[MODEL] Claude Code reads internal ~/.claude/projects/tool-results files from previous sessions without user request
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude accessed files outside the working directory
What You Asked Claude to Do
I asked Claude to read a specific backup file:
"Tôi cho bạn xem /Users/colin/Desktop/astrostock/backup/SESSION_mong_1_tet.md"
(Translation: "Let me show you /Users/colin/Desktop/astrostock/backup/SESSION_mong_1_tet.md")
This was a simple, explicit request to read ONE specific file. Nothing else.
What Claude Actually Did
- Claude read the requested file (SESSION_mong_1_tet.md) — this was correct.
- Claude ALSO silently read an internal file from a PREVIOUS session without being asked:
Read(~/.claude/projects/-Users-colin-Desktop-astrostock/22303301-163b-4a1e-9c82-95d3e3e8240f/tool-results/toolu_01SZ5LsNT98oK4ZjMCUBkNah.txt)
- No permission prompt was shown for the internal file read.
- The internal file is a tool-results artifact from a completely different session (session ID 22303301-163b-4a1e-9c82-95d3e3e8240f).
- This is the SECOND time I have observed this exact behavior — Claude autonomously accessing its own internal session history files when only asked to read a user-specified file.
Expected Behavior
- Claude should ONLY read the file explicitly requested by the user.
- If Claude believes additional files would be helpful, it should ASK the user before reading them.
- Internal ~/.claude/projects//tool-results/ files from previous sessions should NEVER be read unless explicitly requested.
- These files contain potentially sensitive context from past work sessions and should not leak into the current session without user consent.
Files Affected
Requested (correct):
- ~/Desktop/astrostock/backup/SESSION_mong_1_tet.md
Read without permission (unauthorized):
- ~/.claude/projects/-Users-colin-Desktop-astrostock/22303301-163b-4a1e-9c82-95d3e3e8240f/tool-results/toolu_01SZ5LsNT98oK4ZjMCUBkNah.txt
Permission Mode
Accept Edits was OFF (manual approval required)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Have a project with existing Claude Code session history in ~/.claude/projects/
- Start a new Claude Code session in the same project directory
- Ask Claude to read a specific file (e.g., a backup .md file)
- Observe that Claude also reads internal tool-results files from previous sessions without asking
Claude Model
Opus
Relevant Conversation
User prompt: "Ồ tôi quên, đây là file ghi lại backup những gì tôi đã làm và tất nhiên việc giao tiếp phải sửa lại, sửa lại rất nhiều. Tôi cho bạn xem /Users/colin/Desktop/astrostock/backup/SESSION_mong_1_tet.md"
Claude's actions (in order):
1. Read(~/Desktop/astrostock/backup/SESSION_mong_1_tet.md) — Read 1155 lines ✓
2. "File dài quá, tôi đọc tiếp phần còn lại."
3. Read(~/.claude/projects/-Users-colin-Desktop-astrostock/22303301-163b-4a1e-9c82-95d3e3e8240f/tool-results/toolu_01SZ5LsNT98oK4ZjMCUBkNah.txt) — NOT REQUESTED ✗
4. Read(~/Desktop/astrostock/backup/SESSION_mong_1_tet.md) — Read 300 lines (continuing)
5. [Repeated reads of the backup file in chunks: 300, 300, 300, 200, 58, 1 lines]
6. Claude then summarized the content as if all reads were normal.
The unauthorized read at step 3 was inserted between legitimate reads of the requested file, with no explanation or permission request.
Impact
Medium - Extra work to undo changes
Claude Code Version
2.1.63(Claude Code)
Platform
Anthropic API
Additional Context
See attached screenshot showing Claude reading an internal tool-results file (step 3 in the Read sequence) that was not requested. The unauthorized Read call is clearly visible between the legitimate reads of the requested backup file.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗