Here's a security problem most developers don't know they have: every API key your AI coding assistant touches gets saved to an unencrypted local database on your machine.
The mechanics are straightforward. Cursor, [Claude Code](/tools/claude-code/), [GitHub Copilot](/tools/github-copilot/), and similar tools routinely read your .env files as part of normal operation - that's how they help you write integration code. But those files contain secrets: OpenAI API keys, database passwords, AWS credentials. When the AI reads that file, the key gets embedded in the tool's local transcript or state storage. For Cursor, that's a SQLite database sitting at ~/Library/Application Support/Cursor/User/workspaceStorage/. Unencrypted. Readable by any process on your machine.
Sieve is a macOS app built to find these exposed secrets before someone else does. It scans the local storage files left behind by AI coding tools and flags any API keys, tokens, or credentials it finds embedded in chat history. The app is available on the Mac App Store.
The Storage Problem Nobody Warned You About
This isn't a bug in any specific tool - it's a predictable side effect of how AI coding assistants work. To be useful, they need full context about your project. That context includes configuration files with secrets in them. Those secrets end up in conversation logs that persist on disk long after the session ends.
The risk isn't that Cursor or Claude Code uploads your keys anywhere. The concern is local: malware, a compromised development dependency, or any process with file-system access can read these databases without needing elevated permissions. On shared machines or CI environments, the exposure surface gets larger.
Rotating API keys after any session where your AI assistant touched a .env file is the safest practice. But most developers don't do this because they don't know the key was ever saved.
What Sieve Actually Does
Sieve scans the workspace storage directories for Cursor, Claude Code, Cline, and other AI tools and reports which secrets it finds, formatted by tool and session. It's a read-only scanner - it reports findings, it doesn't remediate them. You still need to rotate the flagged keys yourself through each platform's dashboard.
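To make the scanning step concrete, here is a small read-only scanner in the same spirit. It is an added example, not Sieve's code: it opens a SQLite file read-only, walks every table and text/BLOB cell, and flags strings matching two well-known key formats (OpenAI `sk-` keys and AWS access key IDs). The `ItemTable` schema, the file name and the key values are constructed stand-ins for a workspace-storage database.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Two well-known public key formats; a real scanner carries many more.
PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def mask(secret: str) -> str:
    """Report only a prefix/suffix so the finding does not re-expose the key."""
    return secret[:6] + "..." + secret[-4:]

def scan_sqlite(db_path: Path) -> list[dict]:
    """Walk every table and every text/BLOB cell of a SQLite file, flag secret-like strings.
    Opened read-only (mode=ro): scanning must never modify the tool's state store."""
    findings = []
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for row in conn.execute(f'SELECT * FROM "{table}"'):
                for col, cell in zip(cols, row):
                    if isinstance(cell, bytes):  # transcripts are often stored as BLOBs
                        cell = cell.decode("utf-8", "ignore")
                    if not isinstance(cell, str):
                        continue
                    for kind, rx in PATTERNS.items():
                        for m in rx.finditer(cell):
                            findings.append({"kind": kind, "table": table,
                                             "column": col, "masked": mask(m.group(0))})
    finally:
        conn.close()
    return findings

def demo() -> list[dict]:
    """Build a constructed workspace-storage database (one chat turn quoting a .env file),
    scan it, and return the findings. File name, schema and keys are all made up."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "workspace-state.db"
        transcript = ('{"role":"user","text":"my .env has OPENAI_API_KEY=sk-EXAMPLE'
                      + "0" * 30 + ' and AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000"}')
        conn = sqlite3.connect(db)
        conn.execute("CREATE TABLE ItemTable (key TEXT, value BLOB)")
        conn.execute("INSERT INTO ItemTable VALUES (?, ?)", ("chat.history", transcript.encode()))
        conn.commit()
        conn.close()
        return scan_sqlite(db)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:18} {f['table']}.{f['column']}  {f['masked']}")
```

Pointing `scan_sqlite` at a real workspace-storage file shows which keys a tool has persisted; rotating the flagged keys is still a manual step.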
This is a narrow, specific tool. It doesn't monitor in real time, doesn't integrate with secret managers like 1Password or HashiCorp Vault, and doesn't automate the rotation process. What it does is give you a clear inventory of what's been exposed on your machine, which is the piece most developers are currently missing entirely.
If you use any AI coding assistant for work that involves real credentials - which is nearly everyone using these tools professionally - running a scan is worth a few minutes. Finding a six-month-old OpenAI key sitting in a Cursor workspace database is not a comfortable discovery, but finding it before a breach is much better than the alternative.