openclaude Security: What to Check Before Running a Leaked-Source Claude Code Fork

openclaude hit 895 stars and 421 forks in the days after the Claude Code source leak. If you are running it or considering it, here is a clear picture of what it actually is and where the real risks lie.

What openclaude is

openclaude is a fork of the leaked Anthropic Claude Code source that replaces the Claude-only backend with an OpenAI-compatible provider shim. You can run the full Claude Code toolset — bash, file read/write/edit, grep, glob, MCP, multi-agent tasks — against GPT-4o, Gemini, DeepSeek, Ollama, or any model that speaks the OpenAI chat completions API.

It is a CLI tool. You run it from the terminal the same way you run claude. There is no server, no port, no auth gateway. Configuration is entirely via environment variables:

export CLAUDE_CODE_USE_OPENAI=1
export OPENAI_BASE_URL=https://api.openai.com/v1
export OPENAI_MODEL=gpt-4o
export OPENAI_API_KEY=sk-...
openclaude

The npm package is @gitlawb/openclaude and the binary is openclaude.

The actual security risks

1. It is derived from leaked Anthropic source (legal risk)

openclaude is built on ~512,000 lines of Anthropic proprietary TypeScript that leaked via a missing .npmignore on March 31 2026. Anthropic has filed DMCA takedown notices against multiple repositories, including the upstream claw-code fork and openclaude.

This is not a runtime security issue — it is a legal and supply chain risk. If @gitlawb/openclaude or openclaude-core appear in your package.json, you are shipping code under active DMCA enforcement.

npx ship-safe legal .

ship-safe legal flags both packages as leaked-source derivatives.

2. Your profile file may expose API keys

openclaude stores named profiles in .openclaude-profile.json in your working directory. This file holds an env object containing whatever environment variables you configured — including OPENAI_API_KEY and OPENAI_BASE_URL.

openclaude's own repository lists this file in its .gitignore, but a .gitignore is not inherited: the profile is written into whatever directory you run openclaude from, and your project's .gitignore only excludes it if you add the rule yourself. In a project that has not, the file shows up as untracked and a careless git add -A commits your API key. Copying the profile by hand into a new project has the same effect.

Check your project .gitignore includes:

.openclaude-profile.json

ship-safe audit . will flag the profile file if present, reminding you to verify it is excluded from version control. Note that adding the rule after the fact does not untrack a file that was already committed: the key is then in git history and should be rotated, not just removed.

3. Insecure provider URL

If you are running openclaude against a local or self-hosted model and set OPENAI_BASE_URL to an http:// endpoint that is not on the same host, all LLM traffic is sent over unencrypted HTTP. That includes your prompts, the file contents and code context the tools feed to the model, the model's responses, and the Authorization header carrying OPENAI_API_KEY, so anyone on the path can read the conversation and replay the key. Only loopback addresses (localhost, 127.0.0.1, ::1) stay on the machine; a LAN IP or an internal hostname does not.

# Insecure: traffic is plaintext on the network
export OPENAI_BASE_URL=http://my-server.internal/v1

# Secure: use https or limit to localhost
export OPENAI_BASE_URL=https://my-server.internal/v1
export OPENAI_BASE_URL=http://localhost:11434/v1  # Ollama local — fine

ship-safe checks .openclaude-profile.json and flags any non-localhost OPENAI_BASE_URL using http://.
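The two profile checks above (credentials stored in .openclaude-profile.json and a plaintext provider URL) are simple enough to script yourself. The following is an added example written for this article, not ship-safe's code and not part of openclaude. It assumes a profile layout in which each named profile carries an env object, as the page describes; since the exact schema is not spelled out, the walker picks up every env mapping wherever it sits in the JSON. It treats only localhost, 127.0.0.1 and ::1 as local, and the sample profile and .gitignore are constructed inline so it runs offline.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample profile. The schema (profiles -> name -> env) is an
# assumption; iter_env_blocks() does not depend on it.
SAMPLE_PROFILE = json.dumps({
    "profiles": {
        "ollama": {"env": {"OPENAI_BASE_URL": "http://localhost:11434/v1",
                           "OPENAI_MODEL": "llama3"}},
        "lab": {"env": {"OPENAI_BASE_URL": "http://my-server.internal/v1",
                        "OPENAI_API_KEY": "sk-constructed-example-key"}},
    }
})

# Constructed sample .gitignore that forgot the profile file.
SAMPLE_GITIGNORE = "node_modules/\n.env\n"

PROFILE_NAME = ".openclaude-profile.json"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Env names that usually carry credentials (a heuristic, not a full secret scanner).
SECRET_KEY_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)$", re.IGNORECASE)


def iter_env_blocks(node, path="$"):
    """Yield (json_path, env_dict) for every 'env' mapping in the document."""
    if isinstance(node, dict):
        env = node.get("env")
        if isinstance(env, dict):
            yield path, env
        for key, value in node.items():
            if key != "env":
                yield from iter_env_blocks(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_env_blocks(value, f"{path}[{i}]")


def check_base_url(url):
    """Return a finding for a plaintext non-local provider URL, else None."""
    parts = urlsplit(url)
    if parts.scheme == "http" and (parts.hostname or "").lower() not in LOCAL_HOSTS:
        return f"plaintext OPENAI_BASE_URL to non-local host {parts.hostname}"
    if parts.scheme not in ("http", "https"):
        return f"unexpected OPENAI_BASE_URL scheme {parts.scheme!r}"
    return None


def gitignore_covers(gitignore_text, filename):
    """True if a non-comment .gitignore line names the file exactly
    (bare name or /name); glob rules are deliberately not evaluated."""
    for line in gitignore_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lstrip("/") == filename:
            return True
    return False


def audit_profile(profile_text, gitignore_text):
    """Return a sorted list of findings for one profile file and its .gitignore."""
    findings = []
    for where, env in iter_env_blocks(json.loads(profile_text)):
        for name, value in env.items():
            if SECRET_KEY_RE.search(name) and value:
                findings.append(f"{where}: {name} stores a credential in the profile file")
        url = env.get("OPENAI_BASE_URL")
        if url:
            problem = check_base_url(url)
            if problem:
                findings.append(f"{where}: {problem}")
    if not gitignore_covers(gitignore_text, PROFILE_NAME):
        findings.append(f"{PROFILE_NAME} is not listed in .gitignore")
    return sorted(findings)


def audit_directory(root):
    """Run audit_profile against a real working directory."""
    root = Path(root)
    profile = root / PROFILE_NAME
    if not profile.exists():
        return []
    gitignore = root / ".gitignore"
    return audit_profile(profile.read_text(),
                         gitignore.read_text() if gitignore.exists() else "")


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, SAMPLE_GITIGNORE):
        print("WARN", finding)
```

Against the constructed sample this reports the API key stored in the lab profile, the plaintext URL to my-server.internal, and the missing .gitignore entry, while the Ollama profile on localhost passes. Point audit_directory('.') at a real checkout to run the same checks; if the profile was ever committed, treat the key as exposed regardless of what .gitignore says now.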

The ToxicSkills problem

Snyk's ToxicSkills research found that 36% of AI agent skills contain security flaws, with 1,467 skills in the wild carrying active malicious payloads. The attack patterns they found include:

Pattern                    What it does
Silent curl exfiltration   Skill instructs the agent to POST data to an external server without showing the output
System prompt override     Skill attempts to replace the agent's instructions mid-session
Credential harvesting      Skill reads `~/.npmrc`, `~/.ssh`, `~/.aws` and sends the contents outbound
Output suppression         Skill explicitly instructs the agent not to report what it is doing

openclaude exposes the same tool surface as Claude Code (bash, file read/write, grep) and runs with whatever permissions your shell user has. A malicious skill therefore has the same blast radius it would under Claude Code: anything you can read or execute, the agent can read or execute on the skill's instruction.

Before installing any skill:

npx ship-safe scan-skill <skill-url>

ship-safe scan-skill checks for all six ToxicSkills attack patterns, known malicious SHA-256 hashes, data exfiltration service domains, and permission escalation attempts.

Auditing your setup

# Check for legal risk in package.json
npx ship-safe legal .

# Full audit including agent config and profile file checks
npx ship-safe audit .

# Scan a specific skill before installing
npx ship-safe scan-skill https://example.com/skill.md

Summary

openclaude is a CLI tool, not a server. It does not bind to any port or expose a gateway. The risks are:

  • Legal: DMCA-covered leaked Anthropic source
  • Credential exposure: .openclaude-profile.json committed to git
  • Unencrypted LLM traffic: OPENAI_BASE_URL over http:// to non-localhost
  • Malicious skills: ToxicSkills payloads if skills are installed without vetting

Use ship-safe legal . and ship-safe audit . to check all of these automatically.