SECURITY: Claude Code reveals secret keys and credentials in terminal output despite explicit prohibitions

Resolved 💬 8 comments Opened Mar 9, 2026 by castours-dev Closed May 1, 2026

Summary

Claude Code repeatedly prints secret keys, API tokens, and AWS credentials in plain terminal output when executing bash commands, even when the project's CLAUDE.md and persistent memory files contain explicit rules prohibiting this behavior.

Severity

CRITICAL

Reproduction

  1. Configure a project with a CLAUDE.md rule: "NEVER log, print, or display credential values in output visible to external services"
  2. Also configure a persistent memory file with the same rule
  3. Ask Claude Code to use AWS credentials stored in a .env file to run an AWS CLI command

What Claude Code does:

AWS_ACCESS_KEY_ID=$(grep '^AWS_ACCESS_KEY_ID=' .env | cut -d= -f2) \
AWS_SECRET_ACCESS_KEY=$(grep '^AWS_SECRET_ACCESS_KEY=' .env | cut -d= -f2) \
aws sts get-caller-identity

The grep/cut commands print the raw credential values to stdout as part of the tool result display, exposing them in the terminal.

What it should do: Read credentials silently inline without ever surfacing the values in output.

Impact

  • Live AWS access key and secret printed to terminal — user forced to rotate credentials immediately
  • Prior incident: GCP service account JSON key sent through Telegram chat via the same class of failure
  • Repeated violations despite explicit CLAUDE.md + memory rules in place

Root Cause

Claude Code displays the full result of every bash command it runs, including commands that incidentally print secret values. There is no sanitization or suppression of credential-shaped strings in command output.

Expected Behavior

  1. When reading a .env file for credentials, do not use pipelines that emit values to stdout
  2. Scan tool results for credential-shaped patterns (AKIA*, private keys, long tokens) and redact before display
  3. Respect explicit CLAUDE.md/memory rules that prohibit credential exposure — these rules should gate tool output display, not just tool invocation

Additional Context

The user has configured this prohibition repeatedly across multiple sessions. The behavior persists because the rule governs intent but there is no enforcement mechanism on output. A post-processing redaction layer on bash tool results would prevent this class of incident entirely.

View original on GitHub ↗

This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗