Hacker News

Tiberium, yesterday at 9:09 PM (7 replies)

A bit unrelated, but if you ever find a malicious use of Anthropic APIs like that, you can just upload the key to a GitHub Gist or a public repo - Anthropic is a GitHub scanning partner, so the key will be revoked almost instantly (you can delete the gist afterwards).

It works for a lot of other providers too, including OpenAI (which also has file APIs, by the way).

https://support.claude.com/en/articles/9767949-api-key-best-...

https://docs.github.com/en/code-security/reference/secret-se...


Replies

securesamly, yesterday at 10:26 PM

I wouldn’t recommend this. What if GitHub’s token scanning service went down? Ideally GitHub should expose a universal token revocation endpoint. Alternatively, do this in a private repo and enable token revocation (if it exists).

mucle6, yesterday at 9:50 PM

Haha this feels like you're playing chess with the hackers

trees101, yesterday at 10:13 PM

Why would you do that rather than just revoking the key directly in the Anthropic console?

nh2, yesterday at 10:37 PM

So that after the attackers exfiltrate your file to their Anthropic account, now the rest of the world also has access to that Anthropic account and thus your files? Nice plan.

sebmellen, yesterday at 9:10 PM

Pretty brilliant solution, never thought of that before.

lanfeust6, yesterday at 10:10 PM

Could this not lead to a penalty on the GitHub account used to post it?
