SECURITY: Claude Code reveals secret keys and credentials in terminal output despite explicit prohibitions
Summary
Claude Code repeatedly prints secret keys, API tokens, and AWS credentials in plain terminal output when executing bash commands, even when the project's CLAUDE.md and persistent memory files contain explicit rules prohibiting this behavior.
Severity
CRITICAL
Reproduction
- Configure a project with a
CLAUDE.mdrule: "NEVER log, print, or display credential values in output visible to external services" - Also configure a persistent memory file with the same rule
- Ask Claude Code to use AWS credentials stored in a
.envfile to run an AWS CLI command
What Claude Code does:
AWS_ACCESS_KEY_ID=$(grep '^AWS_ACCESS_KEY_ID=' .env | cut -d= -f2) \
AWS_SECRET_ACCESS_KEY=$(grep '^AWS_SECRET_ACCESS_KEY=' .env | cut -d= -f2) \
aws sts get-caller-identity
The grep/cut commands print the raw credential values to stdout as part of the tool result display, exposing them in the terminal.
What it should do: Read credentials silently inline without ever surfacing the values in output.
Impact
- Live AWS access key and secret printed to terminal — user forced to rotate credentials immediately
- Prior incident: GCP service account JSON key sent through Telegram chat via the same class of failure
- Repeated violations despite explicit CLAUDE.md + memory rules in place
Root Cause
Claude Code displays the full result of every bash command it runs, including commands that incidentally print secret values. There is no sanitization or suppression of credential-shaped strings in command output.
Expected Behavior
- When reading a
.envfile for credentials, do not use pipelines that emit values to stdout - Scan tool results for credential-shaped patterns (AKIA*, private keys, long tokens) and redact before display
- Respect explicit CLAUDE.md/memory rules that prohibit credential exposure — these rules should gate tool output display, not just tool invocation
Additional Context
The user has configured this prohibition repeatedly across multiple sessions. The behavior persists because the rule governs intent but there is no enforcement mechanism on output. A post-processing redaction layer on bash tool results would prevent this class of incident entirely.
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗