Every developer who has ever pasted an API key into Claude Code knows the feeling: that little warning flashes up saying your key may have leaked, and by then it's already sitting in your local *.jsonl transcript forever — rotated or not. It's a three-way hit: the key goes to Anthropic's API as part of your prompt, gets written to disk in plain text, and the model correctly flags it after the damage is done. One careless paste, three exposure points. A developer going by albemiglio got tired of that cycle and built Keyward — a small, open-source Claude Code plugin that makes the careful part automatic.

How Keyward Works

Keyward hooks into Claude Code's UserPromptSubmit lifecycle event, which fires before your message reaches the model. When it detects what looks like a secret — using regex patterns for roughly 20 providers, explicit /key markers, and optional gitleaks integration — it takes a three-step action: it saves the raw value to a per-secret .txt file under ~/.claude/secrets/ with chmod 600 file permissions, blocks the original leaking prompt from ever reaching the model, and then re-submits a sanitized version in which the key is replaced by an angle-bracketed placeholder. From the user's perspective, one Enter press triggers a flash of the blocked message followed immediately by its clean replacement.

The Tricky Part: You Can't Rewrite a Prompt

The most interesting technical detail albemiglio shared is that Claude Code's UserPromptSubmit hook can only add context or block a prompt outright — it cannot rewrite one silently. That's an intentional design decision to prevent plugins from quietly modifying user intent, like turning "delete file X" into "delete file Y." So Keyward can't just swap the key transparently. Instead, its workaround is to block the leaking prompt and spawn a detached background process that uses OS-level automation to paste the sanitized text and simulate pressing Enter — all without any visible scripting window. The plugin handles this differently per platform: osascript on macOS (requires Accessibility permission), xdotool for Linux X11, wtype for Wayland compositors like Sway or Hyprland, and PowerShell SendKeys on Windows. For headless environments like SSH sessions or Docker containers where no display server exists, Keyward still saves and sanitizes secrets when KEYWARD_DISABLE_PASTE=1 is set — you just paste the sanitized prompt manually.
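
To make the detect-save-block-resubmit flow from the two sections above concrete, here is an added example of that core logic; it is not Keyward's code. The provider regexes, the "/key <value>" marker syntax, and the decision dict returned by hook_decision are all assumptions of this example, and the secrets directory is passed in rather than fixed to ~/.claude/secrets.

```python
import os
import re
from pathlib import Path

# Constructed, illustrative patterns for three providers (assumption: Keyward's
# own set covers roughly 20 providers; these are not its regexes).
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+\b"),
}
# Assumed syntax for the explicit marker the article mentions: "/key <value>".
MARKER = re.compile(r"/key\s+(\S+)")


def save_secret(secrets_dir: Path, name: str, value: str) -> Path:
    """Write one secret to <secrets_dir>/<name>.txt, created 0600 and kept 0600."""
    secrets_dir.mkdir(parents=True, exist_ok=True)
    path = secrets_dir / f"{name}.txt"
    # Create with the restrictive mode up front so there is no window in which
    # the file exists with a looser mode; re-chmod in case it already existed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    os.chmod(path, 0o600)
    return path


def sanitize_prompt(prompt: str, secrets_dir: Path):
    """Return (sanitized_prompt, saved_names); an empty list means nothing leaked."""
    saved = []

    def stash(name, value):
        # A second secret of the same kind gets a numeric suffix so files don't collide.
        label = name if name not in [s for s, _ in saved] else f"{name}_{len(saved)}"
        save_secret(secrets_dir, label, value)
        saved.append((label, value))
        return f"<{label}>"

    text = MARKER.sub(lambda m: stash("marked_key", m.group(1)), prompt)
    for name, pat in PATTERNS.items():
        text = pat.sub(lambda m, n=name: stash(n, m.group(0)), text)
    return text, [label for label, _ in saved]


def hook_decision(prompt: str, secrets_dir: Path) -> dict:
    """Let a clean prompt through untouched; otherwise block it and hand back the
    sanitized text for re-submission (dict shape is this example's own)."""
    sanitized, names = sanitize_prompt(prompt, secrets_dir)
    if not names:
        return {"decision": "allow"}
    return {"decision": "block", "resubmit": sanitized, "saved": names}
```

The only value that leaves this code is the placeholder; the raw secret goes to disk and nowhere else, which is what makes the later export GITHUB_TOKEN=$(cat ...) pattern safe to reuse.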

Using Saved Keys Without Re-Leaking Them

Keyward bundles a skill that teaches Claude Code how to consume the saved secret without ever printing it back into the context. A safe pattern looks like: export GITHUB_TOKEN=$(cat ~/.claude/secrets/github_pat_classic.txt) && gh api /user. The key value flows from disk directly into a process's environment variable, never touching stdout — which means no accidental re-exposure through echo or print statements.

Key Takeaways

  • Secrets are stored as plaintext chmod 600 files — same trust model as ~/.aws/credentials or .env files, not encrypted at rest
  • The plugin is MIT-licensed, requires zero network calls, and ships with no telemetry
  • ~35 tests run across CI on macOS, Linux, and Windows
  • Installation is two commands: /plugin marketplace add albemiglio/keyward then /plugin install keyward@keyward

The Bottom Line

Keyward isn't trying to replace your secret manager — the author is upfront that it stores plaintext and operates in a trust model you should already be familiar with. What it does is solve a specific, annoying problem: the moment of panic when you realize you've just pasted a live API key into an AI chat session. For vibecoders moving fast, "be careful" isn't a strategy — it's a prayer. This is a pragmatic safety net that deserves a look.