claude-code-proxy-patterns
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md and references clearly show the local proxy forwards /v1/messages to external Anthropic-compatible providers (e.g., MiniMax at https://api.minimax.io/anthropic in WP-08 and references/provider-compatibility.md and the launchd plist), and the proxy parses/forwards provider response content (including "thinking" / "base_resp" blocks), so untrusted third-party API responses are ingested and can materially influence the agent's behavior.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs installing a system-level proxy binary (/usr/local/bin), creating a launchd plist under /Library/LaunchDaemons, and modifying persistent environment/service configuration—actions that modify protected system files and persist a privileged service, which can compromise the machine state.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.