Two Google OAuth client secrets are hardcoded and publicly visible in your repository:
File: src/core/provider_templates/fixed_providers.py
ProviderType.GEMINI_CLI — client_secret: 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ProviderType.ANTIGRAVITY — client_secret: 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
These are Google OAuth client secrets (GOCSPX- prefix). The file comment acknowledges these were copied from CLIProxyAPI and are sensitive. Anyone with access to this repository can use these to impersonate the OAuth clients and potentially intercept authorization flows.
Recommended actions:
- Remove both client_secret values from the file immediately
- Report the exposed secrets to Google at https://bughunters.google.com so they can rotate them — since these appear to be Google's own internal CLI credentials, Google is the party that needs to act
- Load client secrets from environment variables rather than hardcoding them
- If these values exist in git history, use git-filter-repo to purge them
Reporting in good faith. I have not used these credentials.
Two Google OAuth client secrets are hardcoded and publicly visible in your repository:
File:
src/core/provider_templates/fixed_providers.pyProviderType.GEMINI_CLI— client_secret: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ProviderType.ANTIGRAVITY— client_secret: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These are Google OAuth client secrets (GOCSPX- prefix). The file comment acknowledges these were copied from CLIProxyAPI and are sensitive. Anyone with access to this repository can use these to impersonate the OAuth clients and potentially intercept authorization flows.
Recommended actions:
Reporting in good faith. I have not used these credentials.