TreeFail
When vibe-coding meets production secrets: a security analysis of 378 TreeHacks 2026 hackathon projects.
February 2026
Overview
55 projects had no GitHub link · 28 repos were private or failed to clone
Findings by Secret Type
| Secret Type | Count | Repos |
|---|---|---|
| Generic High-Entropy Secret | 57 | 23 |
| OpenAI API Key | 38 | 2 |
| Google API Key | 25 | 11 |
| Postgres URI | 20 | 12 |
| Private Key | 13 | 7 |
| Supabase Key | 13 | 4 |
| Anthropic API Key | 3 | 3 |
| MongoDB URI | 3 | 1 |
| Firebase URL | 2 | 1 |
| Slack Token | 2 | 1 |
| AWS Access Key | 1 | 1 |
| Twilio Account SID | 1 | 1 |
| Total | 178 | 50 |
Top Repos by Leak Count
All Findings
178 credentials found across 50 repositories. All secrets are redacted.
| Project | Repo | File | Type | Redacted |
|---|---|---|---|---|
| Phone AI | kanakapalli/phone_ai | docs/passwords.sample.yaml:49 | Google API Key | AIza...XXXX |
| Phone AI | kanakapalli/phone_ai | docs/passwords.sample.yaml:22 | Generic High-Entropy Secret | auth...ere' |
| Phone AI | kanakapalli/phone_ai | docs/passwords.sample.yaml:49 | Generic High-Entropy Secret | api_...XXX' |
| Phone AI | kanakapalli/phone_ai | docs/CALL_FLOW_ARCHITECTURE.md:1095 | Postgres URI | post...e_ai |
| Phone AI | kanakapalli/phone_ai | phone_ai_server/docker-compose.yaml:10 | Generic High-Entropy Secret | PASS...35L" |
| Phone AI | kanakapalli/phone_ai | phone_ai_server/docker-compose.yaml:30 | Generic High-Entropy Secret | PASS...LTv" |
| ADEX - Adaptive Data Extraction System | kanakapalli/adex | adex_server/docker-compose.yaml:10 | Generic High-Entropy Secret | PASS...uhY" |
| ADEX - Adaptive Data Extraction System | kanakapalli/adex | adex_server/docker-compose.yaml:30 | Generic High-Entropy Secret | PASS...mTQ" |
| ADEX - Adaptive Data Extraction System | kanakapalli/adex | adex_server/lib/src/videoExtractions/weedit-india-ddab251d446c.json:5 | Private Key | ----...---- |
| ADEX - Adaptive Data Extraction System | kanakapalli/adex | adex_server/lib/src/videoExtractions/videoExration.dart:749 | Private Key | ----...---- |
| AiOn | shikhar0777/anion-rdy | docker-compose.yml:39 | Postgres URI | post...ulse |
| AiOn | shikhar0777/anion-rdy | docker-compose.yml:54 | Postgres URI | post...ulse |
| AiOn | shikhar0777/anion-rdy | apps/api/config.py:23 | Postgres URI | post...ulse |
| alt+cart | Supernova-45/Alt-Cart | web/public/webpages/walmart_backpack.html:12 | Google API Key | AIza...BEMg |
| alt+cart | Supernova-45/Alt-Cart | web/public/webpages/walmart_backpack.html:12 | Google API Key | AIza...RTEo |
| alt+cart | Supernova-45/Alt-Cart | web/public/webpages/walmart_backpack.html:12 | Google API Key | AIza...o1HY |
| alt+cart | Supernova-45/Alt-Cart | web/public/webpages/walmart_backpack.html:12 | Google API Key | AIza...btp0 |
| alt+cart | Supernova-45/Alt-Cart | web/public/webpages/walmart_backpack.html:12 | Google API Key | AIza...KldM |
| Arena | TomBinford/treehacks | backend/test/fixtures/mock-cert.pem:1 | Private Key | ----...---- |
| RELAY – Voice, Search, Stream: Save patients from rigs to ER | vinamra57/relay | docs/gcp-setup.md:29 | Postgres URI | post...elay |
| RELAY – Voice, Search, Stream: Save patients from rigs to ER | vinamra57/relay | docs/gcp-setup.md:36 | Postgres URI | post...sql/ |
| AutoLab Labs | nlee1126/TreeHacks_26 | raman-agent/backend/llm_parser.py:32 | OpenAI API Key | sk-x...xxxx |
| AutoLab Labs | nlee1126/TreeHacks_26 | raman-agent/backend/llm_parser.py:37 | Anthropic API Key | sk-a...xxxx |
| brain2bach | MarkOfUs/brain2bach | runpod_pipeline.py:13 | Generic High-Entropy Secret | API_...owk" |
| Bubble | quinns-children/bubble | quinn/venv/lib/python3.12/site-packages/tornado/test/test.key:1 | Private Key | ----...---- |
| Bubble | quinns-children/bubble | quinn/venv/lib/python3.12/site-packages/tornado/test/auth_test.py:337 | Generic High-Entropy Secret | api_...key" |
| Bubble | quinns-children/bubble | quinn/venv/lib/python3.12/site-packages/aioquic/quic/configuration.py:133 | Private Key | ----...---- |
| Bye! Buy! | jpsingaraju/bye-buy | IMPLEMENTATION.md:240 | Google API Key | AIza...FiEg |
| Carebnb | SonaLily/CAREBnB_ | run-migrations.mjs:62 | Postgres URI | post...gres |
| Carebnb | SonaLily/CAREBnB_ | audio-model/src/models/component4/patient_eval_template.pdf:Zone.Identifier:4 | AWS Access Key | AKIA...UJ26 |
| Cena | nvemuri4649/treehacks-26 | client/rater_agent.py:25 | Generic High-Entropy Secret | api_...key" |
| Curious Catalyst | laasya-konidala/TreeHacks-2026 | learning-companion-extension/background.js:8 | Generic High-Entropy Secret | API_...ERE' |
| .dot: bringing humanity to in-home care | o-bm/dot | voice_agent/voice_agent/.env:5 | Twilio Account SID | AC2e...d860 |
| EdgeLedger | UnknownGod2011/LMAedge | test-gemini-api.js:4 | Google API Key | AIza...MB_k |
| EdgeLedger | UnknownGod2011/LMAedge | test-gemini-api.js:4 | Generic High-Entropy Secret | API_...B_k' |
| EdgeLedger | UnknownGod2011/LMAedge | list-models.js:3 | Google API Key | AIza...MB_k |
| EdgeLedger | UnknownGod2011/LMAedge | list-models.js:3 | Generic High-Entropy Secret | API_...B_k' |
| EdgeLedger | UnknownGod2011/LMAedge | check-api.js:2 | Google API Key | AIza...MB_k |
| EdgeLedger | UnknownGod2011/LMAedge | check-api.js:2 | Generic High-Entropy Secret | API_...B_k' |
| GenUIne | bobdethird/genUIne | lib/tools/hackernews.ts:21 | Firebase URL | http....com |
| GenUIne | bobdethird/genUIne | lib/tools/hackernews.ts:34 | Firebase URL | http....com |
| Gitty.ai | ethanjoby/gitty | src/firebase.ts:7 | Google API Key | AIza...ca-E |
| Gitty.ai | ethanjoby/gitty | src/firebase.ts:7 | Generic High-Entropy Secret | apiK...a-E' |
| Cortex | AdityaYC/Cortex-Treehacks | docs/DISCORD_SLACK_SETUP.md:73 | Slack Token | xoxb...oken |
| Cortex | AdityaYC/Cortex-Treehacks | docs/WINDOWS_ONLY_SETUP.md:80 | Slack Token | xoxb...oken |
| Sprout | lethan3/cactushacks | plant_vision.py:31 | Generic High-Entropy Secret | API_...bvI" |
| HackOverflow: Stack Overflow for AI Agents | vrinda-inani/treehacks26 | api/seed.py:16 | Generic High-Entropy Secret | API_...w==" |
| HackOverflow: Stack Overflow for AI Agents | vrinda-inani/treehacks26 | api/seed2.py:17 | Generic High-Entropy Secret | API_...w==" |
| FrontLine | sanjanas18/frontline | operator-dashboard/public/zoom-sdk/zoom-sdk-web-5.1.2/Local/localhost.key:1 | Private Key | ----...---- |
| FrontLine | sanjanas18/frontline | operator-dashboard/public/zoom-sdk/zoom-sdk-web-5.1.2/CDN/localhost.key:1 | Private Key | ----...---- |
| Hexi | IvanRatushnyy/TreeHacks-2026 | saging-api/scripts/setup_aws.py:41 | Anthropic API Key | sk-a...sole |
| ICEalert | coderkai03/icealert | src/webrtc/frontend/landing.html:101 | Generic High-Entropy Secret | API_...Y__' |
| ICEalert | coderkai03/icealert | src/webrtc/frontend/video.html:96 | Generic High-Entropy Secret | API_...Y__' |
| ICEalert | coderkai03/icealert-mobile | .env:3 | Supabase Key | eyJh...cHEM |
| Kardashev | 3LucasZ/kardashev | config.py:27 | Anthropic API Key | sk-a...XAAA |
| Kardashev | 3LucasZ/kardashev | config.py:27 | Generic High-Entropy Secret | api_...AAA" |
| Lets-Cook | UnknownGod2011/LetsCook | README.md:68 | Generic High-Entropy Secret | API_...ere" |
| Lets-Cook | UnknownGod2011/LetsCook | README.md:69 | Generic High-Entropy Secret | API_...ere" |
| Lets-Cook | UnknownGod2011/LetsCook | README.md:70 | Generic High-Entropy Secret | API_...ere" |
| Lets-Cook | UnknownGod2011/LetsCook | api_keys_config.txt:5 | Google API Key | AIza...pttg |
| Lets-Cook | UnknownGod2011/LetsCook | lib/core/services/revenuecat_service.dart:6 | Generic High-Entropy Secret | ApiK...RTn' |
| Lets-Cook | UnknownGod2011/LetsCook | lib/core/services/gemini_service.dart:12 | Google API Key | AIza...pttg |
| Lets-Cook | UnknownGod2011/LetsCook | lib/core/config/environment.dart:13 | Generic High-Entropy Secret | ApiK...ere' |
| Lets-Cook | UnknownGod2011/LetsCook | lib/core/config/environment.dart:17 | Generic High-Entropy Secret | ApiK...ere' |
| Lets-Cook | UnknownGod2011/LetsCook | lib/core/config/environment.dart:21 | Generic High-Entropy Secret | ApiK...ere' |
| Lets-Cook | UnknownGod2011/LetsCook | letscook_server/letscook_server_server/docker-compose.yaml:10 | Generic High-Entropy Secret | PASS...bQb" |
| Lets-Cook | UnknownGod2011/LetsCook | letscook_server/letscook_server_server/docker-compose.yaml:30 | Generic High-Entropy Secret | PASS...XMo" |
| Longshot | andrewcai8/agentswarm | generated-repos/decagon-assistant/README.md:33 | Postgres URI | post...tant |
| MeBoard | emngarcia/MeBoard | MeBoard/MeBoard.keyboard/KeyboardViewController.swift:10 | Supabase Key | eyJh...nQoY |
| MeBoard | emngarcia/MeBoard | MeBoard/MeBoard/dashboard.swift:39 | Supabase Key | eyJh...nQoY |
| MeBoard | emngarcia/MeBoard | MeBoard/MeBoard/ChatAPI.swift:82 | Supabase Key | eyJh...nQoY |
| Memoria | jason-zhxn/memoria | web/test-liveavatar.js:6 | Generic High-Entropy Secret | API_...369' |
| Memoria | jason-zhxn/memoria | web/test-heygen.js:6 | Generic High-Entropy Secret | API_...cow' |
| Mira Mira on Da Wall | 23jmo/mirrorless | docs/plans/2026-02-14-data-scraping-pipeline.md:1659 | Postgres URI | post...uire |
| Mira Mira on Da Wall | 23jmo/mirrorless | jenny/generate-scripted.sh:11 | Generic High-Entropy Secret | API_...7ce" |
| Mira Mira on Da Wall | 23jmo/mirrorless | jenny/src/config.js:4 | Google API Key | AIza...rWgc |
| Mira Mira on Da Wall | 23jmo/mirrorless | jenny/src/config.js:4 | Generic High-Entropy Secret | API_...Wgc' |
| Mira Mira on Da Wall | 23jmo/mirrorless | jenny/src/config.js:8 | Generic High-Entropy Secret | API_...7ce' |
| Mira | nathanjzhao/treehacks2026 | explorer/gemini_client.py:23 | Google API Key | AIza...6lv4 |
| Mira | nathanjzhao/treehacks2026 | explorer/gemini_client.py:18 | Generic High-Entropy Secret | API_...523" |
| Mira | nathanjzhao/treehacks2026 | explorer/gemini_client.py:23 | Generic High-Entropy Secret | API_...lv4" |
| Mira | nathanjzhao/treehacks2026 | explorer/openrouter_client.py:13 | Generic High-Entropy Secret | API_...523" |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README.md:28 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README.md:28 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README_ko.md:28 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README_ko.md:28 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README_ja.md:28 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README_ja.md:28 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README_zh.md:29 | Supabase Key | eyJh...t5T4 |
| Omni AI: The Fully Autonomous Multi-Agent Digital Assistant | adhvaidhsunny/omni-ai | open-source-tools/OpenManus/README_zh.md:29 | Supabase Key | eyJh...t5T4 |
| Other Memories | AlessandroMason/treehack_front | PRISMA_SETUP.md:11 | Postgres URI | post...res` |
| Other Memories | AlessandroMason/treehacks_back | migrating_data/new_path/ring-database-firebase-adminsdk-essjy-0cfe7d82d0.json:5 | Private Key | ----...---- |
| Pilot | arihanv/pilot | ios/Sotos/Sotos/LiveModeManager.swift:59 | Generic High-Entropy Secret | APIK...9UF" |
| Pilot | arihanv/pilot | ios/Sotos/Sotos/Config.swift:6 | Supabase Key | eyJh...3LFI |
| Pilot | arihanv/pilot | ios/Sotos/Sotos/Config.swift:3 | Generic High-Entropy Secret | APIK...a03" |
| Plantasia | suchithh/plantasia | keys.md:4 | Google API Key | AIza...6qqU |
| Shepherd | tonywangs/shepherd | README.md:225 | Generic High-Entropy Secret | APIK...KEY" |
| Shepherd | tonywangs/shepherd | README.md:226 | Generic High-Entropy Secret | APIK...KEY" |
| RecoveryLab: Personalized AI-Powered Physical Therapy | jamesgu888/RecoveryLab | lib/firebase.ts:7 | Google API Key | AIza...ha4M |
| RecoveryLab: Personalized AI-Powered Physical Therapy | jamesgu888/RecoveryLab | lib/firebase.ts:7 | Generic High-Entropy Secret | apiK...a4M" |
| Reflex | HikaruSadashi/reflex-backend | README.md:52 | Postgres URI | post...name |
| sched | not-aryan/sched | Dockerfile:21 | Postgres URI | post...ummy |
| sched | not-aryan/sched | Dockerfile:22 | Postgres URI | post...ummy |
| ShadowGuard | shamanthak-hegde/ShadowGuard | README.md:119 | Postgres URI | post...ard` |
| ShadowGuard | shamanthak-hegde/ShadowGuard | docker-compose.yml:27 | Postgres URI | post...uard |
| ShadowGuard | shamanthak-hegde/ShadowGuard | backend/database.py:13 | Postgres URI | post...uard |
| ShadowGuard | shamanthak-hegde/ShadowGuard | backend/database.py:18 | Postgres URI | post...name |
| ShotSpot | aedutta/shot-spot-treehacks-26 | test.py:38 | MongoDB URI | mong...net/ |
| ShotSpot | aedutta/shot-spot-treehacks-26 | db.py:32 | MongoDB URI | mong...net/ |
| ShotSpot | aedutta/shot-spot-treehacks-26 | docs/DEPLOY.md:22 | MongoDB URI | mong...net/ |
| SleepSense | raj-chinagundi/treehacks-26 | hardware/esp32_serial_blocking/esp32_serial_blocking.ino:17 | Private Key | ----...---- |
| TigerPop | angelztang/treehacks26 | backend/create_tables.py:5 | Postgres URI | post...uire |
| TORQ | bryandong24/treehacks2026 | openpilot/panda/certs/debug:1 | Private Key | ----...---- |
| TORQ | bryandong24/treehacks2026 | openpilot/system/hardware/tici/id_rsa:1 | Private Key | ----...---- |
| TORQ | bryandong24/treehacks2026 | sunnypilot/panda/certs/debug:1 | Private Key | ----...---- |
| TORQ | bryandong24/treehacks2026 | sunnypilot/system/hardware/tici/id_rsa:1 | Private Key | ----...---- |
| VEDA - AI Coach | kanakapalli/veda | README.md:71 | Generic High-Entropy Secret | ApiK...KEY' |
| VEDA - AI Coach | kanakapalli/veda | README.md:75 | Generic High-Entropy Secret | Pass...ORD' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:44 | Google API Key | AIza...iqRc |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:54 | Google API Key | AIza...NVQE |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:62 | Google API Key | AIza...XpNY |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:71 | Google API Key | AIza...XpNY |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:80 | Google API Key | AIza...iqRc |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:44 | Generic High-Entropy Secret | apiK...qRc' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:54 | Generic High-Entropy Secret | apiK...VQE' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:62 | Generic High-Entropy Secret | apiK...pNY' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:71 | Generic High-Entropy Secret | apiK...pNY' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/firebase_options.dart:80 | Generic High-Entropy Secret | apiK...qRc' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/lib/services/revenue_cat_service.dart:26 | Generic High-Entropy Secret | apiK...ryA' |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/ios/Runner/GoogleService-Info.plist:6 | Google API Key | AIza...XpNY |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/android/app/google-services.json:18 | Google API Key | AIza...NVQE |
| VEDA - AI Coach | kanakapalli/veda | veda_flutter/macos/Runner/GoogleService-Info.plist:6 | Google API Key | AIza...XpNY |
| VEDA - AI Coach | kanakapalli/veda | veda_server/docker-compose.yaml:10 | Generic High-Entropy Secret | PASS...WnX" |
| VEDA - AI Coach | kanakapalli/veda | veda_server/docker-compose.yaml:30 | Generic High-Entropy Secret | PASS...zWW" |
| Veridian | VeridianTH/Veridian | scripts/apply_migrations.sh:4 | Postgres URI | post...res) |
| Veridian | VeridianTH/Veridian | scripts/apply_migrations.sh:13 | Postgres URI | post...res) |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:155 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:203 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:379 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:459 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:1035 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:1067 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:2324 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:2612 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:2756 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:3092 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:3172 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/validation_report_demo.json:3364 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:155 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:203 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:379 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:459 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:1035 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:1067 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:2324 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:2612 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:2756 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:3092 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:3172 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/validation_report_demo.json:3364 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/test_sample/src/user_service.py:6 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | examples/test_sample/test_sample/src/user_service.py:6 | Generic High-Entropy Secret | API_...def" |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:47 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:520 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:785 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:878 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:1298 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:1302 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:2566 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:3132 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:3499 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:3503 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:3670 | OpenAI API Key | sk-1...cdef |
| VibeRight | dennisliang01/VibeCheck | Backend/weather-report.json:3791 | OpenAI API Key | sk-1...cdef |
| Voice of Reason | lc0001coll/ytFactChecker_TH2026 | main.py:11 | Generic High-Entropy Secret | api_...KEY" |
| Voice of Reason | lc0001coll/ytFactChecker_TH2026 | auditor.py:70 | Generic High-Entropy Secret | API_...mla" |
| EmberWatch | ojas-sanghi/treehacks-2026-wildfires | README.md:170 | Generic High-Entropy Secret | API_...ere" |
| EmberWatch | ojas-sanghi/treehacks-2026-wildfires | docs/DATA_SETUP.md:66 | Generic High-Entropy Secret | API_...ere" |
Methodology
1. Project Discovery
Scraped all 378 project submissions from the TreeHacks 2026 Devpost page. Extracted GitHub repository links from each project listing.
2. Repository Cloning
Cloned all public GitHub repositories. 55 projects had no GitHub link, 25 were private, and 3 failed to clone (timeout).
3. Secret Scanning
Ran regex-based secret detection across all cloned repos, scanning for API keys, database URIs, private keys, tokens, and other credential patterns.
4. Redaction & Reporting
All detected secrets were immediately redacted. Only the first 4 and last 4 characters are shown. No credentials were tested, stored, or shared in plain text.
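A minimal sketch of steps 3 and 4, added here as an example and not the scanner used for this report: regex detection over file contents, redaction to the first 4 and last 4 characters, and a triage label for vendored paths and placeholder values. The patterns, the triage rules, the short-value masking and the sample files are assumptions; the report does not publish its rule set.

```python
import re
from dataclasses import dataclass

# Widely published formats for a few secret types from the findings table.
# Assumption: these are not the report's own rules, which the page does not list.
PATTERNS = {
    "Google API Key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Slack Token": re.compile(r"xox[baprs]-[0-9A-Za-z\-]{10,}"),
    "Postgres URI": re.compile(r"postgres(?:ql)?://[^\s:@/]+:[^\s@/]+@[^\s'\"`)]+"),
    "Private Key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
}

# Triage hints (an addition, not part of the report's method).
VENDORED = re.compile(r"(^|/)(venv|\.venv|site-packages|node_modules|vendor)(/|$)")
PLACEHOLDER = re.compile(r"(?i)your|example|changeme|dummy|placeholder|xxxx")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    secret_type: str
    redacted: str
    triage: str  # "vendored", "placeholder" or "review"


def redact(value: str) -> str:
    """Show only the first 4 and last 4 characters, as the report does."""
    if len(value) <= 8:  # assumption: mask short values entirely
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def triage(path: str, value: str) -> str:
    """Label likely noise so real leaks are reviewed first."""
    if VENDORED.search(path):
        return "vendored"
    if PLACEHOLDER.search(value):
        return "placeholder"
    return "review"


def scan(files: dict[str, str]) -> list[Finding]:
    """Scan {path: text}; the raw match never leaves this function."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for secret_type, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    raw = match.group(0)
                    findings.append(
                        Finding(path, lineno, secret_type, redact(raw), triage(path, raw))
                    )
    return findings


# Constructed sample input: none of these values is a real credential.
SAMPLE = {
    "src/firebase.ts": 'const apiKey = "AIza' + "A1b2C" * 7 + '";\n',
    "docs/passwords.sample.yaml": "api_key: 'AIza" + "X" * 35 + "'\n",
    "venv/lib/python3.12/site-packages/pkg/test/test.key": "-----BEGIN PRIVATE KEY-----\n",
    "docker-compose.yml": "services:\n  DATABASE_URL: postgresql://app:" + "s3cr3tPw" + "@db:5432/app\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.path}:{f.line} | {f.secret_type} | {f.redacted} | {f.triage}")
```

The "vendored" and "placeholder" labels only set review priority; a match in either group still needs a person to confirm it is not a live credential.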
Responsible Disclosure
This research was conducted for educational purposes. All secrets are redacted in this report. If you find your project listed and want to rotate your credentials, check out the GitHub Secret Scanning docs. If you'd like your project removed from this report, please reach out.
Projects Not Scanned
Projects without GitHub links (55)
Private / failed repos (28)
| Project | Status | Error |
|---|---|---|
| AERO//SAR | private_repo | repository not found or private |
| Tidepool Education | private_repo | repository not found or private |
| EMResponse | private_repo | repository not found or private |
| Bella | private_repo | repository not found or private |
| BossRoom - Gamifying Work Across 900+ Apps | private_repo | repository not found or private |
| bubbdy - ai lancher | private_repo | repository not found or private |
| CalTrack | private_repo | repository not found or private |
| CoJam | private_repo | repository not found or private |
| Daylight | private_repo | repository not found or private |
| general magic | private_repo | repository not found or private |
| Happy Moments | private_repo | repository not found or private |
| kin.ai | private_repo | repository not found or private |
| Project helper | private_repo | repository not found or private |
| Salus | private_repo | repository not found or private |
| School of Fish | private_repo | repository not found or private |
| Sentinel | private_repo | repository not found or private |
| SEO Ghostwriter Agent | private_repo | repository not found or private |
| ServeNow | private_repo | repository not found or private |
| SiriClaw - an AI agent that executes tasks on your phone. | private_repo | repository not found or private |
| Spartan \| Edge AI Situational Helmet for First Responders | private_repo | repository not found or private |
| Sunday | private_repo | repository not found or private |
| Carets | private_repo | repository not found or private |
| The First Match | private_repo | repository not found or private |
| Trading in XR with pico | private_repo | repository not found or private |
| YOGA-XR | private_repo | repository not found or private |
| Drifter | error | clone timeout |
| Tribune | error | clone timeout |
| VIPER | error | clone timeout |