Anthropic API Key Format Exposed in Error Messages, Aiding Attackers
A high-severity security vulnerability has been identified where error messages in an application's code explicitly reveal the expected format for Anthropic API keys. This information disclosure provides attackers with critical intelligence for crafting targeted attacks.
The vulnerability is located in the `src/services/anthropic.ts` file. When an API key that fails validation is submitted, the code throws an error whose message reads: `Invalid Anthropic API key format. Key should start with 'sk-ant-'. Your key has an invalid prefix.` This not only confirms that a key validation mechanism exists but also reveals the exact prefix (`sk-ant-`) that a legitimate key must carry.
This exposure significantly lowers the barrier for malicious actors. By knowing the precise format, attackers can craft more convincing phishing attempts and social engineering schemes, as they can generate fake keys that appear structurally valid. The disclosure of internal validation logic provides a roadmap for probing system defenses, increasing the risk of targeted credential harvesting and unauthorized access attempts against services using this Anthropic client.
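The remediation, as an added example rather than the project's own `src/services/anthropic.ts`: the vulnerable form quoted above is shown beside a hardened validator that keeps the same prefix check but returns only a generic message to the caller and records the specific reason in an internal audit record. The function names, the `InvalidApiKeyError` class, the `KeyCheckAudit` shape and the sample key value are assumptions.

```typescript
// Added example, not the original src/services/anthropic.ts.
const ANTHROPIC_KEY_PREFIX = "sk-ant-"; // prefix named in the advisory

// Generic client-facing error: says the key is invalid, nothing about why.
export class InvalidApiKeyError extends Error {
  constructor() {
    super("Invalid Anthropic API key.");
    this.name = "InvalidApiKeyError";
  }
}

// Internal record of the check; in a real service this is written to
// server-side logs only and never returned to the caller.
export interface KeyCheckAudit {
  ok: boolean;
  reason: "ok" | "empty" | "bad-prefix";
}

// Before (the vulnerable behaviour the advisory describes): the expected
// prefix is echoed back to whoever submitted the key.
export function validateKeyVerbose(key: string): void {
  if (!key.startsWith(ANTHROPIC_KEY_PREFIX)) {
    throw new Error(
      `Invalid Anthropic API key format. Key should start with '${ANTHROPIC_KEY_PREFIX}'. Your key has an invalid prefix.`,
    );
  }
}

// After: identical check, but the detailed reason stays internal and the
// caller receives only the generic InvalidApiKeyError.
export function validateKey(key: string, audit: KeyCheckAudit[] = []): void {
  const reason: KeyCheckAudit["reason"] =
    key.length === 0 ? "empty" : key.startsWith(ANTHROPIC_KEY_PREFIX) ? "ok" : "bad-prefix";
  audit.push({ ok: reason === "ok", reason });
  if (reason !== "ok") {
    throw new InvalidApiKeyError();
  }
}

// Captures the message a caller would observe ("" when validation passes).
export function callerMessage(fn: (k: string) => void, key: string): string {
  try {
    fn(key);
    return "";
  } catch (e) {
    return (e as Error).message;
  }
}
```

The caller-visible message for a rejected key drops from the sentence quoted in the advisory to a plain "Invalid Anthropic API key.", while the audit record still distinguishes an empty key from a wrong prefix for operators.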