- Your GitHub token is stored in `~/.config/ghscope/config.json` (mode 0600, owner-readable only).
- API responses are cached as JSON in `~/.cache/ghscope/`; these are public-repo responses and contain no credentials.
- Nothing is sent anywhere other than `api.github.com` and the package registry endpoints used by the dependency checker (`proxy.golang.org`, `registry.npmjs.org`, `crates.io`, `pypi.org`).
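The two on-disk guarantees above (a 0600, owner-only config file and a credential-free cache) can be verified locally. The script below is an added example, not part of ghscope: it checks the config file's mode and owner, extracts the token, and scans the cache directory for that value. It assumes the config is flat JSON with a `"token"` key (an assumption; the real schema is not documented here) and builds a constructed sample layout so it can be tried offline.

```shell
#!/bin/sh
# Added audit script (not part of ghscope): checks the on-disk properties the
# policy states. Assumptions: the config is flat JSON with a "token" key (key
# name assumed; ghscope's actual schema is not documented here), and the paths
# default to the documented locations.

CONFIG_DEFAULT="$HOME/.config/ghscope/config.json"
CACHE_DEFAULT="$HOME/.cache/ghscope"

# file_mode FILE: print the octal permission bits (GNU stat, then BSD stat fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# file_owner FILE: print the numeric uid of the file's owner
file_owner() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null
}

# check_config_perms FILE: succeed only if the file exists, is exactly 0600,
# and is owned by the invoking user (the policy's "owner-readable only" claim)
check_config_perms() {
  [ -f "$1" ] || return 1
  [ "$(file_mode "$1")" = "600" ] || return 1
  [ "$(file_owner "$1")" = "$(id -u)" ]
}

# extract_token FILE: print the value of the first "token" key, if any
extract_token() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# cache_mentions_token CACHE_DIR TOKEN: succeed if the token string appears
# anywhere under the cache directory, which the policy says must never happen
cache_mentions_token() {
  [ -n "$2" ] || return 1
  [ -d "$1" ] || return 1
  grep -rqF -- "$2" "$1" 2>/dev/null
}

# audit_ghscope [CONFIG] [CACHE_DIR]: run both checks, report, return 0 only if clean
audit_ghscope() {
  config=${1:-$CONFIG_DEFAULT}
  cache=${2:-$CACHE_DEFAULT}
  status=0
  if check_config_perms "$config"; then
    echo "ok:   $config is mode 0600 and owned by uid $(id -u)"
  else
    echo "FAIL: $config missing, not mode 0600, or not owned by you (mode=$(file_mode "$config"))"
    status=1
  fi
  token=$(extract_token "$config" 2>/dev/null)
  if cache_mentions_token "$cache" "$token"; then
    echo "FAIL: token value found inside $cache (redact before reporting)"
    status=1
  else
    echo "ok:   no token string found under $cache"
  fi
  return $status
}

# build_fixture DIR: constructed sample layout so the audit can be tried offline
build_fixture() {
  mkdir -p "$1/config/ghscope" "$1/cache/ghscope"
  printf '{"token":"ghp_EXAMPLE_NOT_A_REAL_TOKEN"}\n' > "$1/config/ghscope/config.json"
  chmod 600 "$1/config/ghscope/config.json"
  printf '{"full_name":"example/repo","stargazers_count":42}\n' > "$1/cache/ghscope/repo.json"
}

# Run against the real locations only when explicitly asked, e.g.:
#   GHSCOPE_AUDIT=1 sh audit.sh
if [ "${GHSCOPE_AUDIT:-0}" = "1" ]; then
  audit_ghscope
fi
```

Run it with `GHSCOPE_AUDIT=1 sh audit.sh` against the real paths, or source it and call `audit_ghscope CONFIG CACHE_DIR` against a fixture from `build_fixture`. A failing permission check is the finding to tighten with `chmod 600`; a token hit inside the cache is exactly the kind of leak the reporting section asks you to send privately, with the value redacted.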
If you find a security issue — especially anything related to token handling or unintended data exfiltration — please do not open a public issue.
Email: security@phlx.dev
Or use GitHub private vulnerability reporting if you prefer to stay on-platform.
Include:
- A description of the issue and its impact
- Steps to reproduce
- Any relevant code snippets or logs (redact tokens)
I aim to respond within 48 hours and to ship a fix within 7 days for anything critical.
| In scope | Out of scope |
|---|---|
| Token leakage or exfiltration | GitHub API rate limiting |
| Unintended file writes | Cosmetic TUI glitches |
| Dependency with a known CVE | Third-party registry uptime |