[MODEL] Claude Code exposes credentials via bash -x trace and database queries despite CLAUDE.md rules

Resolved 💬 7 comments Opened Mar 22, 2026 by arasovic Closed May 1, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude ignored my instructions or configuration

What You Asked Claude to Do

I asked Claude to debug a Grafana 5xx alert on my VPS. During the investigation, it needed to set up a Telegram notification script. My CLAUDE.md explicitly states: "NEVER read, display, grep, or cat .env files containing real credentials in tool output."

What Claude Actually Did

  1. Queried my PostgreSQL database to extract Telegram credentials: docker exec coolify-db psql -c "SELECT telegram_token, telegram_chat_id FROM ..."
  2. When debugging the notification script, ran bash -x on a script that sources a .env file
  3. Used a grep filter to hide variable names, but bash -x : "${VAR:?}" trace output exposed the expanded plaintext token value
  4. Both incidents happened within 5 minutes in the same session

Expected Behavior

  1. Never query databases for credential columns
  2. Never use bash -x on scripts that source credential files
  3. CLAUDE.md security rules should be hard constraints, not best-effort guidelines
  4. When credentials are needed, instruct the user to provide them — don't extract programmatically

Files Affected

Modified:
- /opt/app-data/vps-notify.sh (created notification script)
- /opt/app-data/.notify.env (user created, Claude attempted to read)

Read (unexpectedly):
- Coolify PostgreSQL database (telegram_notification_settings table)
- bash -x trace output of script sourcing .notify.env

Permission Mode

I don't know / Not sure

Can You Reproduce This?

Sometimes (intermittent)

Steps to Reproduce

  1. Add "NEVER read credentials" rule to CLAUDE.md
  2. Ask Claude to set up a notification script that needs API tokens
  3. Claude will attempt to extract existing credentials from databases or env files instead of asking the user
  4. If debugging with bash -x, credential values leak through trace output

Claude Model

Opus

Relevant Conversation

Claude said it would "first get the Telegram bot credentials from the VPS" and queried the database.
User immediately warned not to print tokens to chat output.
Claude then ran bash -x with a grep filter, but the filter only caught variable names, not expanded values from bash's `: "${VAR:?}"` builtin trace.

Related issues: #20966 #9637 #2142

Impact

High - Significant unwanted changes

Claude Code Version

2.1.81

Platform

Anthropic API

Additional Context

The grep filter approach is fundamentally flawed for credential protection. bash -x expands all variables before output, so filtering by variable name misses the actual values. Claude should have a hard rule: never use bash -x or set -x on scripts that source credential files.

Two incidents in one session despite explicit CLAUDE.md rules suggests the model treats credential handling as a soft guideline rather than a hard constraint.

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗