WhereMyTokens reads local AI coding tool data and may use local provider credentials to fetch usage snapshots for enabled providers. Please report security issues privately.
Open a private security advisory on GitHub, or contact the maintainer through the repository owner profile.
Please include:
- Affected version or commit.
- Steps to reproduce.
- What local files, credentials, or network requests are involved.
- Any logs with tokens, secrets, or personal paths redacted.
- No cloud sync.
- No telemetry.
- No separate credential backup.
- Provider usage requests only for enabled providers.
- Antigravity support uses loopback local RPC only.
The latest GitHub Release is the supported version for security fixes.