Comment by pxc

5 days ago

Don't pass secrets via CLI args. Not only do they end up in your shell history, but they can easily be grabbed just by inspecting the list of running processes.

And you've got all this "supply chain security" window dressing except nobody knows who you are and there's no community. So we have lots of records verifying that the published artifacts were authentically built by... someone... somehow.

This is AI slop, with a careless, checklisty notion of what makes software secure.

The marketing language and actual design of the tool are also incoherent ("no server" and "no trust" both contradict how this thing actually works).

This post should probably be not just criticized, but flagged and removed.
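A small demonstration of the first point in the comment above (secrets in argv are visible to any local user via the process list), added here as an example; it is not code from the original post or from the tool being discussed. It assumes a Linux-style `/proc` or a `ps` binary, and uses a constructed sample token; the only thing it shows is the process-list leak, not the shell-history leak, which happens before the program even starts.

```python
"""Show why a secret passed as a CLI argument is readable by other processes."""
import os
import shutil
import subprocess
import sys

# Constructed sample secret for the demo; not a real credential.
SECRET = "hunter2-example-token"

# Child program that just idles so the parent can inspect it while it runs.
IDLE = "import time; time.sleep(10)"
# Child that takes the secret from stdin, then idles.
STDIN_READER = "import sys, time; t = sys.stdin.readline(); time.sleep(10)"


def read_cmdline(pid: int) -> str:
    """Return another process's argv, exactly as `ps` or any local user sees it.

    On Linux /proc/<pid>/cmdline is world-readable (NUL-separated argv) with the
    default procfs mount options; elsewhere fall back to `ps -o args=`, which
    reads the same kernel data.
    """
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as f:
            parts = f.read().split(b"\0")
        return " ".join(p.decode(errors="replace") for p in parts if p)
    if shutil.which("ps"):
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
        return out.stdout.strip()
    raise RuntimeError("no way to read process command lines on this platform")


def _inspect_and_stop(child: subprocess.Popen, secret: str) -> bool:
    """Read the child's argv from the outside, then clean the child up."""
    try:
        return secret in read_cmdline(child.pid)
    finally:
        if child.stdin is not None:
            child.stdin.close()
        child.kill()
        child.wait()


def secret_in_argv_is_visible(secret: str = SECRET) -> bool:
    """Bad pattern: `tool --token=SECRET`. True means another process can read it."""
    child = subprocess.Popen([sys.executable, "-c", IDLE, f"--token={secret}"])
    return _inspect_and_stop(child, secret)


def secret_in_env_is_visible(secret: str = SECRET) -> bool:
    """Better: the secret in an environment variable does not appear in argv.

    Caveat: /proc/<pid>/environ still exposes it to the same uid and to root,
    so this closes the world-readable hole, not the same-user one.
    """
    env = dict(os.environ, TOKEN=secret)
    child = subprocess.Popen([sys.executable, "-c", IDLE], env=env)
    return _inspect_and_stop(child, secret)


def secret_via_stdin_is_visible(secret: str = SECRET) -> bool:
    """Best of the three: pipe the secret on stdin; nothing lands in argv or environ."""
    child = subprocess.Popen([sys.executable, "-c", STDIN_READER],
                             stdin=subprocess.PIPE, text=True)
    child.stdin.write(secret + "\n")
    child.stdin.flush()
    return _inspect_and_stop(child, secret)


if __name__ == "__main__":
    print("argv  leaks secret:", secret_in_argv_is_visible())
    print("env   leaks secret:", secret_in_env_is_visible())
    print("stdin leaks secret:", secret_via_stdin_is_visible())
```

Run it as an unprivileged user: the argv variant reports `True` because `/proc/<pid>/cmdline` (or `ps`) is readable across users, while the environment and stdin variants report `False`. The environment variant is still readable by the same uid and by root through `/proc/<pid>/environ`, which is why a pipe, a file with restrictive permissions, or a secrets API is the usual recommendation over both flags and environment variables.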