Description
Z.ai (https://z.ai) API keys appear to be exposed in public repos, and TruffleHog does not currently detect them. These keys are used as Bearer tokens or x-api-key values for Z.ai endpoints like https://api.z.ai/api/paas/v4 and https://api.z.ai/api/anthropic.
Observed example (public repo):
kaounen/oagb in ZAI_GUIDE.md (contains a full key; public exposure)
Key format appears to be:
- 32 hex characters, a dot, then 16 alphanumeric characters.
Example format (synthetic):
0123456789abcdef0123456789abcdef.A1b2C3d4E5f6G7h8
Preferred Solution
Add a detector for Z.ai API keys, e.g. zai_api_key, with a regex similar to:
(?i)\b[0-9a-f]{32}\.[A-Za-z0-9]{16}\b
Consider keyword/context hints:
z.ai, zai, ZAI_API_KEY, Z_AI_API_KEY, Authorization: Bearer, x-api-key
No known online verification endpoint for safe validation; format + context match should be sufficient.
Additional Context
Z.ai is an API gateway for models (Claude, GLM, etc.). Keys are used as API tokens to access api.z.ai endpoints.
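A sketch of the proposed format + context match in Go, added here as an example; it is not TruffleHog code and not part of the original issue. The names `FindZaiKeys`, `Finding` and `hints`, the same-line context rule, and the sample text are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Format from the issue: 32 hex characters, a dot, 16 alphanumerics.
var keyPat = regexp.MustCompile(`(?i)\b[0-9a-f]{32}\.[A-Za-z0-9]{16}\b`)

// Context hints from the issue, lowercased ("zai" also covers ZAI_API_KEY).
var hints = []string{"z.ai", "zai", "z_ai_api_key", "authorization: bearer", "x-api-key"}

// Finding is a hypothetical result type, not a TruffleHog structure.
type Finding struct {
	Line     int
	Redacted string
	Hint     string
}

// FindZaiKeys reports key-shaped tokens that share a line with a hint.
func FindZaiKeys(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, loc := range keyPat.FindAllStringIndex(line, -1) {
			// Look for hints outside the token, so key characters cannot supply the context.
			ctx := strings.ToLower(line[:loc[0]] + " " + line[loc[1]:])
			for _, h := range hints {
				if strings.Contains(ctx, h) {
					tok := line[loc[0]:loc[1]]
					out = append(out, Finding{i + 1, tok[:4] + "..." + tok[len(tok)-2:], h})
					break
				}
			}
		}
	}
	return out
}

// Constructed sample; line 2 carries the synthetic key from the issue.
const sample = `# deploy notes (constructed)
export ZAI_API_KEY=0123456789abcdef0123456789abcdef.A1b2C3d4E5f6G7h8
checksum = fedcba9876543210fedcba9876543210.Zz99Yy88Xx77Ww66
curl https://api.z.ai/api/paas/v4 -H "Authorization: Bearer 0123456789ABCDEF0123456789abcdef.Q1w2E3r4T5y6U7i8"
`

func main() {
	for _, f := range FindZaiKeys(sample) {
		fmt.Printf("line %d: %s (hint %q)\n", f.Line, f.Redacted, f.Hint)
	}
}
```

The key-shaped `checksum` value on line 3 is skipped because no hint appears on its line, and findings carry only a redacted token so the scanner's own output does not re-expose the secret.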