini / Google
and more...

It turned into a project I call API Radar.
It’s a public dashboard showing:

✅ Real-time leaked API keys
✅ Redacted + raw views
✅ Security leaderboard
✅ Filters by provider
✅ Timeline of exposure
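The core of a scanner like the one described above is a set of per-provider key patterns, an overlap rule so one string is not reported twice, a placeholder filter, and a redaction step so the dashboard never has to hold the raw secret. The block below is an added example written for this page, not code from API Radar. The prefixes (`sk-` / `sk-proj-` for OpenAI, `sk-ant-api` for Anthropic, `AIza` for Google) are assumptions based on commonly published key formats, not something the post states beyond the `sk-` dork, and the `.env` content is constructed, not a real leak:

```python
import hashlib
import re
from dataclasses import dataclass

# Provider patterns, checked in order. The prefixes are ASSUMPTIONS about the
# commonly published formats; the post itself only mentions the "sk-" dork.
# Anthropic comes first because "sk-ant-..." would also satisfy the OpenAI pattern.
PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-api\d{2}-[A-Za-z0-9_-]{20,}\b")),
    ("openai", re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b")),
    ("google", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
]

# Constructed sample .env file (no real credentials); line 5 is a dummy value
# of the kind that shows up in templates and must not be reported as a leak.
SAMPLE_ENV = """\
# constructed sample .env, not real credentials
OPENAI_API_KEY=sk-proj-Ab3dEfGh1JkLmNoPqRsTuVwXyZ0123456789abcdefgh
ANTHROPIC_API_KEY=sk-ant-api03-Zy9xWv8uTs7rQp6oNm5lKj4iHg3fEd2cBa1ZyXwVuTsRqPoNmLkJiHgFeDcBa
GOOGLE_API_KEY=AIzaSyD-EXAMPLE1234567890abcdefghijklmn
PLACEHOLDER=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""


@dataclass(frozen=True)
class Finding:
    provider: str
    redacted: str      # what a public dashboard may show
    fingerprint: str   # stable id for dedup/timeline without storing the key
    line_no: int


def looks_like_placeholder(secret: str, min_distinct: int = 12) -> bool:
    """Drop obvious dummy values (sk-xxxx..., repeated characters).

    Real keys are random and use many distinct characters; templates and docs
    do not. A distinct-character count is a cheap stand-in for an entropy check.
    """
    return len(set(secret)) < min_distinct


def redact(secret: str, keep_prefix: int = 8, keep_suffix: int = 4) -> str:
    """Keep enough of the key to recognise the provider and match a revocation
    log entry, and mask everything in between."""
    hidden = max(len(secret) - keep_prefix - keep_suffix, 0)
    return secret[:keep_prefix] + "*" * hidden + secret[-keep_suffix:]


def fingerprint(secret: str) -> str:
    """Truncated SHA-256 of the secret: lets the same key be tracked across
    commits and repos without the raw value ever leaving the scanner."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def scan_text(text: str) -> list[Finding]:
    """Scan file content line by line and return redacted findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed: list[tuple[int, int]] = []  # spans already attributed to a provider
        for provider, pattern in PATTERNS:
            for match in pattern.finditer(line):
                start, end = match.span()
                # Skip a span already claimed by an earlier (more specific) pattern.
                if any(s < end and start < e for s, e in claimed):
                    continue
                secret = match.group(0)
                if looks_like_placeholder(secret):
                    continue
                claimed.append((start, end))
                findings.append(
                    Finding(provider, redact(secret), fingerprint(secret), line_no)
                )
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f.line_no:>3}  {f.provider:<10} {f.redacted}  id={f.fingerprint}")
```

Two design points worth keeping when building on this: only the redacted form and the fingerprint should ever reach anything public, since a dashboard "raw view" of a live key republishes exactly the secret it is warning about; and the placeholder filter is what keeps a real-time feed from drowning in `sk-xxxx...` template values that are not leaks at all.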

What I’ve seen so far:
📦 9,200+ public repos scanned
🔑 250+ exposed API keys found
⏱️ First leak spotted within 5 minutes of going live
🌍 Keys from projects across Pakistan, US, EU, and more

Some people are literally pushing .env files with live keys and leaving them for days.
Others try to hide them in random config folders, but GitHub’s search… doesn’t miss.

Why it matters
If you’re in security, LLMs, or open source, this matters.
If you're a student, bug bounty hunter, or just curious — this is an underrated goldmine for learning how bad hygiene actually looks in the wild.

It made me rethink how easy it is to mess up API key security — even for big teams.

I’m not trying to sell anything here.
Just want to ask:

Would this help you in CTFs / bug bounties / red teaming?
What else should I track or visualize?
Should I open the scanner as a public API too?

Let me know — curious what the community thinks 🙌
