Security: Claude Code exposed Figma API token in conversation by running 'claude mcp list'
Resolved 💬 2 comments Opened Feb 6, 2026 by hrism Closed Mar 7, 2026
Security Incident Report
Summary
During a conversation, Claude Code autonomously ran claude mcp list and curl commands that exposed a Figma Personal Access Token value in the conversation data. This was done based on an unverified assumption that the token was the cause of a 403 error.
What happened
mcp__figma__get_figma_datareturned a 403 Forbidden error- Claude Code assumed this was a token issue without confirming
- Claude Code ran
claude mcp listwhich printed the full--figma-api-key=figd_xxxxxvalue into the conversation - Claude Code then ran
curlwith the token value, further exposing it - Claude Code later told the user to paste their new token into the conversation
- When the user questioned the safety of this, Claude Code reversed course — contradicting its own prior instruction
Impact
- The token value was sent to Anthropic's API servers as part of conversation data
- The token value was stored in local
~/.claude/history.jsonl - Claude Code never conclusively verified whether the token was actually invalid. A
curltest returned "Invalid token", but this alone does not confirm the token is truly invalid (it could be a transient API issue, a difference in request handling, etc.). The token may have been a live credential at the time of exposure.
Root cause
- Claude Code did not consider that
claude mcp listwould expose sensitive credential values in conversation output - Claude Code never verified the token's validity before exposing it — it assumed the token was invalid based on a single curl response, and used that unverified assumption to justify exposing and handling the token carelessly
- No safeguard prevented credentials from being printed into conversation context
Expected behavior
claude mcp listoutput containing API keys should be redacted or Claude Code should avoid running commands that expose credentials in conversation- Claude Code should not instruct users to paste credentials into conversations
- Claude Code should verify root causes before taking actions that expose sensitive data
Environment
- Claude Code CLI
- figma-developer-mcp (stdio)
- macOS
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗