
Hi there, lead developer of KeePassXC here (and writer of a lot of code). The TOTP and SSH Agent are generally not a security issue. TOTP has no external interfaces and SSH Agent only writes to the known interface standards of those programs. There is actually not much to those code areas.

Auto-Type is similarly rather simple at the interface level (except for X11, because it's X11). We call native OS functions to emulate typing.

Similarly, the internal reporting features are rather benign. HIBP checks require explicit approval by the user before anything happens.

The browser code and FDO Secrets code definitely need auditing. The browser extension is separate from the browser code within KeePassXC proper.

KeeShare is going to be entirely rewritten for our 2.8.0 release.




If there isn't much code to review, then it makes no sense to exclude them from the audit.


Thanks for all the good work you do!



