Learn from my stupid mistake and don't get your API key revoked :)

[xsoc]

Hey all, just wanted to share a cautionary tale. I was trying out the latest release of ShellGPT with the new --model support and got an error 404 message. I tried several variations and I was pretty sure this was bug that must have slipped through into the release. Wanting to be a good citizen and contribute to the project, I dutifully copied and pasted the error output into a bug report without thinking twice (#158). Little did I know, my OpenAI API key was also in that error message and was exposed along with the report. OpenAI revoked my key almost immediately and sent me an email notifying me of the incident.

Hi there,
Your OpenAI API key was determined to have been leaked, which has triggered a key disable and this friendly notification email.
This may be because you committed your API key to an online service such as GitHub, or your key may have been compromised in another way.
Don't worry, you still have API access! Head over to the API Keys page to create a new API key.
If your API key was stored in any locations - for instance, in code you are running - it will need to be updated before you can run this code again.
Finally, we ask that you please review our best practices for API key safety.
Best,
The OpenAI team

Lesson learned - always double check what you're copying and pasting, especially when it comes to sensitive information!

[TheR1D]

OpenAI is being nice 🙂 I wonder how they check for API key leaks. There is a lot of data being shared on GitHub every second.

[xsoc]

It might be as simple as polling the GitHub search
https://github.com/search?o=desc&q=openai+sk-&s=created&type=Issues

[dummy-work-account]

It's a service GitHub offers to their partners, or anyone with a corporate plan
https://docs.github.com/en/code-security/secret-scanning

[TheR1D]

I created #160 to address this issue, which has occurred multiple times for several users of sgpt.