claude-code-proxy-patterns

Warn

Audited by Socket on Apr 4, 2026

2 alerts found:

Anomaly, Security

Anomaly: LOW
references/launchd-configuration.md

This launchd plist config is not itself executable malware, but it contains high-risk operational choices: a plaintext API key stored in a system-level plist (readable by local users), a service configured to run as root with auto-restart and boot persistence, and outbound network configuration to a third-party API. These factors increase the risk if the /usr/local/bin/claude-proxy binary is malicious or becomes compromised. Recommended actions: remove sensitive credentials from the plist (use a protected credential store or restrict plist readability more tightly), avoid running the service as root if not necessary, restrict network egress where feasible, and audit the binary and logs for unexpected behavior. If immediate action is required, unload the plist and rotate the exposed API key.

Confidence: 90%, Severity: 60%

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill is internally consistent with its stated proxy purpose, but its actual footprint is high-risk: it teaches reading raw Claude Code OAuth tokens, persists a local intercepting proxy with launchd, and reroutes authenticated traffic and user prompts to a third-party provider. This looks more like powerful proxy-operating documentation than malware, yet the credential handling and non-official data path make it a significant security risk.

Confidence: 89%, Severity: 72%

Audit Metadata

Analyzed At: Apr 4, 2026, 09:52 AM
Package URL: pkg:socket/skills-sh/terrylica%2Fcc-skills%2Fclaude-code-proxy-patterns%2F@63b95ffcd29728f744991852063464bab574a6a8