Claude Code logs partial keystrokes and stores plaintext emails in ~/.claude.json

Resolved 💬 14 comments Opened Jun 29, 2025 by mBZfeOYVzwwl Closed Jan 21, 2026

Claude Code is actively capturing and storing highly sensitive user input, including partial and unsent keystrokes, alongside plaintext OAuth account metadata (email, user IDs, organization IDs), all within its ~/.claude.json file. This behavior has been specifically verified on Windows Subsystem for Linux (WSL) environments.

The ~/.claude.json file grows indefinitely, creating an unencrypted, detailed log of user interactions and sensitive information. The OAuth metadata storage is particularly egregious as it's completely unnecessary after initial authentication - the app remains logged in even when this data is removed, meaning user emails are being stored alongside partial keystrokes for no functional reason.

For a full technical breakdown, and a temporary mitigation script, please see my claude-privacy-cleaner repository.

View original on GitHub ↗

This issue has 14 comments on GitHub. Read the full discussion on GitHub ↗