Dices Alpha Get Dices

Privacy & Security

The honest privacy and security model — what runs on-device, how secrets are stored, how the remote server is locked down, and where your responsibilities lie.

Dices is built on-device by default: your code, your voice, and your codebase index stay on your machine, and the only thing that goes out is the model API calls you authorize. This page lays out the security model honestly — what’s local, how secrets are protected, how remote access is locked down, and what’s on you.

On-device by default

Two of the features that would normally phone home run locally in Dices:

  • Voice — transcription uses local Whisper on-device by default (see Voice Input).
  • Codebase index — the index that lets agents understand your project is built with local embeddings, on your machine.

Your code never leaves your machine except as context in the model API calls you authorize. In other words, the only outbound path for your code is the prompt you choose to send to a model — and that’s a call you control.

Note: “On-device by default” is a default, not a cage. If you opt into cloud voice (Settings → Voice) or run a hosted model, the relevant data goes to that provider — because you asked it to. The defaults keep things local until you decide otherwise.

Secrets

Sensitive credentials — API keys and SSH passwords — are handled carefully:

  • Encrypted at rest via the OS keychain. Dices doesn’t keep your secrets in plain text.
  • Never exposed to the UI. The interface only ever sees a “saved” boolean — it knows that a key exists, not what the key is. There’s no field that reads a secret back out.
SecretStorageVisible in UI
API keysOS keychain (encrypted at rest)“Saved” only
SSH passwordsOS keychain (encrypted at rest)“Saved” only

Provider terms & credentials

Dices never handles your provider credentials beyond your own API key:

  • Claude authenticates with your own Anthropic API key — created at console.anthropic.com, billed to you, and stored encrypted. Dices does not support logging in with a Claude Pro/Max or Claude Code subscription, because Anthropic’s Consumer Terms don’t permit subscription use in third-party apps.
  • Other agents (Codex, Gemini, Cursor, Hermes, Pi) authenticate in their own official vendor CLI — you install that CLI and sign in there, and Dices connects over the open ACP protocol. Gemini also needs a GEMINI_API_KEY.
  • You are responsible for complying with each provider’s terms of service.

Note: Dices is an independent tool and is not affiliated with or endorsed by Anthropic, OpenAI, Google, or any other provider. Brand and product names belong to their respective owners.

Remote server

When you use Dices remotely (for example, from your phone), the remote server is locked down by default:

  • Binds to Tailscale (encrypted) and loopback only — not the open LAN.
  • Token-gated — access requires a token, not just network reach.
  • LAN is an explicit opt-in — exposing the server to your local network is something you have to deliberately turn on; it never happens by default.

Warning: Only enable LAN exposure if you understand and trust your network. The safe default — Tailscale + loopback, token-gated — keeps the server off the open LAN.

Skills

Skills extend what your agents can do, which means they can run code — so Dices makes you look before you install:

  • Previewed with security flags before install, so you can see whether a skill ships scripts, has shell-injection risk, or requests specific allowed-tools.
  • Unicode-sanitized to defuse hidden or deceptive characters.
  • Default project scope — a newly installed skill is scoped to the project by default, not granted globally.

Tip: Read the security flags on a skill the way you’d read permissions on a phone app. If a simple skill is asking for scripts or broad tool access, ask why before installing.

Agent permissions

You decide how much latitude an agent has, on a spectrum from supervised all the way to full access:

  • Supervised — the agent asks for approval before acting; you get approval prompts for the things it wants to do.
  • …through to full access — the agent can act without stopping to ask.

Choose the level that matches your trust in the task. Approval prompts surface in the UI (the same “needs input” signal that flags any waiting chat), so a supervised agent never acts behind your back.

Your responsibilities

A short, honest note: skills and agents can run code with your permissions. Dices gives you the tools to vet them — security flags on skills, a supervised-to-full permission spectrum, local-by-default processing, encrypted secrets — but the trust decisions are yours. Install skills you’ve reviewed, grant agents the access a task actually needs, and keep the remote server on its safe defaults unless you have a reason to change them.

At a glance

AreaDefault posture
VoiceLocal Whisper, on-device
Codebase indexLocal embeddings, on-device
Your codeLeaves only as authorized model API context
SecretsEncrypted at rest (OS keychain), never shown in UI
Remote serverTailscale + loopback, token-gated; LAN opt-in
SkillsSecurity-flag preview, Unicode-sanitized, project scope
AgentsYou choose supervised → full access

Next steps

  • FAQ & Tips — the quick answers, including “does my code leave my machine?”
  • Voice Input — local vs cloud transcription in detail.
  • Integrations — where API keys come into play.
← Previous FAQ & Tips