Leaked Credentials Detected
Hi there! While reviewing public repositories submitted to the Gemini Live Agent Challenge, we ran an automated security scan and found exposed credentials in this repo.
This repository contains high-severity leaked credentials (private-key). These credentials may grant access to external services and should be revoked immediately.
What was found
| File |
Credential Type |
.streamlit/extendFaceBookToken.py |
generic-api-key |
.streamlit/verifyKeysold.py |
private-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube.html.static |
gcp-api-key, generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_age_restricted.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_altered_user_agent.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_po_token_required.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_request_blocked.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_too_many_requests.html.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_transcripts_disabled.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_transcripts_disabled2.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_unplayable.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_video_unavailable.innertube.json.static |
generic-api-key |
Reddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_ww1_nl_en.innertube.json.static |
generic-api-key |
Recommended actions
- Revoke and rotate all exposed credentials immediately
- Remove secrets from code — use environment variables or a secrets manager instead
- Add
.env to .gitignore to prevent future commits of secret files
- Scrub git history — even after deleting the file, secrets remain in git history. Use git-filter-repo or BFG Repo-Cleaner to remove them
- Consider using Google Secret Manager for production deployments
About this scan
This issue was created as part of a responsible disclosure effort after scanning public hackathon submissions. No credentials were used or exploited — only a read-only API endpoint was called to check if keys were active. The actual secret values are not included in this issue.
If you believe this is a false positive, feel free to close this issue.
Leaked Credentials Detected
Hi there! While reviewing public repositories submitted to the Gemini Live Agent Challenge, we ran an automated security scan and found exposed credentials in this repo.
This repository contains high-severity leaked credentials (private-key). These credentials may grant access to external services and should be revoked immediately.
What was found
.streamlit/extendFaceBookToken.pygeneric-api-key.streamlit/verifyKeysold.pyprivate-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube.html.staticgcp-api-key,generic-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_age_restricted.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_altered_user_agent.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_po_token_required.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_request_blocked.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_too_many_requests.html.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_transcripts_disabled.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_transcripts_disabled2.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_unplayable.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_video_unavailable.innertube.json.staticgeneric-api-keyReddit_Devvit_Web/youtube_transcript_api/test/assets/youtube_ww1_nl_en.innertube.json.staticgeneric-api-keyRecommended actions
.envto.gitignoreto prevent future commits of secret filesAbout this scan
This issue was created as part of a responsible disclosure effort after scanning public hackathon submissions. No credentials were used or exploited — only a read-only API endpoint was called to check if keys were active. The actual secret values are not included in this issue.
If you believe this is a false positive, feel free to close this issue.