
I ran YCombinator's Paxel under a live HTTPS wiretap. It sends your Cloudflare OAuth tokens, git email, and verbatim Claude prompts to YC servers

Medium
Published: Wed Jun 17 2026 (06/17/2026, 04:51:13 UTC)
Source: Reddit BlueTeam

Description

YCombinator's Paxel, a tool that analyzes AI coding sessions, was observed under live HTTPS interception transmitting sensitive user data to YC-operated servers: Cloudflare OAuth tokens (the `cfoat_` prefix is not in the tool's secret-scrubber pattern list), the user's git email address, and the user's verbatim prompts from Claude Code sessions, which are forwarded to YC's LLM proxy. The git email is posted to an identity-registration endpoint on every run, before the tool's Docker container starts. Each run also uploads a behavioral report containing LLM-generated session narratives and a timestamped bash command history. The tool strips file contents and LLM responses but sends user input prompts unaltered. The vendor has not provided a patch or official remediation guidance at this time.

Reddit Discussion

r/Information_Security·posted by u/Mindless_Clock_6299

Paxel is a new YC tool that analyzes your AI coding sessions (Claude Code, Cursor, Codex) and gives you a productivity report. The install is the classic `curl | bash` one-liner.

Before running it I built an HTTPS interception rig — custom Ruby SSL patch injected via Docker wrapper, full mitmproxy capture. Here's what a real run actually sends:

**The findings (all live-capture confirmed, not speculation):** I would request other researchers to do analysis as well.

🔴 CRITICAL — Cloudflare OAuth tokens (`cfoat_`) are NOT in the SecretScrubber's 22-pattern list. If you've ever run `wrangler deploy --api-token cfoat_...` in a Claude Code session, that token goes to YC's LLM proxy verbatim. Confirmed in the actual packet capture.

🟠 HIGH — Your git email is sent to `paxel.ycombinator.com/api/v1/identity/register` *before Docker even starts*, on every run, unconditionally.

🟠 HIGH — Everything *you typed to Claude* (user messages) goes verbatim to YC's LLM proxy. The tool strips Claude's responses and file contents — but your prompts, questions, and debugging thoughts are sent as-is.

🟡 MEDIUM — A 137KB behavioral report is uploaded per run: episode scores, LLM-generated session narratives, and a full timestamped list of every bash command you ran.

The meta moment: the session where I performed this analysis was itself captured by Paxel. The uploaded narrative read: "They specified that potential Wrangler OAuth token or Cloudflare deployment data exposure should be treated as a critical finding." YC received my security findings about their product in the results payload.

Full technical report, interactive data flow visualization, and raw capture analysis in the repo:
👉 https://github.com/trangocomputedev/ycombinator-paxel-security-analysis

Not saying Paxel is malicious — the TranscriptChunker v3 design (strips file contents and Claude responses) is genuinely thoughtful. But "analyzes your sessions" and "sends your prompts, bash commands, and email to third-party LLMs via a YC proxy and stores a behavioral profile" are usefully different descriptions.

I would also request other researchers to do analysis as well for validation.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/17/2026, 17:20:09 UTC

Technical Analysis

Paxel, a YCombinator tool that analyzes AI coding sessions, was observed sending Cloudflare OAuth tokens (`cfoat_` prefix), the user's git email address, and verbatim user prompts to YC-operated infrastructure. The `cfoat_` prefix is not among the 22 patterns in the tool's SecretScrubber, so any such token that appeared in a Claude Code session (for example on a `wrangler deploy --api-token cfoat_...` command line) reaches YC's LLM proxy unredacted. The git email is posted to `paxel.ycombinator.com/api/v1/identity/register` on every run, before the Docker container starts. A behavioral report of roughly 137KB, containing episode scores, LLM-generated session narratives and a timestamped list of every bash command run, is uploaded per run. File contents and Claude's responses are stripped before upload; the user's own messages are not. These findings come from a single researcher's live HTTPS interception and packet capture, with the raw captures published in a public repository; the vendor has published no fix or mitigation.

Potential Impact

A leaked Cloudflare OAuth token gives whoever holds it the access the token was issued with, which for a token used in `wrangler deploy` is at least the permission to deploy to the affected Cloudflare account. The git email ties the uploaded behavioral profile to a real identity. Verbatim user prompts can contain proprietary code fragments, internal hostnames, credentials pasted for debugging, and other sensitive details typed during a coding session, and the command history in the behavioral report exposes the user's workflow and tooling in detail. No exploitation in the wild has been reported; the risk is disclosure of data to a third party rather than a remotely triggerable vulnerability.

Mitigation Recommendations

No vendor patch or advisory has been published; treat the behaviour as unmitigated until YCombinator states otherwise. Until then, do not run Paxel on a machine where Cloudflare tokens, other credentials or proprietary material have been typed into Claude Code, Cursor or Codex sessions, since the tool reads those session transcripts. If you have already run it, assume any secret that ever appeared in a prompt, including tokens passed on a command line such as `wrangler deploy --api-token cfoat_...`, has left your machine: rotate it and review the Cloudflare audit log for the affected account. Keep secrets in environment variables or a credentials file rather than on command lines that end up in a transcript; a pattern-based scrubber only redacts what it has a pattern for. If you must evaluate the tool, run it in an isolated container or VM with egress restricted to an interception proxy, and inspect what is sent to `paxel.ycombinator.com` and onward to the LLM proxy before allowing traffic out. Researchers are encouraged to validate these findings independently.
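The scrubber gap in the post's first finding (a fixed list of token prefixes with no entry for `cfoat_`) and the egress-monitoring advice above come down to the same check, so here is one added example, written for this page and not Paxel's code, that reproduces the gap with a stand-in pattern list, shows two prefix-independent fallbacks that would have caught the token anyway (redacting the value handed to a secret-bearing CLI flag, and redacting long high-entropy runs), and runs the resulting scrubber over constructed request bodies shaped like what an interception proxy would log. `NARROW_PATTERNS`, `SAMPLE_TOKEN`, `SAMPLE_PROMPT` and the host `llm-proxy.invalid` are assumptions; the identity endpoint is the one the post names.

```python
"""Scrubber-gap check and egress audit for an AI-session uploader.

Added example, not Paxel's code. NARROW_PATTERNS stands in for a fixed
secret-pattern list (the real one is reported to have 22 entries and to lack
`cfoat_`); SAMPLE_TOKEN and SAMPLE_PROMPT are invented; `llm-proxy.invalid`
is a placeholder host. The identity endpoint is the one named in the post.
"""
import math
import re

SAMPLE_TOKEN = "cfoat_3kT9vQpL2mXb7Rw0sY4nH8jZcF1aE6dG5uB"  # made up, not real
SAMPLE_PROMPT = (
    f"deploy the worker: wrangler deploy --api-token {SAMPLE_TOKEN} "
    "then rotate AKIAIOSFODNN7EXAMPLE afterwards"
)

# Fixed-prefix scrubber with assumed patterns; `cfoat_` is deliberately absent.
NARROW_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# The same list with the Cloudflare OAuth token prefix added.
EXTENDED_PATTERNS = dict(
    NARROW_PATTERNS,
    cloudflare_oauth=re.compile(r"\bcfoat_[A-Za-z0-9_-]{20,}\b"),
)
# Prefix-independent catch-alls: the value handed to a secret-bearing CLI
# flag, and any long run of token characters with high Shannon entropy.
CLI_SECRET_FLAG = re.compile(r"(--api-token|--token|--password)(=|\s+)(\S+)")
TOKEN_RUN = re.compile(r"[A-Za-z0-9_-]{24,}")


def shannon_entropy(s):
    """Bits per character; 40 random base62 characters score above 5."""
    return -sum((n / len(s)) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))


def scrub(text, patterns, catch_all=False, entropy_floor=4.0):
    """Return (scrubbed text, names of the rules that fired)."""
    hits = []
    for name, pat in patterns.items():
        text, n = pat.subn(f"[REDACTED:{name}]", text)
        if n:
            hits.append(name)
    if not catch_all:
        return text, hits
    fired = set()

    def redact_flag(m):
        if m.group(3).startswith("[REDACTED"):  # already caught by a prefix rule
            return m.group(0)
        fired.add("cli_flag")
        return f"{m.group(1)}{m.group(2)}[REDACTED:cli_flag]"

    def redact_entropic(m):
        word = m.group(0)
        if shannon_entropy(word) < entropy_floor:  # ordinary identifiers pass
            return word
        fired.add("high_entropy")
        return "[REDACTED:high_entropy]"

    text = CLI_SECRET_FLAG.sub(redact_flag, text)
    text = TOKEN_RUN.sub(redact_entropic, text)
    return text, hits + sorted(fired)


# Constructed stand-ins for proxy-captured requests (not real Paxel traffic).
CAPTURED_FLOWS = [
    {"host": "paxel.ycombinator.com", "path": "/api/v1/identity/register",
     "body": '{"git_email": "dev@example.com"}'},
    {"host": "llm-proxy.invalid", "path": "/v1/chat",  # hostname assumed
     "body": '{"messages": [{"role": "user", "content": "%s"}]}' % SAMPLE_PROMPT},
]


def audit_flows(flows, git_email, patterns=EXTENDED_PATTERNS):
    """Flag each outbound body that still carries a secret or the user's identity."""
    findings = []
    for f in flows:
        _, hits = scrub(f["body"], patterns, catch_all=True)
        if hits:
            findings.append((f["host"], f["path"], "secret:" + ",".join(hits)))
        if git_email in f["body"]:
            findings.append((f["host"], f["path"], "identity:git_email"))
    return findings


if __name__ == "__main__":
    leaked, _ = scrub(SAMPLE_PROMPT, NARROW_PATTERNS)
    print("prefix-only scrubber still leaks cfoat_:", "cfoat_" in leaked)
    for finding in audit_flows(CAPTURED_FLOWS, "dev@example.com"):
        print(*finding)
```

Run it directly to see the prefix-only scrubber leak the token and the two flagged flows. The `cli_flag` rule is the cheap one and would have caught the exact `wrangler deploy --api-token cfoat_...` case on its own; the entropy floor of 4.0 bits per character separates base62 tokens (above 5) from identifiers and English words (usually below 3.5), and lowering it starts redacting long snake_case names. Neither fallback replaces a proper prefix list, but a scrubber with only a prefix list fails silently on every token format it has not heard of.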


Technical Details

Source Type: reddit
Subreddit: blueteamsec+AskNetsec+Information_Security
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":38,"reasons":["external_link","newsworthy_keywords:ttps","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["ttps"],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a32d742f198dc38c1c77222

Added to database: 6/17/2026, 5:20:02 PM

Last enriched: 6/17/2026, 5:20:09 PM

Last updated: 6/17/2026, 6:23:09 PM

