a guy hacked perplexity computer for "unlimited claude code" by pulling a token out of the claude code runtime..and it looked free for ~18 hours

the mechanism was almost boring: npm reads ~/.npmrc, so he added a node preload script that ran before claude code and dumped env vars..including the proxy token used to reach claude

he moved that token to his own laptop and ran opus calls through perplexity’s proxy. Then, he watched credits not move (his report)..so he concluded (prematurely) that it was a master key.

@perplexity_ai cofounder Denis Yarats jumped in: the token wasn’t a hidden api key..it was session bound and billed to the user..the free part was likely async billing delay

the real escalation came after..he built a malicious skill to see if an agent could be tricked into installing code that auto exfiltrates that token, letting someone else run claude through your session while you pay

my takeaway: agent security isn’t about jailbreaks..it’s about how casually we let filesystems, env vars, and portable tokens touch each other 👀
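
Added example, not part of the original post: a defender-side check for the pattern described above, an npm config that preloads code into Node plus credentials sitting in the environment where that code can read them. The post does not say which `.npmrc` setting was used; this sketch assumes npm's `node-options`, and the function names and sample values are constructed for illustration.

```javascript
// Added example: audit npm config text and an environment for the
// preload-plus-token pattern. Assumption: the preload was wired in through
// npm's `node-options` setting, which npm hands to Node.js via NODE_OPTIONS
// when it runs lifecycle scripts.
const PRELOAD_FLAG = /(?:^|\s)(?:--require|-r|--import)(?:[=\s]|$)/;
const SECRET_NAME = /TOKEN|SECRET|API_?KEY|PASSWORD|AUTH/i;

// Parse ini-style npmrc text into { line, key, value }, skipping comments.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || line.startsWith(';') || eq < 0) return;
    const key = line.slice(0, eq).trim().toLowerCase();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    entries.push({ line: i + 1, key, value });
  });
  return entries;
}

// Flag node-options entries that load a module before the real program starts.
function auditNpmrc(text) {
  return parseNpmrc(text)
    .filter((e) => e.key === 'node-options' && PRELOAD_FLAG.test(e.value))
    .map((e) => ({ line: e.line, key: e.key, value: e.value }));
}

// Report whether NODE_OPTIONS already carries a preload, and which variable
// names look like credentials a preload could read. Values are never
// returned, so the report itself is safe to log.
function auditEnv(env) {
  return {
    preloadInNodeOptions: PRELOAD_FLAG.test(env.NODE_OPTIONS || ''),
    secretLikeNames: Object.keys(env).filter((k) => SECRET_NAME.test(k)).sort(),
  };
}

// Constructed sample input, not taken from the incident.
const SAMPLE_NPMRC = [
  '; user config',
  'registry=https://registry.npmjs.org/',
  'node-options=--require /tmp/example-preload.js',
].join('\n');
const SAMPLE_ENV = { PATH: '/usr/bin', EXAMPLE_PROXY_TOKEN: 'constructed', HOME: '/home/user' };

console.log(auditNpmrc(SAMPLE_NPMRC));
console.log(auditEnv(SAMPLE_ENV));
```

Run it over the contents of the user and project `.npmrc` files and over `process.env` before an agent runtime starts; a hit in both reports means a preload would see those credentials.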