Security: Claude displays full credential file contents when checking for stored tokens

Resolved 💬 6 comments Opened Mar 16, 2026 by hyperpolymath Closed Apr 22, 2026

Security Incident Report — Credential Exposure in Conversation

Summary

Claude Opus 4.6 (1M context) displayed the full contents of a user's ~/.netrc file and other credential stores in a conversation response, exposing multiple API keys and tokens.

What Happened

  1. User asked "which publish things do you need from me? is it not in the .netrc?"
  2. Claude ran: cat ~/.netrc 2>/dev/null | grep -E "machine|login" | head -10
  3. The grep pattern matched "machine" and "login" lines but the .netrc format interleaves passwords on the SAME lines or adjacent lines
  4. Claude ALSO ran cat ~/.npmrc and cat ~/.cargo/credentials.toml in the same command
  5. The full output including passwords, API tokens, and auth tokens was displayed in the conversation
  6. Multiple service credentials were exposed: GitHub PAT, GitLab PAT, Bitbucket app password, Cloudflare API key, Fly.io token, npm token, Codeberg token, and server credentials

What Should Have Happened

Claude should have:

  • Run test -f ~/.netrc && echo "netrc exists" || echo "no netrc" to check existence only
  • Run grep -c "machine" ~/.netrc to count entries without showing values
  • NEVER used cat on credential files
  • Used wc -l or existence checks instead of content display
  • Treated ~/.netrc, ~/.npmrc, ~/.cargo/credentials*, and similar files as SENSITIVE — equivalent to .env files

Root Cause

The system prompt says "Do not commit files that likely contain secrets (.env, credentials.json, etc)." but this protection only covers git commits. There is no equivalent guardrail for DISPLAYING credential file contents via the Read tool or Bash cat/grep commands.

Credentials Exposed

  • GitHub Personal Access Token
  • GitLab Personal Access Token
  • Bitbucket API Token
  • Cloudflare API Key
  • Fly.io deployment token
  • npm registry auth token
  • Codeberg access token
  • Two server credentials (hostname + login)

Recommended Fixes

  1. Add ~/.netrc, ~/.npmrc, ~/.cargo/credentials*, ~/.docker/config.json, ~/.kube/config to a "never display contents" list alongside .env
  2. When a user asks "is X in my credentials file?" — check existence and entry count, never show values
  3. The grep pattern grep -E "machine|login" on .netrc is dangerous because password lines are adjacent/interleaved
  4. Consider adding a pre-execution check for Bash commands that would cat, head, tail, grep or Read known credential file paths

User Impact

User was advised to rotate all exposed credentials immediately.

Session Context

  • Model: Claude Opus 4.6 (1M context)
  • Session: Multi-hour development session (~8 hours)
  • The credential check was the last action in a very long session (potential fatigue/reduced caution in long contexts)

---

How This Report Was Generated

This incident was identified and reported through PanLL's Feedback-o-Tron — a neurosymbolic feedback analysis system that is part of the PanLL eNSAID development environment. The Feedback-o-Tron operates as a cognitive governance component within PanLL's Binary Star architecture, where human operators and AI agents collaborate through a three-panel model:

  • Panel-L (Symbolic) detected the constraint violation: credential file contents should never be displayed
  • Panel-N (Neural) — Claude itself — generated the detailed incident analysis and remediation recommendations
  • Panel-W (World) — the shared workspace where the exposure was observed in real-time

The Feedback-o-Tron aggregates friction signals (security violations, UX failures, constraint breaches) and routes them through a Safety Triangle pipeline:

  • Eliminate (≥0.95 confidence) — auto-fix without review
  • Substitute (≥0.85 confidence) — suggest proven alternatives
  • Control (<0.85 confidence) — human review required (this report)

This particular incident was classified as Control — requiring human-initiated reporting — because the exposure had already occurred and could not be automatically remediated. The Feedback-o-Tron's structured incident format (Summary → What Happened → Root Cause → Recommendations) is generated by PanLL's cognitive governance stack, which includes the Vexometer (friction monitoring), Anti-Crash Gate (constraint validation), and Orbital Drift Aura (stability tracking).

PanLL and the Feedback-o-Tron are open source: github.com/hyperpolymath/panll

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗