claudemon

A mitmproxy addon that monitors and prompts for approval on Anthropic Files API calls. Gives you visibility and control over file operations made by Claude Code.

Mac only for now.

API Key Injection Detection

The initial feature of claudemon is to detect potential API key injection attacks. This protects against scenarios where a malicious prompt tricks Claude into using a different API key than your own.

There is a known and unmitigated class of attack that uses this for file exfiltration: Embrace The Red - Claude Data Exfiltration

Support for Claude Cowork, which is also affected by this attack, is coming soon.

The File Exfiltration Attack

What Is It?

This attack exploits Claude's network access to the Anthropic Files API to steal sensitive data from your machine. Even with Claude's "Package managers only" network restriction enabled, connections to api.anthropic.com are always permitted and attackers can abuse this.

How The Attack Works

  1. Indirect Prompt Injection: A malicious document, website, or file you ask Claude to process contains hidden instructions
  2. Data Collection: Claude, following the injected instructions, reads sensitive files from your system (SSH keys, environment variables, source code, credentials)
  3. API Key Swap: The malicious payload includes the attacker's Anthropic API key, not yours
  4. Exfiltration: Claude uploads your data to the Anthropic Files API but to the attacker's account, since their API key was used

The attacker can then download your files from their own Anthropic account. Each upload can transfer up to 30MB, and multiple uploads can occur in sequence.

Real-World Impact: The Malicious README

Scenario: You clone a GitHub repository to review or contribute to it. The repo contains a README.md with invisible or obfuscated instructions embedded in the markdown.

When you run Claude Code and ask it to "summarize this project" or "help me understand this codebase", Claude reads the README, executes the hidden instructions, and:

  1. Reads your ~/.ssh/id_rsa private key
  2. Reads your ~/.env or .env files containing API keys and secrets
  3. Reads your ~/.aws/credentials or cloud provider configs
  4. Uploads all of it to the attacker's Anthropic Files storage

You see nothing suspicious: Claude appears to be helping you understand the codebase while silently exfiltrating your credentials in the background.

This is why claudemon monitors all Files API traffic and alerts you when an API key other than your own is being used.


API Key Injection Detection

How It Works

  1. Create a marker file: Use create_marker_file.sh to upload a uniquely-named file to your Anthropic Files API storage using your API key. You can create an API key at https://platform.claude.com/settings/keys.

  2. Configure claudemon: Pass the marker filename when starting the proxy:

     mitmdump -s claudemon.py --set marker_file_name="marker_abc123..."

  3. Detection: When any Files API call is intercepted, claudemon extracts the API key from the request and checks whether the marker file exists in the storage belonging to that key:

     • Found: the API key is yours, and the request proceeds normally
     • Not found: the API key may be injected, and a security warning is displayed

[Screenshot: security warning dialog]

Why This Works

Each API key has its own isolated file storage. If an attacker injects their API key into a request, they won't have your marker file in their storage. This mismatch triggers the warning, alerting you to the potential attack.
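The check described above, as an added stand-alone example (not claudemon's own code): the real addon runs inside mitmproxy and looks the marker up through the Files API with the intercepted key; here that lookup is an injected callable backed by a constructed per-key storage table, so the logic runs offline. Header names, the `/v1/files` path prefix and the placeholder keys are assumptions.

```python
# Added example, not claudemon's own code: a simplified, offline version of the
# marker-file check. The real addon looks the marker up through the Files API
# using the intercepted key; here the lookup is an injected callable (assumed).
from typing import Callable, Mapping, Optional

FILES_API_HOST = "api.anthropic.com"
FILES_API_PATH = "/v1/files"  # Files API endpoints live under this prefix


def extract_api_key(headers: Mapping[str, str]) -> Optional[str]:
    """Return the credential the client sent: x-api-key, or a Bearer token."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("x-api-key"):
        return lower["x-api-key"].strip()
    auth = lower.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[len("bearer "):].strip()
    return None


def is_files_api_request(host: str, path: str) -> bool:
    return host == FILES_API_HOST and path.startswith(FILES_API_PATH)


def classify_request(host: str, path: str, headers: Mapping[str, str],
                     marker_file_name: str,
                     marker_exists: Callable[[str, str], bool]) -> str:
    """"ignore": not a Files API call. "ok": the marker exists under the
    request's key, so the key is yours. "warn": no credential at all, or the
    marker is missing from that key's storage, i.e. a possibly injected key."""
    if not is_files_api_request(host, path):
        return "ignore"
    key = extract_api_key(headers)
    if key is None:
        return "warn"
    return "ok" if marker_exists(key, marker_file_name) else "warn"


# Constructed stand-in for per-key Files API storage: only the owner's key
# holds the marker file that create_marker_file.sh uploaded.
FAKE_STORAGE = {"sk-ant-OWNER-placeholder": {"marker_abc123", "notes.txt"}}


def fake_marker_exists(api_key: str, marker_file_name: str) -> bool:
    """Offline replacement for the Files API lookup (constructed data)."""
    return marker_file_name in FAKE_STORAGE.get(api_key, set())
```

A request carrying any key other than the owner's is classified "warn" even if that key is valid, which is exactly the mismatch the marker file is designed to surface.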

Requirements

| Requirement | Description |
|---|---|
| --set marker_file_name="..." | Required command line argument. The marker filename for injection detection. |

Prerequisites

Claude Code

If you don't already have Claude Code installed:

brew install claude-code

# If it won't run due to mark-of-the-web:
xattr -d com.apple.quarantine $(which claude)

# Setup and authenticate:
claude

mitmproxy

brew install mitmproxy

Trusting the mitmproxy CA Certificate

To avoid needing NODE_EXTRA_CA_CERTS for every proxied application, you can add the mitmproxy CA to your system trust store:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.mitmproxy/mitmproxy-ca-cert.pem

⚠️ Security Warning: Adding a CA certificate to your system trust store allows mitmproxy to intercept HTTPS traffic from any application on your system. This effectively enables man-in-the-middle decryption of encrypted connections.

Risk mitigation: The mitmproxy CA certificate is generated locally on your device during first run, meaning only someone with access to your ~/.mitmproxy/ directory can use it to intercept your traffic. Unlike a compromised public CA, this certificate cannot be exploited remotely.

Best practice: Only trust this certificate on development machines, and consider removing it when not actively using mitmproxy:

sudo security delete-certificate -c mitmproxy /Library/Keychains/System.keychain

Usage

0. Setup (one-off)

# Create a marker file (requires ANTHROPIC_API_KEY in env)
./create_marker_file.sh
# Outputs: marker_a1b2c3d4...

1. Start the interceptor

mitmdump -s claudemon.py --set marker_file_name="marker_abc123..."

2. Run Claude Code with the proxy

export HTTP_PROXY=http://localhost:8080
# mitmproxy's listener speaks plain HTTP on 8080 (TLS is tunnelled via CONNECT),
# so the proxy URL uses the http:// scheme even for HTTPS_PROXY
export HTTPS_PROXY=http://localhost:8080
export NODE_EXTRA_CA_CERTS=~/.mitmproxy/mitmproxy-ca-cert.pem
claude

Or use the included helper script which sets the required environment variables for you:

./proxy_claude.sh

Configuration Options

| Option | Default | Description |
|---|---|---|
| monitored_domains | "" | Additional domains to monitor (comma-separated). Added to the default: api.anthropic.com |
| extract_header | "Authorization" | Header to extract and display |
| approval_cache_mode | "none" | Cache mode: none (always ask), domain, or path |
| marker_file_name | "" | Required. Marker filename for API key injection detection (see above) |
