I've been using Claude Code and Cursor daily. At some point
I realized I had no idea what those agents could actually
see about me — env vars, SSH keys, AWS credentials,
clipboard, git history, MCP configs.
So I built a scanner to answer that question.
    pip install shadowscan && shadowscan run
It checks 8 categories: environment variables matching
secret patterns, credential files (~/.aws, ~/.netrc,
~/.npmrc), unencrypted SSH keys, .env files, clipboard
content, MCP config files with embedded API keys, git
history for accidentally committed secrets, and /tmp for
sensitive-sounding files.
Zero network calls. Nothing leaves your machine. Secret
values are redacted to 4 chars in output.
Found 3 things on my own machine I didn't know were exposed.
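
Two of the checks listed above (environment variables matching secret patterns, and unencrypted SSH keys), sketched as an added example that is not shadowscan's own code. The name patterns, the function names and the reading of "redacted to 4 chars" as "keep the first 4 characters" are assumptions; the sample inputs are constructed.

```python
import base64
import re
import struct

# Assumed name patterns; the post does not list shadowscan's actual rules.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY", re.I)
MAGIC = b"openssh-key-v1\x00"


def redact(value, keep=4):
    """Keep at most `keep` leading characters; the mask length is fixed."""
    return (value[:keep] if len(value) > keep else "") + "****"


def scan_env(env):
    """Return (name, redacted value) for variables whose name looks secret."""
    return [(k, redact(v)) for k, v in sorted(env.items()) if v and SECRET_NAME.search(k)]


def ssh_key_is_unencrypted(text):
    """True: no passphrase. False: encrypted. None: not a recognised private key."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----(.*?)-----END", text, re.S)
    if not m:
        return None
    label, body = m.group(1).strip(), m.group(2)
    if label == "ENCRYPTED":  # PKCS#8 EncryptedPrivateKeyInfo
        return False
    if label != "OPENSSH":  # legacy PEM (RSA/EC/DSA) or plain PKCS#8
        return "Proc-Type: 4,ENCRYPTED" not in body
    try:
        blob = base64.b64decode("".join(body.split()))
    except ValueError:
        return None
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
        return None
    (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] == b"none"  # ciphername field


def constructed_key(cipher):
    """Header-only stand-in for an OpenSSH key file (constructed, holds no key material)."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    print(scan_env({"AWS_SECRET_ACCESS_KEY": "constructed-value", "EDITOR": "vim"}))
    for c in (b"none", b"aes256-ctr"):
        print(c, ssh_key_is_unencrypted(constructed_key(c)))
```

To run it against a real machine, pass dict(os.environ) to scan_env and the text of each file under ~/.ssh to ssh_key_is_unencrypted.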