The sensitive data that is currently handled by Magic CLI is:
- OpenAI API key, which is stored in the configuration within the user home directory (
~/.config/magic_cli).There are plans to store this token in the system's secure key storage, but this is not yet implemented.
- Embeddings of the shell history for the
magic-cli searchcommand, which are stored in the configuration within the user home directory (~/.config/magic_cli) and are generated using the LLM provider of choice.
Report vulnerabilities to security [at] guywaldman.com.
They will be handled ASAP. If the vulnerability is accepted, a mitigation will be implemented and a proper disclosure will be released. The triage and mitigation process will depend on the potential severity and impact of the vulnerability.