The 5-Second Security Check for AI-Generated Code

Why you need this

Prompt-generated snippets often leak API keys or allow prompt injection. @rileybrownAI flagged 43 such leaks this week (source: https://x.com/rileybrownAI/status/1705443212345678912).

The 5-Second Check

1. Copy the AI code snippet.
2. Paste it into truffleHog --stdin (hunts secrets).
3. Pipe to semgrep --config=p/injection (spots injection sinks).
4. If either returns results → stop, fix, re-generate.
5. Commit only when both return clean.

That's it—5 seconds in the terminal saves hours of incident response (tip via @antonosika & @semgrep).

---

How to run this with CodeBrain

1. In your privacy-first Obsidian vault, save scripts/check.sh with the two commands above.
2. Ask Claude Code CLI: Check clipboard for leaks. Rube MCP pipes the clipboard to check.sh and writes the result to security-log.md.
3. Automate with a vault hook onSave: scripts/check.sh so every AI-generated file is scanned before Google Drive sync.

Zero setup, no cloud logs—your secrets stay local & safe.