Security: Claude Code exposed Figma API token in conversation by running 'claude mcp list'

Resolved 💬 2 comments Opened Feb 6, 2026 by hrism Closed Mar 7, 2026

Security Incident Report

Summary

During a conversation, Claude Code autonomously ran claude mcp list and curl commands that exposed a Figma Personal Access Token value in the conversation data. This was done based on an unverified assumption that the token was the cause of a 403 error.

What happened

  1. mcp__figma__get_figma_data returned a 403 Forbidden error
  2. Claude Code assumed this was a token issue without confirming
  3. Claude Code ran claude mcp list which printed the full --figma-api-key=figd_xxxxx value into the conversation
  4. Claude Code then ran curl with the token value, further exposing it
  5. Claude Code later told the user to paste their new token into the conversation
  6. When the user questioned the safety of this, Claude Code reversed course — contradicting its own prior instruction

Impact

  • The token value was sent to Anthropic's API servers as part of conversation data
  • The token value was stored in local ~/.claude/history.jsonl
  • Claude Code never conclusively verified whether the token was actually invalid. A curl test returned "Invalid token", but this alone does not confirm the token is truly invalid (it could be a transient API issue, a difference in request handling, etc.). The token may have been a live credential at the time of exposure.

Root cause

  • Claude Code did not consider that claude mcp list would expose sensitive credential values in conversation output
  • Claude Code never verified the token's validity before exposing it — it assumed the token was invalid based on a single curl response, and used that unverified assumption to justify exposing and handling the token carelessly
  • No safeguard prevented credentials from being printed into conversation context

Expected behavior

  • claude mcp list output containing API keys should be redacted or Claude Code should avoid running commands that expose credentials in conversation
  • Claude Code should not instruct users to paste credentials into conversations
  • Claude Code should verify root causes before taking actions that expose sensitive data

Environment

  • Claude Code CLI
  • figma-developer-mcp (stdio)
  • macOS

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗