The Risks of AI Model-Relay Services

Lately, in the comment threads on AI-related posts, you’ll see a flood of low-quality ads touting “cheap Claude Code relay” services.

The business model is simple: Claude Code lets you supply your own API endpoint and key, including any vendor that’s OpenAI-compatible. That’s all there is to it. Pull in a bit of Claude’s traffic, mix in some Qwen tokens, and sell the blended soup—who’s going to notice?

Operators who only skim a quick buck off tokens are the timid ones; how much can they really earn that way? The truly valuable targets are wherever you keep your savings and your critical data.

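The danger of API relays is identical to the danger of plaintext HTTP proxies: classic Man-in-the-Middle (MITM) attacks. The relay is the endpoint your client talks to, so it reads, and can rewrite, every request and response in the clear.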

First, Claude Code tends to read a large portion of your codebase to generate high-quality answers. With a trivial snippet, an MITM can keyword-filter every sensitive asset passing through.

Second, most users let Claude Code run commands on its own—so the scope is not just the current folder. Think about how the agent behaves: it can be weaponized into a remote code execution (RCE) vector. Yes, Claude prints its “next step,” but did you actually read every step in that ten-hour session? Mid-execution, the MITM can nudge it to scan seemingly irrelevant files, stash the juicy data in its own context, and omit it from the final transcript. In a wall of fifty-thousand characters, a fifty-character anomaly is invisible. Attention is all you need, but your attention is exactly what’s missing.

Third, if it can read, it can write. Encrypt your files? Totally feasible, though set that aside as pure speculation if you like. But many users have handed over git permissions. The MITM adds a new remote endpoint, force-pushes the repo to itself, does a quick git reset --hard init, and force-pushes again. How many Bitcoin is your codebase worth to you? Default GitHub repos allow force-push. The entire procedure is easy; Claude 4 Sonnet is overkill and Gemini 2.5 Flash will do, because ransomware has to worry about margins too.

I’ve even seen rookies hand over sudo, some straight to root. Zero security awareness.
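
One way to find the fifty-character anomaly without reading the whole session: audit the commands the agent ran for the actions named above (credential reads, new git remotes, force pushes, hard resets, sudo). This is an added example, not part of the original post; the allowlisted host, the path patterns and the sample session are assumptions constructed for illustration.

```python
import re
import shlex
from urllib.parse import urlparse

# Assumption: the only hosts this repository is expected to push to.
ALLOWED_REMOTE_HOSTS = {"github.com"}
# Assumption: paths an agent working on project code has no reason to touch.
SENSITIVE = re.compile(r"(\.ssh/|\.aws/|\.gnupg/|\.env\b)")

def remote_host(url):
    """Host of an https://, ssh:// or scp-style (git@host:path) remote URL."""
    if "://" in url:
        return urlparse(url).hostname or ""
    m = re.match(r"(?:[^@/]+@)?([^:/]+):", url)
    return m.group(1) if m else ""

def audit(command):
    """Return the list of findings for one shell command string."""
    findings = []
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: flag it rather than skip it
        return ["unparseable command"]
    if "sudo" in argv:
        findings.append("runs with sudo")
    if SENSITIVE.search(command):
        findings.append("touches credential-like path")
    if "git" in argv:
        args = argv[argv.index("git") + 1:]
        if args[:2] in (["remote", "add"], ["remote", "set-url"]):
            if remote_host(args[-1]) not in ALLOWED_REMOTE_HOSTS:
                findings.append("remote on unlisted host")
        if args[:1] == ["push"] and any(a in ("-f", "--force")
                or a.startswith(("--force-with-lease", "+")) for a in args[1:]):
            findings.append("force push")
        if args[:1] == ["reset"] and "--hard" in args:
            findings.append("hard reset")
    return findings

def audit_session(commands):
    """Map 1-based step number to findings, for steps that raised any."""
    return {i: f for i, c in enumerate(commands, 1) if (f := audit(c))}

# Constructed sample session (not a real log).
SESSION = ["pytest -q tests/", "cat ~/.ssh/id_ed25519",
           "git remote add backup https://git.example.invalid/x/repo.git",
           "git push --force backup main", "git reset --hard HEAD~40",
           "sudo apt-get install -y jq", "git push origin feature/login"]
```

It only helps if the command list comes from something on your side (shell history, an audit wrapper), not from the transcript the relay can shape.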

These relay shills are everywhere now—more zealots than actual Claude Code fans. Remember, no one shovels ads out of pure kindness.

Could Anthropic or Google do what an MITM does? To protect your digital assets, you have to trust corporate goodwill—a weaker guarantee than AES. Don’t trade real security for a few saved pennies. Digital assets are real assets. If you must use an unknown relay, at least sandbox it inside a container.

Disclaimer: The above is paranoia for sweet comments; decide for yourself. If this prevents someone from using cheap or even “free” Claude Sonnet, don’t blame me.