Security

What leaves your computer

Fenek is a local, read-only tool. Here is every request it makes over the network, how to verify each one against the source, and how your keys are kept.

Fenek talks to your brokers — and to no one else.

  • Your machine: Claude Desktop + Fenek
  • Your broker: Official read-only API
  • The developer: No server. No analytics.

Fenek has no backend. Nothing routes through the author, so there is nowhere else for your data to go.

  • Read-only requests
  • Keys stay in your OS keychain
  • Zero telemetry

Four kinds of outbound requests

Exactly four kinds of outbound requests leave your machine, and you can verify each one in the source code:

  1. Calls to your brokers’ official APIs (Trading 212, Bybit, public blockchain explorers) — that’s the product.
  2. A weekly anonymous version check against api.github.com. Only the latest release number is read from the response. Turn it off with the “Check for updates weekly” toggle in extension settings.
  3. A monthly license check against api.polar.sh — Pro only. It sends just your license key and reads back whether the subscription is active. Free builds and source builds never make this call.
  4. Nothing else. No analytics, no error reporting, no telemetry. This website has no analytics or cookies either.

Verify it yourself

Don’t take our word for it. Clone the repository and list every outbound call:

# every outbound network call in the codebase
grep -rn "fetch(" src/

Every request goes through the broker clients named above — there is no other network code. Read all of it on GitHub.
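
The `fetch(` search above only finds calls written with that one API. The script below is an added example, not part of Fenek's repository: assuming a JavaScript/TypeScript codebase, it also searches for other network primitives and prints hostnames from URL literals that are missing from an allowlist. The function names, pattern list, allowlist file format and sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: a wider version of the page's `grep -rn "fetch(" src/` audit.
# Function names, the pattern list and the allowlist format are assumptions.

# Print file:line for every network primitive, not only fetch().
list_network_calls() {
  grep -rnE \
    -e 'fetch\(' \
    -e 'XMLHttpRequest|WebSocket|EventSource|sendBeacon' \
    -e "(require\(|from )['\"](node:)?(https?|http2|net|tls|dgram|dns)['\"]" \
    -e "(require\(|from )['\"](axios|got|node-fetch|undici|ws)['\"]" \
    "$1" || true   # grep exits 1 when nothing matches
}

# Print the distinct hostnames that appear in URL literals under $1.
list_hosts() {
  grep -rhoE '(https?|wss?)://[A-Za-z0-9.-]+' "$1" \
    | sed -E 's#^[a-z]+://##' | sort -u
}

# Print hostnames under $1 that are not in allowlist file $2 (one host per line).
unexpected_hosts() {
  list_hosts "$1" | grep -vxFf "$2" || true
}

# Constructed sample tree: one fetch() call and one import that "fetch(" alone misses.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src"
  printf '%s\n' 'const r = await fetch("https://api.github.com/");' \
    > "$dir/src/update.ts"
  printf '%s\n' 'import https from "node:https";' \
    'https.get("https://metrics.example.invalid/ping");' > "$dir/src/extra.ts"
  printf '%s\n' 'api.github.com' 'api.polar.sh' > "$dir/allowlist.txt"
  echo "$dir"
}

# Usage: sh audit.sh <src-dir> <allowlist-file>
if [ "$#" -eq 2 ]; then
  list_network_calls "$1"
  echo "--- hosts not in allowlist ---"
  unexpected_hosts "$1" "$2"
fi
```

Fill the allowlist with the API hostnames your brokers document. The scan covers first-party source only; dependencies and URLs assembled at runtime need a separate check.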

Your keys

Claude Desktop stores your API keys in your operating system’s keychain (macOS Keychain / Windows Credential Manager) — the fields are marked sensitive. Fenek never logs them, never prints them, and never puts them in an error message.

When you create a key at your broker, enable read permissions only:

  • Trading 212 — account, portfolio, and history. No Orders.
  • Bybit — the read groups only (Unified Trading, Assets/Wallet, Earn). No Trade, no Withdraw, no Transfer.
  • Crypto wallets — paste public addresses only. Public addresses are read without credentials; no key or secret is ever involved.

Release provenance

Every .mcpb is built in GitHub Actions with a build-provenance attestation, so you can confirm the file you downloaded was produced by the public CI from this source — not swapped or tampered with. Verify it before installing:

# checks the download against its signed build provenance
gh attestation verify fenek-portfolio-companion.mcpb \
  --repo Guck111/fenek-portfolio-companion

A genuine download prints "✓ Verification succeeded!". Anything else means the file did not come from this repository’s CI — don’t install it.