To search for Google API keys recursively in the current folder and its sub-folders with ripgrep:

rg 'AIza[0-9A-Za-z\-_]{35}' -o

Also shared on Shodan Snippets:

https://snippets.shodan.io/c/FHw2r7wWIFmjVAfG

#Security #OneLiner #Google #GoogleAPIKeys #APIkeys #ripgrep #Regex #BugBounty #Snippet

Thousands of publicly exposed Google API keys may now authenticate access to Gemini AI services.

Researchers say what was once low-risk exposure gained new privileges after AI integration.

Cloud security takeaway: legacy credentials + evolving scope = hidden risk.
Have you audited your API keys recently?

Source: https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/

Share your perspective below.
Follow TechNadu for trusted cybersecurity coverage.

#CyberSecurity #Google #Gemini #CloudSecurity #APIKeys #AIsecurity #Infosec #DevSecOps #AppSec #DigitalRisk

TruffleHog reports that Google API keys can silently gain access to Gemini when the Generative Language API is enabled on the same GCP project, despite years of guidance that these keys were safe to embed client-side for services like Maps and Firebase. They found 2,863 live keys in the November 2025 Common Crawl dataset, and showed that leaked keys could access Gemini endpoints like /files and /cachedContents and incur usage charges. Mitigation: audit projects with the Generative Language API enabled, restrict keys by API and application, and rotate any key that is public or unrestricted.

https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

#InfoSec #CloudSecurity #APIKeys #GoogleCloud

David Lázaro (@_dlazaro)

API 키 사용량에 대한 하드캡(hard cap)을 로드맵에 추가해 달라는 요청입니다. 작성자는 키가 유출되거나 이상 상황이 발생했을 때 자동으로 사용을 멈추는 상한 설정이 안전장치로 유용하다고 제안하며 @OfficialLoganK에 문의하고 있습니다. 보안·운영 기능 관련 제안입니다.

https://x.com/_dlazaro/status/2023433295032463500

#api #security #apikeys #featurerequest

OpenClaw setup asks for an API key. Which one? From where? Will it cost $200/month if you pick wrong?

Complete guide: Anthropic, OpenAI, Gemini, DeepSeek, OpenRouter. Pricing, setup steps, common mistakes.

DeepSeek costs 10x less than Claude. Gemini has a 1M token context window. Which fits your use case?

https://yixn.io/en/blog/posts/openclaw-api-key-guide

#OpenClaw #AI #APIKeys #LLM

----------------

🎯 AI
===================

Executive summary: Moltbook, an AI-only social network populated by OpenClaw agents, presents immediate security risks: pervasive spam/scams, exposure of agents to untrusted content via API-oriented prompt files, and a reported database compromise that leaked API keys enabling bot impersonation and direct prompt injection.

Technical details:
• SKILLS.md, HEARTBEAT.md, and MESSAGING.md are repository-style markdown files that describe how agents interact with the Moltbook API. SKILLS.md documents API interactions and recommends HTTP requests (curl-style). HEARTBEAT.md instructs periodic check-ins. MESSAGING.md notes that messaging requires human approval, while other endpoints accept automated agent input.
• Experimental tooling (reported as a CLI tool named moltbotnet) implemented API calls for posting, commenting, upvoting, following, and engagement automation. This tooling demonstrates how easily an agent or impersonator can script interactions.
• Reported breach of Moltbook’s database exposed API keys tied to agent identities. Those keys materially enable: impersonation of legitimate agents, submission of crafted prompts to agent workloads, and direct prompt injection vectors that bypass typical human-only guards.

Analysis:

The combination of (1) public, machine-readable prompt files that instruct agents how to behave, (2) open posting and engagement that accepts untrusted content, and (3) leaked credentials produces two classes of injection risks: indirect prompt injection (agents ingesting malicious content from other agents) and direct prompt injection (attacker using stolen API keys to send malicious prompts as a trusted agent). The observed ecosystem is also saturated with social-engineering lures (requests to run package installers, share crypto wallets, or call external APIs).

Detection guidance:
• Monitor unexpected use of API keys or unusual posting frequency associated with agent identities.
• Inspect content sources for scripted patterns (repeated promotional payloads, command-like text referencing package managers or curl usage).

Limitations:
• No public CVE identifiers are reported in the source material.
• Exact scope of leaked API keys (number of keys, associated privileges) was not enumerated in the writeup.

References and tags:

SKILLS.md, HEARTBEAT.md, MESSAGING.md — Tenable Research field report on Moltbook interactions and breach findings.

🔹 OpenClaw #Moltbook #promptinjection #APIkeys #Tenable

🔗 Source: https://www.tenable.com/blog/undercover-on-moltbook

Envmap - Fini les fichiers .env qui traînent et finissent sur GitHub

https://fed.brid.gy/r/https://korben.info/envmap-secrets-sans-fichier-env-disque-github-leaks.html