claude-code-proxy-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's proxy explicitly forwards /v1/messages to external third-party providers (e.g., MiniMax at https://api.minimax.io/anthropic as shown in WP-08 and references/provider-compatibility.md) and parses/relays their responses as part of normal runtime operation, exposing the agent to untrusted third-party content that could carry indirect instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly describes installing a Go binary to /usr/local/bin, adding a launchd plist at /Library/LaunchDaemons (requires root), and modifying environment/startup files (e.g., ~/.zshenv), which instructs changes to system files and persistent services that modify the machine state and require elevated privileges.