GhostType: Open‑Source Forensic Scanner for Leaked Credentials in AI Chat Histories

GhostType is an open‑source forensic scanner that parses local conversation files from popular AI coding assistants, uses TruffleHog’s 800+ detectors plus custom regex rules to locate exposed API keys or passwords, verifies their validity in real time, and outputs detailed JSON or CSV reports for red‑team or DLP use.

Black & White Path

Tool Background

GhostType is an open‑source local forensic scanner that parses conversation history files from mainstream AI coding assistants and extracts credential‑type secrets. It integrates TruffleHog’s detector library (over 800 structured detectors) and performs real‑time API verification to determine whether a discovered credential is still valid. Intended use cases include authorized penetration testing, red‑team operations, and enterprise DLP detection.

Core Capabilities

Multi‑AI Tool Coverage: Parses conversation files from Claude Code CLI, Cursor IDE, Codex CLI, ChatGPT Desktop, and Claude Desktop.

Dual Detection Engine: Combines TruffleHog (800+ structured detectors + live API verification) with a built‑in regex engine (30 regex patterns and 10 heuristic rules) to capture both structured and unstructured leaks.

Credential Real‑Time Verification: TruffleHog contacts the issuing service’s API and marks each finding with verified: true or verified: false.

Forensic Output Traceability: Each detection record includes the source file path, the exact chunk location, and surrounding context for precise back‑tracking.

Offline Fast Scan: The --no-verification flag skips API checks, enabling rapid results when verification is unnecessary.

Flexible Output Formats: Supports JSON and CSV exports; each record contains fields such as tool, detector_name, severity, verified, secret_value, and file_path.

macOS Native Support: Uses the macOS Keychain to decrypt ChatGPT Desktop’s AES‑128‑CBC encrypted data files.
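
Because each exported record carries secret_value in plaintext, the report is itself sensitive. The following is an added example, not GhostType's own code, of a DLP-side triage step that collapses findings per unique secret, ranks verified ones first, and emits only a fingerprint and a masked value. It assumes the JSON export is a list of records using the field names listed above; the tool labels, severity values, paths, and secrets in the sample are constructed.

```python
import hashlib
import json

# Constructed sample report. Field names come from the article; the
# list-of-records layout, tool labels and severity values are assumptions.
SAMPLE_REPORT = json.dumps([
    {"tool": "claude-code", "detector_name": "AWS", "severity": "high",
     "verified": True, "secret_value": "AKIACONSTRUCTED00001",
     "file_path": "/constructed/claude/session1.jsonl"},
    {"tool": "cursor", "detector_name": "AWS", "severity": "high",
     "verified": True, "secret_value": "AKIACONSTRUCTED00001",
     "file_path": "/constructed/cursor/state.db"},
    {"tool": "codex", "detector_name": "GitHub", "severity": "medium",
     "verified": False, "secret_value": "ghp_constructedtoken0000",
     "file_path": "/constructed/codex/history.jsonl"},
])


def fingerprint(secret: str) -> str:
    """SHA-256 prefix: lets a ticket track one secret without storing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def redact(secret: str) -> str:
    """Keep the first four characters for recognition, mask the rest."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def triage(report_json: str) -> list[dict]:
    """Collapse findings per unique secret; verified, widely copied ones first."""
    groups: dict[str, dict] = {}
    for rec in json.loads(report_json):
        fp = fingerprint(rec["secret_value"])
        g = groups.setdefault(fp, {
            "fingerprint": fp, "redacted": redact(rec["secret_value"]),
            "detector_name": rec["detector_name"], "verified": False,
            "tools": set(), "files": set()})
        g["verified"] = g["verified"] or bool(rec.get("verified"))
        g["tools"].add(rec["tool"])
        g["files"].add(rec["file_path"])
    ordered = sorted(groups.values(),
                     key=lambda g: (not g["verified"], -len(g["files"])))
    # Sets become sorted lists so the result can be serialized to JSON.
    return [{**g, "tools": sorted(g["tools"]), "files": sorted(g["files"])}
            for g in ordered]


if __name__ == "__main__":
    for item in triage(SAMPLE_REPORT):
        print(json.dumps(item))
```

The files list per fingerprint shows every chat history that needs cleaning after the credential is rotated.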

System Requirements

Python 3.11+

TruffleHog 3.x (install via brew install trufflehog)

macOS (Linux/Windows path support is planned on the roadmap)

Repository: https://github.com/xFreed0m/ghosttype

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
