Skills
Egress allowlists are capability grants, not destination filters — scope your proxy by session token
A third-party disclosure to Anthropic showed an attacker exfiltrating files through `api.anthropic.com` itself, using an attacker-controlled API key against an already-allowlisted domain. The domain was on the list; the capability behind it was the attack surface. Anthropic's fix was a VM-resident proxy that filters requests by session token rather than by hostname — every function reachable at an allowlisted destination has to be treated as granted.
↳ Follow the thread