tokenmaxxer is a local Claude Code plugin. It reads local CLI credentials, writes local sidecar files, and can delegate work to other local CLIs. Treat it as a trusted local automation layer, not as a remote multi-tenant service.
Please report suspected vulnerabilities through GitHub Private Vulnerability Reporting:
https://github.com/pkyIntelligence/tokenmaxxer/security/advisories/new
Do not open a public issue with exploit details, credential material, or reproduction steps that would let others abuse the issue before a fix exists. If Private Vulnerability Reporting is unavailable, open a public issue that asks for a maintainer contact path without including sensitive details.
Expected handling:
- Acknowledgement or triage response within 72 hours.
- Status update at least every 14 days until the report is resolved.
- Coordinated disclosure after a fix or mitigation is available.
Pre-release security and bug review for the 0.2.0 codebase was performed by Claude Opus 4.7 (1M context) and OpenAI Codex (GPT 5.5) across multiple review cycles — initial audit, fix verification, and follow-up sweeps after each round of fixes. AI-assisted review complements rather than replaces human review or a formal third-party audit. Users running tokenmaxxer in security-sensitive environments should perform their own review before installation.
The /tokenmaxxer:opencode, /tokenmaxxer:gemini, and
/tokenmaxxer:copilot commands run backend CLIs in non-interactive mode in the
current workspace. The external Codex plugin's codex-rescue subagent is also
a delegate route when that plugin is installed alongside tokenmaxxer. These
delegates may read files, write files, or run tools according to their own
permissions. Copilot specifically requires --allow-all-tools for the
non-interactive invocation used by this plugin.
Do not forward untrusted instructions directly to these delegates. If a task is based on hostile or unknown content, first summarize or sanitize the content on the main Claude thread, then delegate only the cleaned task. For work that may contain prompt injection, use a disposable checkout or keep the task on Claude until the unsafe instructions have been separated from the actual request.
Kill switches:
TOKENMAXXER_OPENCODE_DISABLED=1TOKENMAXXER_GEMINI_DISABLED=1TOKENMAXXER_COPILOT_DISABLED=1
scripts/statusline.sh is a renderer. It reads sidecars and the per-turn
statusline JSON from stdin. It must not start network refreshes or backend CLIs.
The only write it performs is the Claude rate-limit cache at
~/.claude/.tokenmaxxer-claude.json, which contains non-secret percentages and
reset epochs.
Network refreshes live in hooks/refresh-*.sh and explicit telemetry flows such
as skills/check-usage.md.
OpenCode dashboard scraping stores the browser auth cookie in
~/.claude/.tokenmaxxer-opencode-go.json with 0600 permissions. The
cookie helper prompts for that value through the manual flow documented in
docs/backends/opencode.md. tokenmaxxer never opens a browser with
--remote-debugging-port and never reads cookies from the user's browser
profile.
The Gemini refresh hook rewrites ~/.gemini/oauth_creds.json in place when
the OAuth access token expires — the same refresh-and-persist flow
gemini-cli itself performs. The hook does not embed Google OAuth client
values; it uses local credential metadata or TOKENMAXXER_GEMINI_OAUTH_CLIENT_*
environment variables for refresh requests. The hook updates only
.access_token and .expiry_date, leaves the refresh token untouched, writes
the replacement file with umask 077 (mode 0600), and refuses to follow the
path if it has become a symlink.
The usage sidecars under ~/.claude/.tokenmaxxer-*.json (Codex, Copilot,
Gemini, OpenCode quota, Claude rate-limit cache) contain quota percentages
and reset times, not access tokens. Refresh hooks refuse to replace a sidecar
path that is already a symlink.
Claude is the routing decision-maker. When the route or check-usage skill
fires (typically before Claude decides whether to delegate non-trivial work),
the per-backend quota percentages and reset epochs from the quota sidecars
listed above are loaded into Claude's context for that turn and reach
Anthropic's API as part of the prompt — the same way any other local file
Claude Code reads reaches Anthropic's API.
Specifically in scope: percentages, reset epochs, plan/SKU strings, status
strings (auth_failed, not_subscribed, etc.), the tier and
cloudaicompanion_project strings from the Gemini sidecar.
Specifically out of scope: the OAuth tokens at ~/.codex/auth.json,
~/.gemini/oauth_creds.json, and ~/.local/share/opencode/auth.json; the
OpenCode dashboard cookie at ~/.claude/.tokenmaxxer-opencode-go.json. The
skills do not read those files.
The statusline renderer also has access to the same quota data via stdin and the sidecars, but the statusline output is rendered locally only — it is not itself a Claude prompt and does not reach Anthropic's API.