E1001 -- API key found in agent settings file

Severity: ERROR. Run controlzero migrate to fix.

What happened

controlzero doctor found a Control Zero API key (cz_live_... or cz_test_...) baked into a hook command inside an agent settings file. Common locations:

  • ~/.claude/settings.json (Claude Code)
  • ~/.gemini/settings.json (Gemini CLI)
  • ~/.codex/config.toml (Codex CLI)
  • Cursor / Windsurf / VS Code Copilot / Cline / Antigravity / Adal / JetBrains MCP config files

Why it matters

When the coding agent invokes the hook, it runs the command literally, which means the API key appears as part of the process arguments. The key is then visible to:

  • Anyone reading the agent's terminal scrollback
  • Process listings (ps aux) on the same machine
  • Shell history (if the agent logs the command line)
  • Log files the agent writes
  • Crash dumps and core files
  • Any process running as the same user

If you screenshare or screen-record while the agent is active, the key is captured there too. This check exists to prevent a repeat of the 2026-05-14 customer screenshot incident.

How to fix

Run the auto-fix:

controlzero migrate

migrate does three things:

  1. Removes the inline CONTROLZERO_API_KEY=cz_live_... prefix from every leaked hook command.
  2. Writes the key to ~/.controlzero/config.yaml with permissions 0600 (owner-only).
  3. Sets ~/.controlzero/ to 0700 so the file is protected even if another local user tries to read it.

After migrate, run controlzero doctor again to confirm the box is clean.

Manual fix

If you prefer to fix the file by hand, edit the agent settings file and change:

{
  "command": "CONTROLZERO_API_KEY=cz_live_abcd1234 controlzero hook-check"
}

to:

{
  "command": "controlzero hook-check"
}

Then write the key to ~/.controlzero/config.yaml:

api_key: cz_live_abcd1234

and tighten the permissions:

chmod 700 ~/.controlzero
chmod 600 ~/.controlzero/config.yaml
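As an added illustration (not Control Zero's own code), the following Python carries out the three migrate steps listed above and the manual fix by hand: find the inline prefix anywhere in a settings tree, strip it, and write config.yaml with the stated 0600/0700 permissions. SAMPLE_SETTINGS is a constructed sample in the Claude Code hook layout with a made-up key value, and demo() writes into a scratch directory rather than your real ~/.controlzero.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Inline prefix that pre-1.5.2 installs wrote into hook commands; this is what E1001 flags.
LEAK_RE = re.compile(r"\bCONTROLZERO_API_KEY=(cz_(?:live|test)_[A-Za-z0-9]+)\s+")
# Constructed sample of a leaked ~/.claude/settings.json; the key value is made up.
SAMPLE_SETTINGS = {"hooks": {"PreToolUse": [{"matcher": "Bash", "hooks": [
    {"type": "command", "command": "CONTROLZERO_API_KEY=cz_live_abcd1234 controlzero hook-check"}]}]}}

def find_leaked_keys(node, path=""):
    """Return [(json_path, key)] for every string in the tree carrying an inline key."""
    if isinstance(node, dict):
        return [h for k, v in node.items() for h in find_leaked_keys(v, f"{path}/{k}")]
    if isinstance(node, list):
        return [h for i, v in enumerate(node) for h in find_leaked_keys(v, f"{path}/{i}")]
    return [(path, m.group(1)) for m in LEAK_RE.finditer(node)] if isinstance(node, str) else []

def scrub(node):
    """Return a copy of the settings tree with every inline key prefix removed."""
    if isinstance(node, dict):
        return {k: scrub(v) for k, v in node.items()}
    if isinstance(node, list):
        return [scrub(v) for v in node]
    return LEAK_RE.sub("", node) if isinstance(node, str) else node

def migrate(settings, cz_home):
    """Scrub settings and move the key into <cz_home>/config.yaml (file 0600, dir 0700)."""
    keys = {key for _, key in find_leaked_keys(settings)}
    if len(keys) != 1:  # refuse to guess when a file carries several different keys
        raise ValueError(f"expected exactly one leaked key, found {sorted(keys)}")
    cz_home = Path(cz_home)
    cz_home.mkdir(mode=0o700, exist_ok=True)
    os.chmod(cz_home, 0o700)  # mkdir's mode is masked by umask, so set it explicitly
    cfg = cz_home / "config.yaml"
    fd = os.open(cfg, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # never world-readable, even briefly
    with os.fdopen(fd, "w") as f:
        f.write(f"api_key: {keys.pop()}\n")
    os.chmod(cfg, 0o600)  # also tightens a pre-existing file that was created wider
    return scrub(settings), cfg

def demo():
    """Run the migration on the constructed sample inside a scratch directory."""
    tmp = Path(tempfile.mkdtemp())
    clean, cfg = migrate(SAMPLE_SETTINGS, tmp / ".controlzero")
    return clean, cfg, stat.S_IMODE(cfg.stat().st_mode), stat.S_IMODE(cfg.parent.stat().st_mode)
```

Because the scan walks the whole tree rather than one known path, the same code covers the other agents' settings layouts listed above; rotating the key afterwards still has to be done in the dashboard.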

After the fix

Rotate the leaked key. Even after you've cleaned the file, the key may already be present in terminal scrollback, screen recordings, or backup files. Rotate it in the dashboard (Settings -> API Keys -> Revoke and create new) and update ~/.controlzero/config.yaml with the new value.

Prevent recurrence

  • Always upgrade to the latest controlzero SDK before running controlzero install <agent>. Versions before 1.5.2 wrote the inline form; 1.5.2 and later write only the safe form.
  • Run controlzero doctor after every install.
  • Wire bash scripts/ci/check-no-key-leaks.sh into your CI if you check agent settings files into version control.