• Recommended: Store API keys in environment variables

  export GEMINI_API_KEY="your-api-key-here"
  export GROK_API_KEY="your-grok-api-key-here"

• Never hardcode API keys directly in source code
• Never commit API keys to version control

• For Google Cloud environments, use ADC when possible:

  gcloud auth application-default login

• ADC provides automatic key rotation and better security

• While --api-key flag is available, avoid using it in shared environments
• Command-line arguments may be visible in process lists
• Prefer environment variables or ADC

• Chat history is stored locally in ./history directory by default
• Contains conversation data that may include sensitive information
• Set appropriate file permissions:

  chmod 700 ./history

• Consider encrypting the history directory on sensitive systems

• Tool definition files may contain sensitive data
• Store configuration files with restrictive permissions:

  chmod 600 config.json

• All API communications use HTTPS by default
• gRPC connections are encrypted with TLS
• WebSocket connections upgrade from HTTPS

• Respects standard proxy environment variables:
  • HTTPS_PROXY
  • HTTP_PROXY
  • NO_PROXY

• Use --require-approval flag for untrusted environments
• Review each tool call before execution
• Auto-approve only trusted tools with Ctrl+A toggle

• Be cautious with tools that:
  • Execute system commands
  • Access filesystem
  • Make network requests
  • Handle sensitive data

• Bind to localhost only by default
• Use authentication when exposing to network:

  aistudio --mcp-server --port 8080 --bind 127.0.0.1

• Verify MCP server certificates
• Use encrypted transports (HTTPS/WSS) for remote servers
• Validate tool capabilities before enabling

• Audio is processed locally before transmission
• Voice activity detection prevents unnecessary streaming
• Mute functionality available with keyboard shortcuts

• Camera and screen capture require explicit user consent
• Privacy mode disables all video inputs
• Frame data is not stored unless explicitly configured

• Streamed audio/video is not retained by default
• Recording features require explicit opt-in
• Clear recordings after use

• Production logs should not contain:
  • API keys or tokens
  • Personal conversation content
  • Tool execution results with sensitive data

• Use --debug only in development
• Debug logs may contain sensitive information
• Disable debug logging in production

1. Principle of Least Privilege

   • Grant minimum necessary permissions
   • Use read-only access where possible
   • Limit tool capabilities

2. Regular Updates

   • Keep dependencies updated
   • Monitor security advisories
   • Update Go runtime regularly

3. Environment Isolation

   • Use separate API keys for dev/staging/production
   • Isolate sensitive operations
   • Use containers or VMs for additional isolation

4. Monitoring

   • Monitor API usage for anomalies
   • Set up alerts for unusual activity
   • Review tool execution logs

5. Incident Response

   • Rotate API keys immediately if compromised
   • Review history files for sensitive data exposure
   • Document security incidents

If you discover a security vulnerability:

1. Do NOT create a public GitHub issue
2. Email security concerns to the maintainer
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if available)

• This software processes data through third-party APIs
• Ensure compliance with your organization's data policies
• Review Terms of Service for API providers
• Consider data residency requirements