Description
Hi @ProjectZeroDays,
I came across a potential security issue in your repository Project-Red-Sword. It looks like a Hugging Face API key (and other secrets) may have been accidentally committed to version control in the codespace_user_secrets.json file.
📄 Details:
File: codespace_user_secrets.json
Exposed Key:
"Huggingface API": "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"
Other Sensitive Keys:
GitHub PAT (Classic): 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
Possibly Wakatime
First Found: June 11, 2025
Status: ✅ Key still valid (last verified 4 days ago)
✅ Recommended Actions:
Immediately revoke the exposed API key(s):
For Hugging Face: https://huggingface.co/settings/tokens
For GitHub: https://github.com/settings/tokens
Regenerate new tokens, store them securely, and avoid committing them to your codebase.
Use .env files and GitHub secrets when working with credentials.
Purge secrets from Git history:
Use git filter-repo or BFG Repo-Cleaner
Example using BFG (run from a fresh clone; BFG rewrites history but leaves the old objects in place until reflog/gc removes them):
bfg --delete-files codespace_user_secrets.json
git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push --force --all
Check for any usage abuse on those keys in your Hugging Face/GitHub dashboards.
Let me know if you’d like help cleaning this up or adding .gitignore protections to avoid this in the future. These things happen—glad it was caught early!
Best,
Ankush.
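A pre-commit style check for the two token shapes this report names, added here as an example and not part of the original issue or the Project-Red-Sword repository. It assumes Hugging Face tokens start with hf_ and GitHub classic PATs with ghp_, and treats codespace_user_secrets.json as a file that must never be staged; the sample contents are constructed, not the real leaked values.

```python
"""Scan staged files for the token shapes named in the report (added example).
Assumes 'hf_' / 'ghp_' prefixes and treats codespace_user_secrets.json as a
file that must never be committed; sample contents are constructed, not real."""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Observed token shapes: ghp_ + 36 alphanumerics; hf_ + 34 alphanumerics.
TOKEN_PATTERNS = {
    "GitHub PAT (classic)": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Hugging Face token": re.compile(r"\bhf_[A-Za-z0-9]{34}\b"),
}
DENYLISTED_FILES = {"codespace_user_secrets.json", ".env"}

def redact(token: str) -> str:
    """Report only the prefix and last 4 characters so hook output is safe to share."""
    prefix = token.split("_", 1)[0] + "_"
    return prefix + "*" * (len(token) - len(prefix) - 4) + token[-4:]

def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, finding kind, redacted value) for each leak in path -> content."""
    findings = []
    for path, text in files.items():
        if path.rsplit("/", 1)[-1] in DENYLISTED_FILES:
            findings.append((path, "denylisted file name", ""))
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append((path, kind, redact(match.group(0))))
    return findings

def staged_files() -> Dict[str, str]:
    """Collect staged file contents so the scan can run as a git pre-commit hook."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    return {n: subprocess.run(["git", "show", f":{n}"], capture_output=True,
                              text=True).stdout for n in names}

# Constructed sample input; the token bodies are filler, not real secrets.
SAMPLE = {
    "codespace_user_secrets.json": '{"Huggingface API": "hf_' + "A" * 34 + '"}',
    "config.py": 'GITHUB_TOKEN = "ghp_' + "B" * 36 + '"',
    "README.md": "no credentials here",
}

if __name__ == "__main__":
    hits = scan_files(staged_files() if "--staged" in sys.argv else SAMPLE)
    for path, kind, value in hits:
        print(f"{path}: {kind} {value}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit when used as a hook
```

Install it as .git/hooks/pre-commit with the --staged flag; without the flag it runs against the constructed sample so the patterns can be checked offline.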