gotr00t0day

Extract and assess exposed Google Cloud (AIza) API keys from web pages. Built for bug bounty hunters and security researchers.

100% credibility
Found Mar 07, 2026 at 10 stars.
AI Analysis
Python
AI Summary

KeyReaper scans websites for exposed Google Cloud credentials and assesses their access to various services like maps, AI, and vision for security research.

How It Works

1. 🕵️ Spot risky websites: You notice some websites might have accidentally left secret access codes visible to anyone.
2. 📥 Grab the checker: Download the straightforward scanning tool to your computer.
3. 📝 List sites to check: Prepare a single web address or a list of pages you want the tool to examine.
4. 🔍 Launch the scan: Hit start and watch it comb through the pages and connected files for hidden codes.
5. Pick your depth:
   - 📋 Quick list: Get a clean list of all found codes right away.
   - 🧪 Deep test: Test each code against popular services like maps, AI, and search to see the risks.
6. 📊 See the discoveries: Review which codes were found and exactly what powerful features they can reach.

🏆 Help secure the web: Save your report and share it with site owners to fix the exposure and earn rewards.

AI-Generated Review

What is KeyReaper?

KeyReaper scans web pages to extract exposed Google Cloud API keys (AIzaSy format), pulling them from URLs, lists, or even key files for standalone assessment. It follows external JS scripts, validates keys against Gemini, and probes 15 APIs like Maps Geocoding, Cloud Vision, and YouTube Data to report accessible endpoints and risks like quota abuse or data leaks. Built in pure Python 3.6+ with no dependencies, it outputs clean TSV results for bug reports.

Why is it gaining traction?

Zero dependencies and concurrent workers (up to 20) make it faster than manual curl chains or heavy scanners for key extraction and assessment. It handles referer restrictions and delivers impact summaries, like "LLM access via Gemini", that justify bounties, standing out from basic regex tools. Bug hunters dig the CLI flags for loose matching or quiet mode, plus the GitHub secret extraction feel for repo audits.

Who should use this?

Bug bounty hunters scanning client-side JS for GCP leaks during recon. Security researchers checking pull requests or live sites for exposed secrets. Red teams checking for Maps/Translation access during assessments.

Verdict

Grab it for quick GCP key reaper runs if you're in bounties—thorough docs and real API probes punch above 10 stars. But 1.0% credibility signals early maturity; no tests means vet outputs carefully until broader adoption hits.
