claude-code-proxy-patterns
Audited by Socket on Feb 27, 2026
2 alerts found:
Obfuscated File
Anomaly
The skill describes a sophisticated, macOS-centric multi-provider proxy that reads OAuth tokens from Keychain, mutates headers for OAuth passthrough, and routes Claude Code requests between MiniMax and Anthropic-compatible backends. While coherent with its stated purpose, the credential handling and multi-path auth architecture introduce meaningful security risks, including potential exposure of tokens through logs, in-memory caching, and misrouting if configuration drifts. The sentinel mechanism (proxy-managed) helps mitigate real-key leakage but adds complexity that increases the chance of misconfiguration. Overall, the design is high-risk from a credential-management and supply-chain security perspective, though not inherently malicious. Recommend tightening secret handling, reducing in-memory token exposure, adding explicit logging safeguards, and formalizing a single source of truth for credentials with strict access controls.
This launchd plist config is not itself executable malware, but it contains high-risk operational choices: a plaintext API key stored in a system-level plist (readable by local users), a service configured to run as root with auto-restart and boot persistence, and outbound network configuration to a third-party API. These factors increase the risk if the /usr/local/bin/claude-proxy binary is malicious or becomes compromised. Recommend removing sensitive credentials from the plist (use a protected credential store or restrict plist readability more tightly), not running the service as root unless necessary, restricting network egress where feasible, and auditing the binary and logs for unexpected behavior. If immediate action is required, unload the plist and rotate the exposed API key.