Security and Privacy Limitations

PastePrompt is designed to make LLM context workflows more deliberate, local, and reproducible. It does not eliminate the need for human review or careful handling of source code.

What PastePrompt does not guarantee

PastePrompt does not guarantee:

  • That no secret is ever copied, exported, pasted, attached, or uploaded.
  • Perfect secret detection.
  • Perfect token counts.
  • Complete dependency discovery.
  • Vulnerability detection.
  • Correct LLM output.
  • Compliance with any legal, regulatory, or certification framework.
  • Protection after a user shares a bundle with another tool or service.

These are important limits. The app is a context builder and workflow tool, not a security certification system, LLM provider, cloud DLP product, or replacement for auditor judgment.

Secret scanning limits

When enabled, the scanner can catch likely secrets before copy or export, but it can miss custom formats, encoded values, split strings, binary files, short tokens, or organization-specific sensitive values. It can also flag harmless examples, tests, and fixtures.

Treat scanner output as a review gate. Do not treat a clean scan as proof that a bundle is safe.
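To make the review-gate point concrete, here is a small regex-based scanner run over a constructed five-line bundle. It is an added example, not PastePrompt's scanner or its rules: the two patterns, the sample lines and the placeholder value `AKIAEXAMPLEEXAMPLE00` (shaped like an access key id, not a real credential) are all constructed for this illustration. Lines 1 and 5 are flagged, which includes a harmless test fixture; lines 2, 3 and 4 (a base64-encoded value, a split string and a connection string in a custom format) pass clean. A second pass that decodes base64 tokens recovers line 2 and still misses the other two, which is why a clean scan is evidence, not proof.

```python
import base64
import re

# Two illustrative patterns of the kind a regex-based scanner relies on.
# They are constructed for this example and are not PastePrompt's rules.
PATTERNS = {
    # AWS-style access key id: literal "AKIA" followed by 16 uppercase alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Generic credential assignment: password/secret/token = "at least six chars"
    "credential_assignment": re.compile(
        r"(?i)\b(password|secret|token)\b\s*[:=]\s*['\"][^'\"]{6,}['\"]"
    ),
}

# Anything that looks like a long base64 token; used by the decoding pass below.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def scan_line(line):
    """Return the names of every pattern that matches the line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]


def scan_line_with_decoding(line):
    """Scan the raw line, then scan the decoded form of every base64-looking token.

    This closes the encoded-value gap but does nothing for split strings or
    values whose surrounding format the patterns do not know about.
    """
    hits = scan_line(line)
    for token in B64_TOKEN.findall(line):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        hits += [f"{name}(base64)" for name in scan_line(decoded)]
    return hits


def scan(lines):
    """Map 1-based line numbers to findings; lines with no findings are omitted."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings[number] = hits
    return findings


# Constructed sample bundle. FAKE_KEY_ID is a placeholder shaped like an access
# key id; it is not a real credential.
FAKE_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SAMPLE = [
    f'AWS_ACCESS_KEY_ID = "{FAKE_KEY_ID}"',                                  # 1: caught
    f'AWS_KEY_B64 = "{base64.b64encode(FAKE_KEY_ID.encode()).decode()}"',     # 2: encoded, missed
    'key = "AKIAEXAMPLE" + "EXAMPLE00"',                                      # 3: split string, missed
    'DATABASE_URL = "postgres://app:hunter2@db.internal/prod"',               # 4: custom format, missed
    'password = "placeholder-value"  # tests/fixtures/settings.py',           # 5: harmless fixture, flagged
]

if __name__ == "__main__":
    print("raw scan:", scan(SAMPLE))
    for number, line in enumerate(SAMPLE, start=1):
        print(number, scan_line_with_decoding(line))
```

The raw scan reports findings on lines 1 and 5 only, so three of the four sensitive lines in this sample would ship in the bundle while the reviewer's attention is spent on a fixture. Decoding helps with one of them; the remaining misses are exactly the custom formats and split strings the section lists, and they need a human reading the selected files.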

Token-counting limits

Token counts are estimates. They can differ from what a provider's UI reports because LLM tools use different tokenizers, hidden system prompts, message wrappers, attachment formats, and tool-specific overhead.

Use token counts to budget context, not to predict exact provider billing or exact model behavior.

LLM workflow limits

PastePrompt does not include ChatGPT, Claude, Codex, Gemini, Cursor, or local model access. You choose where to paste or attach generated bundles.

LLMs can miss bugs, invent bugs, misunderstand code, overstate confidence, or ignore instructions. PastePrompt does not validate model output. Users remain responsible for checking claims against source code, tests, traces, and project intent.

Local-machine limits

Local-first processing assumes your local machine and user account are trustworthy enough for the repository you are reviewing. A compromised machine, malicious local app, invasive clipboard manager, unsafe shell environment, or untrusted editor extension can still expose local files or copied bundles.

  1. Select the smallest useful context.
  2. Keep .env, production credentials, local deployment files, and private config out of selected context.
  3. Use .pastepromptignore for PastePrompt-specific exclusions.
  4. Review generated bundles before sharing.
  5. Enable secret scanning for sensitive repositories and resolve warnings before copy or export.
  6. Use trusted LLM providers and approved workspaces for sensitive code.
  7. Store exported bundles like source-code artifacts.
  8. Verify LLM findings manually with code evidence and tests.
  9. Preserve Git refs, context hashes, and exported artifacts when reproducibility matters.
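Items 2, 3 and 9 of this list can be turned into a small pre-share gate: filter the repository snapshot through ignore rules, select only what survives, and record a deterministic context hash next to the Git ref. The script below is an added example, not PastePrompt's code. It assumes `.pastepromptignore` accepts gitignore-style patterns (the real syntax is not documented on this page, so the matching here is a simplified stand-in), and the repository files, ignore rules and `"0000000"` Git ref are constructed placeholders.

```python
import fnmatch
import hashlib
import json

# Constructed repository snapshot: path -> file bytes. The credential-looking
# values are placeholders for the example, not real secrets.
FILES = {
    "src/app.py": b"def handler(event):\n    return {'ok': True}\n",
    "tests/test_app.py": b"from src.app import handler\n",
    ".env": b"DB_PASSWORD=placeholder-not-real\n",
    ".env.local": b"API_TOKEN=placeholder-not-real\n",
    "deploy/prod.yaml": b"replicas: 3\n",
    "certs/server.pem": b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
}

# Assumed ignore-file contents. The real .pastepromptignore syntax is not shown
# on the page; this example assumes gitignore-style patterns as simplified in
# is_ignored() below.
IGNORE_TEXT = """
# local secrets and deployment material never belong in a context bundle
.env
.env.*
deploy/
*.pem
"""


def load_ignore_patterns(text):
    """Return the non-blank, non-comment lines of an ignore file."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def is_ignored(path, patterns):
    """Simplified gitignore semantics: 'dir/' excludes the whole directory, a
    pattern containing a slash matches the full path, and any other pattern
    matches the file name only."""
    name = path.rsplit("/", 1)[-1]
    for pat in patterns:
        if pat.endswith("/"):
            if path.startswith(pat) or f"/{pat}" in path:
                return True
        elif "/" in pat:
            if fnmatch.fnmatchcase(path, pat):
                return True
        elif fnmatch.fnmatchcase(name, pat):
            return True
    return False


def select_files(files, patterns):
    """Sorted paths that survive the ignore rules; the smallest useful context
    is chosen from this set, never from the raw checkout."""
    return sorted(p for p in files if not is_ignored(p, patterns))


def context_hash(selected, files):
    """Deterministic digest over the selected paths and their contents, so a
    bundle can be reproduced or compared later. Paths are sorted so the caller's
    ordering cannot change the result."""
    h = hashlib.sha256()
    for path in sorted(selected):
        content_digest = hashlib.sha256(files[path]).hexdigest()
        h.update(f"{path}\0{content_digest}\n".encode())
    return h.hexdigest()


def build_manifest(files, ignore_text, git_ref):
    """Manifest to store beside the exported bundle: the selected files, the Git
    ref the snapshot came from (caller-supplied) and the context hash."""
    selected = select_files(files, load_ignore_patterns(ignore_text))
    return {
        "git_ref": git_ref,
        "files": selected,
        "context_hash": context_hash(selected, files),
    }


if __name__ == "__main__":
    # "0000000" stands in for the real commit id, which this example does not have.
    print(json.dumps(build_manifest(FILES, IGNORE_TEXT, "0000000"), indent=2))
```

With these rules only `src/app.py` and `tests/test_app.py` reach the bundle; the `.env` files, the deployment manifest and the private key never enter the selection, so no downstream scanner has to catch them. Keeping the manifest with the exported bundle lets a later reviewer confirm that a finding was made against exactly this set of files at exactly this ref.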