Exposed OpenRouter API Keys? Secret Scanning Alert from GitHub

[cybersader]

I use Obsidian Git and tried pushing to my repo and was alerted of the use of two OpenRouter API Keys prepended with "sk-or-v1" in them in the code. Let me know if these are placeholders or false positives. I usually put the data.json parts in my gitignore since that's usually where custom API keys go. However, it seems like these are being baked into the source code itself.

[brianpetro]

I would exclude the .smart-env/ folder in your gitignore to ensure data protection and also to prevent any sync issues. Since the plugin implements the Smart Environment concept, settings that aren't specific to Obsidian (including API keys), may be stored in .smart-env/smart_env.json.

If it seems like it's in the source code, the Open Router keys could just be some keys I included so new users could easily try the Smart Chat (I too get a lot of those warnings about my keys being exposed seemingly anytime someone forks the project).

🌴

[huyz]

I just checked my .gitignore and .smart-env has already been added.

[brianpetro]

As long as your .smart-env folder isn't being committed to GitHub then the only keys that might trigger this warning are compiled into the plugin code 🌴

[cybersader]

If the exposed key is merely one that's a sort of "demo" key, then that's not as bad. I'm sure you're well aware of the risks of exposing API keys "to the kingdom." If sensitive data can be exposed this way, then it is problematic. I guess there would need to be full authentication to get around this sort of thing. I haven't developed a plugin myself yet, so I'm not aware of how hard it is to do such a thing. I would just make sure that any free testing keys are still limited in the scope of access they have. Then again, may not be a huge risk. Thanks for the clarification.