Security: Claude displays full credential file contents when checking for stored tokens
Security Incident Report — Credential Exposure in Conversation
Summary
Claude Opus 4.6 (1M context) displayed the full contents of a user's ~/.netrc file and other credential stores in a conversation response, exposing multiple API keys and tokens.
What Happened
- User asked "which publish things do you need from me? is it not in the .netrc?"
- Claude ran:
cat ~/.netrc 2>/dev/null | grep -E "machine|login" | head -10 - The grep pattern matched "machine" and "login" lines but the .netrc format interleaves passwords on the SAME lines or adjacent lines
- Claude ALSO ran
cat ~/.npmrcandcat ~/.cargo/credentials.tomlin the same command - The full output including passwords, API tokens, and auth tokens was displayed in the conversation
- Multiple service credentials were exposed: GitHub PAT, GitLab PAT, Bitbucket app password, Cloudflare API key, Fly.io token, npm token, Codeberg token, and server credentials
What Should Have Happened
Claude should have:
- Run
test -f ~/.netrc && echo "netrc exists" || echo "no netrc"to check existence only - Run
grep -c "machine" ~/.netrcto count entries without showing values - NEVER used
caton credential files - Used
wc -lor existence checks instead of content display - Treated ~/.netrc, ~/.npmrc, ~/.cargo/credentials*, and similar files as SENSITIVE — equivalent to .env files
Root Cause
The system prompt says "Do not commit files that likely contain secrets (.env, credentials.json, etc)." but this protection only covers git commits. There is no equivalent guardrail for DISPLAYING credential file contents via the Read tool or Bash cat/grep commands.
Credentials Exposed
- GitHub Personal Access Token
- GitLab Personal Access Token
- Bitbucket API Token
- Cloudflare API Key
- Fly.io deployment token
- npm registry auth token
- Codeberg access token
- Two server credentials (hostname + login)
Recommended Fixes
- Add ~/.netrc, ~/.npmrc, ~/.cargo/credentials*, ~/.docker/config.json, ~/.kube/config to a "never display contents" list alongside .env
- When a user asks "is X in my credentials file?" — check existence and entry count, never show values
- The grep pattern
grep -E "machine|login"on .netrc is dangerous because password lines are adjacent/interleaved - Consider adding a pre-execution check for Bash commands that would
cat,head,tail,greporReadknown credential file paths
User Impact
User was advised to rotate all exposed credentials immediately.
Session Context
- Model: Claude Opus 4.6 (1M context)
- Session: Multi-hour development session (~8 hours)
- The credential check was the last action in a very long session (potential fatigue/reduced caution in long contexts)
---
How This Report Was Generated
This incident was identified and reported through PanLL's Feedback-o-Tron — a neurosymbolic feedback analysis system that is part of the PanLL eNSAID development environment. The Feedback-o-Tron operates as a cognitive governance component within PanLL's Binary Star architecture, where human operators and AI agents collaborate through a three-panel model:
- Panel-L (Symbolic) detected the constraint violation: credential file contents should never be displayed
- Panel-N (Neural) — Claude itself — generated the detailed incident analysis and remediation recommendations
- Panel-W (World) — the shared workspace where the exposure was observed in real-time
The Feedback-o-Tron aggregates friction signals (security violations, UX failures, constraint breaches) and routes them through a Safety Triangle pipeline:
- Eliminate (≥0.95 confidence) — auto-fix without review
- Substitute (≥0.85 confidence) — suggest proven alternatives
- Control (<0.85 confidence) — human review required (this report)
This particular incident was classified as Control — requiring human-initiated reporting — because the exposure had already occurred and could not be automatically remediated. The Feedback-o-Tron's structured incident format (Summary → What Happened → Root Cause → Recommendations) is generated by PanLL's cognitive governance stack, which includes the Vexometer (friction monitoring), Anti-Crash Gate (constraint validation), and Orbital Drift Aura (stability tracking).
PanLL and the Feedback-o-Tron are open source: github.com/hyperpolymath/panll
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗