According to Sentinel Beating monitoring, Y Combinator has released a free AI code analysis tool called Paxel, claiming that code will "never leave your machine." Within hours of the release, however, the security community reverse-engineered the tool and debunked the "local execution" claim as false advertising.
Reverse engineering showed that Paxel in fact sends sensitive data externally on a frequent basis. The contents of files the developer opens, code modifications, and autocomplete suggestions pasted into input fields are all uploaded to a large language model proxy. Local file paths, Bash commands run in the terminal, and the local Git configuration, including usernames and email addresses, are also transmitted to Y Combinator servers. Sentry error monitoring is enabled by default and continuously sends local code line counts and Git commit history off the machine.
The developer community widely ridiculed the so-called local analysis as nothing more than locking your door and then mailing the key to a third party, and criticized the "local" marketing as a textbook example of "privacy whitewashing".
