claude-code-proxy-patterns

This launchd plist config is not itself executable malware, but it contains high-risk operational choices: a plaintext API key stored in a system-level plist (readable by local users), a service configured to run as root with auto-restart and boot persistence, and outbound network configuration to a third-party API. These factors increase the risk if the /usr/local/bin/claude-proxy binary is malicious or becomes compromised. Recommend removing sensitive credentials from the plist (use a protected credential store or restrict plist readability more tightly), avoid running the service as root if not necessary, restrict network egress where feasible, and audit the binary and logs for unexpected behavior. If immediate action is required, unload the plist and rotate the exposed API key.

SUSPICIOUS. The skill is coherent with its stated proxy purpose, but that purpose itself requires high-risk behavior: extracting OAuth tokens from Keychain/plaintext files, intercepting Claude traffic through a custom local proxy, and installing persistent launchd-managed infrastructure. No explicit credential theft or covert exfiltration is shown, but the credential handling and unclear binary provenance make it a high-risk skill that should be treated cautiously.