AgenticCLI
▮ shipguard is a free, local security gate for AI-built apps — 5 checks in ~2s.  $ npm i -g @agenticcli/shipguard

Claude Code hardcoded a Stripe key. Here's how it happens.

8 min · jun 2026 · severity: critical · category: secrets

Short answer: AI coding agents hardcode secrets because a literal value is the shortest path to a passing test, and linters stay silent because a hardcoded string is valid syntax. The fix is a local security gate — shipguard scan — that knows sk_live_ is a Stripe secret and exits non-zero before you deploy.

Ask an agent to “make checkout work” and it will — and if your key is in the prompt context, it pastes it straight into the source. The test passes. The diff looks clean. You ship.

The exact pattern

It almost always looks like this — a working value used directly instead of an environment lookup:

    - const key = "sk_live_4f8aBc92xK…"
    + const key = process.env.STRIPE_KEY // shipguard: payments:hardcoded-key · critical

Why linters don’t catch it

Linters check style and syntax, not consequence. A hardcoded string is valid JavaScript. What’s needed is a check that knows sk_live_ is a Stripe secret and refuses with a non-zero exit code.

ShipGuard’s secrets check matches 40+ key formats — locally, in about 2 seconds, without your code leaving the machine.

FAQ

Why do AI coding agents hardcode secrets?
The literal value is the shortest path to a passing test. Nothing in the agent loop pushes back — the linter is happy, the types check, the demo works.
Why don't linters catch hardcoded API keys?
Linters check style and syntax. A hardcoded string is valid JavaScript, so it passes. Catching it needs a rule that knows sk_live_ is a Stripe secret and refuses with a non-zero exit code.
How do I stop this before deploy?
Run a local security gate like ShipGuard in your pre-push hook or CI. shipguard scan exits non-zero when it finds a hardcoded secret, blocking the deploy.

────────[ ▮ gate ]────────

Don't ship the next one.

Free, local, no account. Catches this exact bug class before deploy.

$ npx @agenticcli/shipguard scan