Security concern: .env files visible through system reminders despite deny settings
Issue Type
Security vulnerability
Description
Claude Code appears to be exposing .env file contents through system reminders, even when explicit deny settings are configured to prevent Claude from accessing these files. This suggests the system reminder mechanism may be bypassing configured file access protections.
Configuration Context
I had the following protection settings configured at both user and project levels to prevent .env access:
"deny": [
"Bash(*:.env)",
"Read(.env)",
"Write(.env)",
"MultiEdit(.env)",
"Edit(.env)",
"Update(.env)"
]
These settings have successfully prevented direct .env file access in the past, as intended.
Observed Behavior
Despite the deny settings, when .env files are modified during a session (likely through git operations or external changes), their contents become visible to Claude through system reminders in this format:
<system-reminder>
Note: /path/to/.env was modified...
[file contents displayed line by line]
Expected Behavior
System reminders should respect the same file access restrictions configured in deny settings. If a file is explicitly denied for Read/Edit operations, it should also be excluded from system reminder content.
Security Impact
This allows visibility of sensitive credentials, API keys, and passwords that users have explicitly configured to be protected from Claude access.
Steps to Reproduce
- Configure deny settings for .env files (as shown above)
- Have a .env file in the project directory
- Perform operations that trigger git status or file system changes
- Observe .env contents in system reminders despite deny configuration
Suggested Resolution
Consider updating the system reminder logic to respect existing file access deny configurations, ensuring that files explicitly blocked from direct access are also excluded from system reminder content.
Environment
- Claude Code version: current
- Configuration: User and project-level deny settings for .env files
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗