Question: Credential injection proxy for claudes in containers?

Resolved 💬 6 comments Opened Aug 4, 2025 by ElleNajt Closed Jan 3, 2026

I want to run claude --dangerously-skip-permissions (yolo!) in a container, but giving it internet access potentially exposes my API keys or OAuth Credentials, since those are stored in ~/.claude/.credentials.json or as an environment variable. For instance, the official dev container config doesn't block connections to github, so claude could be prompt injected to open issues that reveal my keys.

I've been trying to figure out if it's possible to do something like this:

  1. Leave dummy OAuth Credentials in ~/.claude/.credentials.json in the container.
  2. Run a credential injection proxy on the host that replaces the dummy credentials in requests with the real ones before forwarding to anthropic.

This way, no credentials end up in the container, and I can let Claude do what it likes without worrying about clever prompt injection exfiltrating my OAuth or API keys.

I think that possibly messing with ANTHROPIC_BASE_URL could be worked into a solution, though I haven't figured out where the OAuth keys are passed around yet, and I'd like to use my subscription instead of the API.

Would love it if there was some official guidance on this!

Thanks!

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗