Use GitHub's private vulnerability reporting (Security tab → "Report a vulnerability"). Do NOT open a public issue for security-sensitive reports.
This plugin ships text from assistant messages to a user-configured translation endpoint (default: Microsoft Translator's unofficial Edge endpoint). It ships best-effort regex redaction for common secret patterns (AWS keys, GH tokens, JWTs, etc.) before sending text.
Important caveat (will appear verbatim in README):
Redaction is best-effort regex matching. It is NOT a security control. Sensitive data may still leak. The only reliable way to keep secrets out of translation is not to put them in your LLM prompts.
The latest released version is supported. Older versions receive security patches at the maintainer's discretion.