I Audited 3 AI Coding Tools for Privacy — The Difference Is 100x

A developer audited three AI coding tools—Claude Code, Cursor, and Cline—for privacy and found that all archive conversations in local plaintext without informing users. Claude Code stored 43MB of conversation data and saved API keys in plaintext, while Cursor stored passwords in plaintext JSONL. Cline was the only tool to store API keys in the OS keychain but still archived all conversations. None of the tools achieved a perfect privacy score.

Claude Code stores 43MB of your conversations. Cursor saves your passwords in plaintext JSONL. Cline is the only one that puts your API key in the OS keychain — but it still archives everything you say. Not one of them tells you this is happening. Two weeks ago, I discovered Claude Code had silently archived 43MB of my complete conversation history on my machine. I wrote about it. The comments asked: "What about Cursor? What about Cline?" I tested them. The results were more nuanced than I expected. Three tools. Five dimensions. One standardized test script. | Dimension | What I Tested | |---|---| | Conversation Storage | What's stored? Format? Size? | | Credential Security | How is the API key stored? Plaintext or encrypted? | | User Awareness | Does the tool tell you it's archiving your conversations? | | Data Isolation | Can AI in Project A read conversations from Project B? | | Uninstall Residue | Does conversation data survive uninstallation? | In each tool, I typed the same three things: a normal coding question, a database connection string with a password, and an API key. Conversation Storage : ~/.claude/projects/ , JSONL format. One file per session. Opening one 2.3MB session file: | Content | Count | |---|---| | AI responses | 590 | | AI internal thinking | 272 | | Tool calls | 101 | | Tool call results incl. file paths | 100 | | File history snapshots | 208 | Credential Storage : settings.json — plaintext. The built-in Read tool can access this file without restriction. Data Isolation : No. Global history file merges all projects. Uninstall Residue : 19 project directories, 43MB of conversation data. Conversation Storage : agent-transcripts/ , JSONL format. Same structure as Claude Code — user input, AI responses, tool calls all stored. Size depends on conversation length. Stores every user input, every AI response, and every tool it called. Does not store tool execution results or thinking blocks — in Plan mode. Credential Storage : SQLite database stores tokens at 415 bytes each. Better than plaintext. My test password and API key : Both written verbatim into the transcript file. Data Isolation : Yes. Per-project separation. Conversation Storage : Open source, directly auditable. Each task gets its own directory with 4 JSON files: tasks/<taskId / api conversation history.json — Full API messages incl. tool results ui messages.json — Chat UI records task metadata.json — Metadata context history.json — Context evolution Stores no less than Claude Code in conversation content — complete API message format, tool use and tool results included. Credential Storage : The only tool that got this right. API key goes through VS Code Secrets API to Windows Credential Manager. Not stored in a file. Data Isolation : Yes. Per-task isolation. | Dimension | Claude Code | Cursor | Cline | |---|---|---|---| | User input | Full text | Full text | Full text | | AI responses | Full text | Full text | Full text | | AI internal thinking | 272 entries | None | None | | Tool execution results | Includes file paths | Plan mode: no | Yes | | Session size | 2.3MB | 16KB | 4 JSON files | | API Key storage | Plaintext JSON | SQLite | OS keychain | | Conversation format | JSONL | JSONL | JSON | | User informed | No | Asked about sharing | No | | Cross-project isolation | No | Yes | Yes | | Open source auditable | No | No | Yes | Credential security: Cline Cursor Claude Code Conversation privacy: All three archive everything, none tells you Data volume: Claude Code Cline Cursor Transparency: Cline open source Cursor Claude Code No tool scored perfectly. Three tools. Three architectures. Two business models. One thing they all share: They all archive your conversations in local plaintext. Not one tells you. This isn't one tool's vulnerability. This is the AI coding tool category defaulting to "archive everything" — and users not knowing it. | Level | Action | |---|---| | Daily | Periodically clean up conversation directories | | Never | Paste real passwords or tokens into AI conversations | | Before selling | Delete all tools' conversation archives | | When choosing | Know what each tool stores before you install | Part 3 of the "AI Tool Privacy" series. Next: Prompt Injection in Practice — How a Malicious CLAUDE.md Can Make Your AI Betray You.