How so? From what I understand, all requests have to be proxied through OneCLI so that the agent can't see your keys.
OneCLI assumes that the proxy is fully trusted by the agent and it still has authorized access to your accounts.
What happens when the agent environment is breached? All you need is the fake key + URL of the proxy and that maps to your real keys and you can make authorized requests outside of the agent.
The real keys don't have to be leaked, just the fake ones have to map to the real ones; so unless they are rotated, this is a problem.
It used to be that people didn't read the article, now they don't even read the headline.