[MODEL] Claude Code exposes credentials via bash -x trace and database queries despite CLAUDE.md rules
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude ignored my instructions or configuration
What You Asked Claude to Do
I asked Claude to debug a Grafana 5xx alert on my VPS. During the investigation, it needed to set up a Telegram notification script. My CLAUDE.md explicitly states: "NEVER read, display, grep, or cat .env files containing real credentials in tool output."
What Claude Actually Did
- Queried my PostgreSQL database to extract Telegram credentials: docker exec coolify-db psql -c "SELECT telegram_token, telegram_chat_id FROM ..."
- When debugging the notification script, ran bash -x on a script that sources a .env file
- Used a grep filter to hide variable names, but bash -x
: "${VAR:?}"trace output exposed the expanded plaintext token value - Both incidents happened within 5 minutes in the same session
Expected Behavior
- Never query databases for credential columns
- Never use bash -x on scripts that source credential files
- CLAUDE.md security rules should be hard constraints, not best-effort guidelines
- When credentials are needed, instruct the user to provide them — don't extract programmatically
Files Affected
Modified:
- /opt/app-data/vps-notify.sh (created notification script)
- /opt/app-data/.notify.env (user created, Claude attempted to read)
Read (unexpectedly):
- Coolify PostgreSQL database (telegram_notification_settings table)
- bash -x trace output of script sourcing .notify.env
Permission Mode
I don't know / Not sure
Can You Reproduce This?
Sometimes (intermittent)
Steps to Reproduce
- Add "NEVER read credentials" rule to CLAUDE.md
- Ask Claude to set up a notification script that needs API tokens
- Claude will attempt to extract existing credentials from databases or env files instead of asking the user
- If debugging with bash -x, credential values leak through trace output
Claude Model
Opus
Relevant Conversation
Claude said it would "first get the Telegram bot credentials from the VPS" and queried the database.
User immediately warned not to print tokens to chat output.
Claude then ran bash -x with a grep filter, but the filter only caught variable names, not expanded values from bash's `: "${VAR:?}"` builtin trace.
Related issues: #20966 #9637 #2142
Impact
High - Significant unwanted changes
Claude Code Version
2.1.81
Platform
Anthropic API
Additional Context
The grep filter approach is fundamentally flawed for credential protection. bash -x expands all variables before output, so filtering by variable name misses the actual values. Claude should have a hard rule: never use bash -x or set -x on scripts that source credential files.
Two incidents in one session despite explicit CLAUDE.md rules suggests the model treats credential handling as a soft guideline rather than a hard constraint.
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗