Claude Code mislabels backend, leaks API tokens

Anthropic's Claude Code client routes requests to DeepSeek's V4 Pro model while claiming to be Claude Opus 4.8, and stores the API token in plaintext [DevTo]. The client's ~/.claude/settings.json file contains hard-coded keys for the Anthropic namespace, including ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, and ANTHROPIC_MODEL. The client builds the system prompt with a static string “You are Claude Opus 4.8, Anthropic’s AI assistant…”, regardless of the actual backend URL [HackerOne].

The model admitted its identity comes solely from the system prompt during a routine query. The same configuration file keeps the authentication token in clear text. Because Claude Code's Read tool can access any user-owned file, a prompt like “read my settings.json” returns the token to the model, which then includes it in subsequent API calls [GitHub]. This exposure path matches two known vulnerabilities: CVE-2026-25725 and GHSA-2jjv-qv24-fvm4.

Anthropic's security team closed the report as “Informative”, citing local storage of credentials is outside the VDP scope and the Read tool's behavior is “intended functionality”. The issue was logged as enhancement #69067, tagged providers.

Claude Code's design flaw allows identity spoofing, where users see “Claude” in the UI and assume Anthropic's model is running. When the backend is a third-party service, errors or data-policy violations are mistakenly blamed on Anthropic. The plaintext token leakage gives attackers a free pass, exposing privileged credentials to any party that can intercept the request. Anthropic's VDP scope leaves the real risk unaddressed by excluding local credential storage from bounty eligibility, shifting remediation responsibility to users despite the client-side code being the root cause [DevTo].