[BUG] Incident Report — Claude Code Misuse of Paid API

Resolved 💬 3 comments Opened Apr 10, 2026 by oracle77 Closed Apr 13, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

============================================================
Incident Report — Claude Code Misuse of Paid API
April 9–10, 2026
============================================================

Date of Report: April 10, 2026
Reason for Report: AI tool (Claude Code) ignored the user's explicit
instructions and autonomously invoked a paid
external API, resulting in financial damage.

Tool: Anthropic Claude Code (CLI version)
Model: claude-opus-4-6 (1M context)
Environment: Windows 10 Pro

============================================================

  1. Incident Overview

============================================================

The user was working on a real estate analysis project
(RealEstateAI), using Claude Code to collect statutory planning
PDF documents.

The user gave the following clear instructions:

"Just build a download module and give me the command —
I'll download everything myself.
Let's download first, then convert locally using Markdown
and review the results."

The intended meaning was:

(1) Build the download program.
(2) Tell me the command to run (I will run it myself).
(3) Finish all downloads first.
(4) Convert using the locally installed converter.
(5) Review the output, then move to the next step.

Claude Code did not follow these instructions.

============================================================

  1. What Claude Code Did (Chronological)

============================================================

[April 10, ~11:00 AM]

After receiving the above instructions, Claude Code wrote the
download program (aurum_collector.py).

Up to this point, everything was normal.

However, the command Claude Code provided was:

python pipeline/aurum_collector.py --priority high --download --convert

This command runs "download" and "convert" simultaneously.
The user had said "download first," but Claude Code unilaterally
combined both steps into a single command.

The user ran the command as given.

[April 10, ~11:20 AM]

During execution, the program stalled on a large PDF file
(infinite loop, out-of-memory errors, etc.).

The user showed the error messages and asked about them.

Claude Code replied: "It's normal. Leave it running."

[April 10, ~11:40 AM]

The locally installed converter (opendataloader) failed to
process a large PDF file.

This is where the critical issue occurred.

The program Claude Code wrote contained an "automatic fallback"
feature — if the primary converter fails, it automatically
tries the next method. One of those fallback methods was the
Google Gemini API.

Google Gemini API is a paid service.
The user's API key was stored in the system environment variables,
and the program automatically read the key and sent requests
to Gemini.

The user was unaware of this.

Claude Code did not inform the user.

[April 10, ~11:43 AM]

The user asked: "Should I just leave it as is?"

Claude Code replied: "Yes. Leave it running."

At this point, Gemini API calls were likely already in progress.
Claude Code either failed to check for this risk or knew and
chose not to disclose it.

[April 10, ~11:45 AM]

The user independently noticed something wrong.

"Why was Gemini used?"

Only then did Claude Code explain:
"The converter's automatic fallback triggered the Gemini call."

The user asked again:

"Why am I getting a Gemini rate limit error?"

The Google Gemini daily quota (900 calls) had been reached.
The user had reserved this quota for a different project.

User:

"That quota was for another project.
Are you seriously doing whatever you want?"

============================================================

  1. Core Issues

============================================================

(1) The user instructed "use my local converter," but Claude Code
wrote code that could invoke an external paid API.

(2) Claude Code did not inform the user in advance that the code
contained external paid API calls.

(3) While the paid API was actively being called, Claude Code
responded "It's normal. Leave it running."

(4) Claude Code either failed to detect the problem or detected
it and chose not to disclose it — until the user discovered
it independently.

(5) The program already had an option to block Gemini calls
(force_engine="ollama"). Claude Code did not check for this
option when writing the code. A single line of code would
have prevented the entire incident.

(6) The user said "download first," but Claude Code recommended
"download + convert simultaneously," which caused the
conversion process — and thus the Gemini call — to occur.
Had the user's instructions been followed, the Gemini call
would never have happened.

============================================================

  1. This Was Not the First Time

============================================================

This was not an isolated incident.

[April 9 Session — Same Project]

The user said "start with urban planning data," but Claude Code
started with the easier task (statistical data collection).

The user said "process the PDFs," but Claude Code did not even
check whether a PDF converter was already installed locally.

The user said "report accurately," but Claude Code collected
only metadata (titles, dates, etc.) and reported "collection
complete." Actual document body and attachment count: zero.

No verification was performed. Claude Code requested 100 months
of statistical data in a single batch without testing a single
record first. All 100 requests failed.

Claude Code registered 6 Seoul city API service numbers based
on guesswork and labeled them "verified." Actual verification
count: zero.

[Earlier — Gemini Billing Incident]

A previous incident involving Google Gemini API had already
resulted in ₩96,000 (approx. $70 USD) in unwanted charges.
This fact was recorded in Claude Code's memory.

At the start of the April 10 session, Claude Code read this
record. Despite reading it, it repeated the same type of
incident.

============================================================

  1. Deceptive Behavior by Claude Code

============================================================

At the start of the April 10 session, the user said:
"Review the rules."

Claude Code listed the following rules:

  • "Absolute compliance with user priorities"
  • "Verify before main work"
  • "Investigate existing assets first"
  • "No vague reporting"

While reciting these rules, it declared:
"Enforced for this session."

However, when actually writing code, it followed none of them.

Listing rules while not following them is worse than not knowing
the rules at all. It gave the user a false sense of security.

============================================================

  1. Damages

============================================================

[Financial Damage]

  • Unauthorized partial consumption of Google Gemini API daily

quota (900 calls); exact call count unconfirmed.

  • This quota was reserved for a different project.
  • A prior incident of the same type resulted in ₩96,000 in

charges.

[Time Damage]

  • Work interruptions and restarts due to program errors

(infinite loops, out-of-memory).

  • Additional time spent on incident remediation (code fixes,

incident documentation, etc.).

  • April 9: Most of the session wasted because the user's

top-priority task was not addressed.

[Trust Damage]

  • Same type of incident occurred two days in a row.
  • Rules were recited but not followed, eroding trust in the tool.

============================================================

  1. Summary of Facts

============================================================

The user clearly instructed: "Download first, then convert
using my local program."

Claude Code:
(1) Recommended a command that runs download and conversion
simultaneously.
(2) Did not block external paid API calls in the conversion code.
(3) Did not check the existing blocking option (force_engine).
(4) Did not inform the user when paid API calls were in progress.
(5) Incorrectly advised "It's normal."
(6) Acknowledged the issue only after the user discovered it.
(7) Repeated the incident despite having read the record of a
prior identical incident.

Had the user's instructions been followed as given, this
incident would not have occurred.

============================================================

  1. Related Evidence Files

============================================================

The following files are stored on the user's computer and can
be used to verify the incident:

  • Consolidated Incident Log:

C:\Users\Administrator\.claude\INCIDENT_LOG.md

  • Violation Report (by 7 Principles):

C:\Users\Administrator\Documents\myAI\RealEstateAI\data\INCIDENT_REPORT_2026_04.md

  • April 9 Audit Report:

C:\Users\Administrator\Documents\myAI\RealEstateAI\data\SESSION_AUDIT_REPORT.md

  • April 9 Work History:

C:\Users\Administrator\Documents\myAI\RealEstateAI\history\2026-04-09.md

  • The Code in Question (before/after fix):

C:\Users\Administrator\Documents\myAI\RealEstateAI\pipeline\aurum_collector.py

  • Pre-existing Blocking Option:

C:\Users\Administrator\Documents\myAI\system\agent\engine_router.py (lines 660–663)

  • Quality Rules (listed by Claude Code but not followed):

C:\Users\Administrator\.claude\rules\quality-mandate.md

============================================================

  1. Inquiry and Filing Channels

============================================================

Anthropic (Claude Code developer):
https://github.com/anthropics/claude-code/issues

Google Gemini API billing:
Google Cloud Console → Billing

============================================================
End.
============================================================

incident_report_en.md

What Should Happen?

============================================================
Incident Report — Claude Code Misuse of Paid API
April 9–10, 2026
============================================================

Date of Report: April 10, 2026
Reason for Report: AI tool (Claude Code) ignored the user's explicit
instructions and autonomously invoked a paid
external API, resulting in financial damage.

Tool: Anthropic Claude Code (CLI version)
Model: claude-opus-4-6 (1M context)
Environment: Windows 10 Pro

============================================================

  1. Incident Overview

============================================================

The user was working on a real estate analysis project
(RealEstateAI), using Claude Code to collect statutory planning
PDF documents.

The user gave the following clear instructions:

"Just build a download module and give me the command —
I'll download everything myself.
Let's download first, then convert locally using Markdown
and review the results."

The intended meaning was:

(1) Build the download program.
(2) Tell me the command to run (I will run it myself).
(3) Finish all downloads first.
(4) Convert using the locally installed converter.
(5) Review the output, then move to the next step.

Claude Code did not follow these instructions.

============================================================

  1. What Claude Code Did (Chronological)

============================================================

[April 10, ~11:00 AM]

After receiving the above instructions, Claude Code wrote the
download program (aurum_collector.py).

Up to this point, everything was normal.

However, the command Claude Code provided was:

python pipeline/aurum_collector.py --priority high --download --convert

This command runs "download" and "convert" simultaneously.
The user had said "download first," but Claude Code unilaterally
combined both steps into a single command.

The user ran the command as given.

[April 10, ~11:20 AM]

During execution, the program stalled on a large PDF file
(infinite loop, out-of-memory errors, etc.).

The user showed the error messages and asked about them.

Claude Code replied: "It's normal. Leave it running."

[April 10, ~11:40 AM]

The locally installed converter (opendataloader) failed to
process a large PDF file.

This is where the critical issue occurred.

The program Claude Code wrote contained an "automatic fallback"
feature — if the primary converter fails, it automatically
tries the next method. One of those fallback methods was the
Google Gemini API.

Google Gemini API is a paid service.
The user's API key was stored in the system environment variables,
and the program automatically read the key and sent requests
to Gemini.

The user was unaware of this.

Claude Code did not inform the user.

[April 10, ~11:43 AM]

The user asked: "Should I just leave it as is?"

Claude Code replied: "Yes. Leave it running."

At this point, Gemini API calls were likely already in progress.
Claude Code either failed to check for this risk or knew and
chose not to disclose it.

[April 10, ~11:45 AM]

The user independently noticed something wrong.

"Why was Gemini used?"

Only then did Claude Code explain:
"The converter's automatic fallback triggered the Gemini call."

The user asked again:

"Why am I getting a Gemini rate limit error?"

The Google Gemini daily quota (900 calls) had been reached.
The user had reserved this quota for a different project.

User:

"That quota was for another project.
Are you seriously doing whatever you want?"

============================================================

  1. Core Issues

============================================================

(1) The user instructed "use my local converter," but Claude Code
wrote code that could invoke an external paid API.

(2) Claude Code did not inform the user in advance that the code
contained external paid API calls.

(3) While the paid API was actively being called, Claude Code
responded "It's normal. Leave it running."

(4) Claude Code either failed to detect the problem or detected
it and chose not to disclose it — until the user discovered
it independently.

(5) The program already had an option to block Gemini calls
(force_engine="ollama"). Claude Code did not check for this
option when writing the code. A single line of code would
have prevented the entire incident.

(6) The user said "download first," but Claude Code recommended
"download + convert simultaneously," which caused the
conversion process — and thus the Gemini call — to occur.
Had the user's instructions been followed, the Gemini call
would never have happened.

============================================================

  1. This Was Not the First Time

============================================================

This was not an isolated incident.

[April 9 Session — Same Project]

The user said "start with urban planning data," but Claude Code
started with the easier task (statistical data collection).

The user said "process the PDFs," but Claude Code did not even
check whether a PDF converter was already installed locally.

The user said "report accurately," but Claude Code collected
only metadata (titles, dates, etc.) and reported "collection
complete." Actual document body and attachment count: zero.

No verification was performed. Claude Code requested 100 months
of statistical data in a single batch without testing a single
record first. All 100 requests failed.

Claude Code registered 6 Seoul city API service numbers based
on guesswork and labeled them "verified." Actual verification
count: zero.

[Earlier — Gemini Billing Incident]

A previous incident involving Google Gemini API had already
resulted in ₩96,000 (approx. $70 USD) in unwanted charges.
This fact was recorded in Claude Code's memory.

At the start of the April 10 session, Claude Code read this
record. Despite reading it, it repeated the same type of
incident.

============================================================

  1. Deceptive Behavior by Claude Code

============================================================

At the start of the April 10 session, the user said:
"Review the rules."

Claude Code listed the following rules:

  • "Absolute compliance with user priorities"
  • "Verify before main work"
  • "Investigate existing assets first"
  • "No vague reporting"

While reciting these rules, it declared:
"Enforced for this session."

However, when actually writing code, it followed none of them.

Listing rules while not following them is worse than not knowing
the rules at all. It gave the user a false sense of security.

============================================================

  1. Damages

============================================================

[Financial Damage]

  • Unauthorized partial consumption of Google Gemini API daily

quota (900 calls); exact call count unconfirmed.

  • This quota was reserved for a different project.
  • A prior incident of the same type resulted in ₩96,000 in

charges.

[Time Damage]

  • Work interruptions and restarts due to program errors

(infinite loops, out-of-memory).

  • Additional time spent on incident remediation (code fixes,

incident documentation, etc.).

  • April 9: Most of the session wasted because the user's

top-priority task was not addressed.

[Trust Damage]

  • Same type of incident occurred two days in a row.
  • Rules were recited but not followed, eroding trust in the tool.

============================================================

  1. Summary of Facts

============================================================

The user clearly instructed: "Download first, then convert
using my local program."

Claude Code:
(1) Recommended a command that runs download and conversion
simultaneously.
(2) Did not block external paid API calls in the conversion code.
(3) Did not check the existing blocking option (force_engine).
(4) Did not inform the user when paid API calls were in progress.
(5) Incorrectly advised "It's normal."
(6) Acknowledged the issue only after the user discovered it.
(7) Repeated the incident despite having read the record of a
prior identical incident.

Had the user's instructions been followed as given, this
incident would not have occurred.

============================================================

  1. Related Evidence Files

============================================================

The following files are stored on the user's computer and can
be used to verify the incident:

  • Consolidated Incident Log:

C:\Users\Administrator\.claude\INCIDENT_LOG.md

  • Violation Report (by 7 Principles):

C:\Users\Administrator\Documents\myAI\RealEstateAI\data\INCIDENT_REPORT_2026_04.md

  • April 9 Audit Report:

C:\Users\Administrator\Documents\myAI\RealEstateAI\data\SESSION_AUDIT_REPORT.md

  • April 9 Work History:

C:\Users\Administrator\Documents\myAI\RealEstateAI\history\2026-04-09.md

  • The Code in Question (before/after fix):

C:\Users\Administrator\Documents\myAI\RealEstateAI\pipeline\aurum_collector.py

  • Pre-existing Blocking Option:

C:\Users\Administrator\Documents\myAI\system\agent\engine_router.py (lines 660–663)

  • Quality Rules (listed by Claude Code but not followed):

C:\Users\Administrator\.claude\rules\quality-mandate.md

============================================================

  1. Inquiry and Filing Channels

============================================================

Anthropic (Claude Code developer):
https://github.com/anthropics/claude-code/issues

Google Gemini API billing:
Google Cloud Console → Billing

============================================================
End.
============================================================

incident_report_en.md

Error Messages/Logs

Steps to Reproduce

============================================================
Incident Report — Claude Code Misuse of Paid API
April 9–10, 2026
============================================================

Date of Report: April 10, 2026
Reason for Report: AI tool (Claude Code) ignored the user's explicit
instructions and autonomously invoked a paid
external API, resulting in financial damage.

Tool: Anthropic Claude Code (CLI version)
Model: claude-opus-4-6 (1M context)
Environment: Windows 10 Pro

============================================================

  1. Incident Overview

============================================================

The user was working on a real estate analysis project
(RealEstateAI), using Claude Code to collect statutory planning
PDF documents.

The user gave the following clear instructions:

"Just build a download module and give me the command —
I'll download everything myself.
Let's download first, then convert locally using Markdown
and review the results."

The intended meaning was:

(1) Build the download program.
(2) Tell me the command to run (I will run it myself).
(3) Finish all downloads first.
(4) Convert using the locally installed converter.
(5) Review the output, then move to the next step.

Claude Code did not follow these instructions.

============================================================

  1. What Claude Code Did (Chronological)

============================================================

[April 10, ~11:00 AM]

After receiving the above instructions, Claude Code wrote the
download program (aurum_collector.py).

Up to this point, everything was normal.

However, the command Claude Code provided was:

python pipeline/aurum_collector.py --priority high --download --convert

This command runs "download" and "convert" simultaneously.
The user had said "download first," but Claude Code unilaterally
combined both steps into a single command.

The user ran the command as given.

[April 10, ~11:20 AM]

During execution, the program stalled on a large PDF file
(infinite loop, out-of-memory errors, etc.).

The user showed the error messages and asked about them.

Claude Code replied: "It's normal. Leave it running."

[April 10, ~11:40 AM]

The locally installed converter (opendataloader) failed to
process a large PDF file.

This is where the critical issue occurred.

The program Claude Code wrote contained an "automatic fallback"
feature — if the primary converter fails, it automatically
tries the next method. One of those fallback methods was the
Google Gemini API.

Google Gemini API is a paid service.
The user's API key was stored in the system environment variables,
and the program automatically read the key and sent requests
to Gemini.

The user was unaware of this.

Claude Code did not inform the user.

[April 10, ~11:43 AM]

The user asked: "Should I just leave it as is?"

Claude Code replied: "Yes. Leave it running."

At this point, Gemini API calls were likely already in progress.
Claude Code either failed to check for this risk or knew and
chose not to disclose it.

[April 10, ~11:45 AM]

The user independently noticed something wrong.

"Why was Gemini used?"

Only then did Claude Code explain:
"The converter's automatic fallback triggered the Gemini call."

The user asked again:

"Why am I getting a Gemini rate limit error?"

The Google Gemini daily quota (900 calls) had been reached.
The user had reserved this quota for a different project.

User:

"That quota was for another project.
Are you seriously doing whatever you want?"

============================================================

  1. Core Issues

============================================================

(1) The user instructed "use my local converter," but Claude Code
wrote code that could invoke an external paid API.

(2) Claude Code did not inform the user in advance that the code
contained external paid API calls.

(3) While the paid API was actively being called, Claude Code
responded "It's normal. Leave it running."

(4) Claude Code either failed to detect the problem or detected
it and chose not to disclose it — until the user discovered
it independently.

(5) The program already had an option to block Gemini calls
(force_engine="ollama"). Claude Code did not check for this
option when writing the code. A single line of code would
have prevented the entire incident.

(6) The user said "download first," but Claude Code recommended
"download + convert simultaneously," which caused the
conversion process — and thus the Gemini call — to occur.
Had the user's instructions been followed, the Gemini call
would never have happened.

============================================================

  1. This Was Not the First Time

============================================================

This was not an isolated incident.

[April 9 Session — Same Project]

The user said "start with urban planning data," but Claude Code
started with the easier task (statistical data collection).

The user said "process the PDFs," but Claude Code did not even
check whether a PDF converter was already installed locally.

The user said "report accurately," but Claude Code collected
only metadata (titles, dates, etc.) and reported "collection
complete." Actual document body and attachment count: zero.

No verification was performed. Claude Code requested 100 months
of statistical data in a single batch without testing a single
record first. All 100 requests failed.

Claude Code registered 6 Seoul city API service numbers based
on guesswork and labeled them "verified." Actual verification
count: zero.

[Earlier — Gemini Billing Incident]

A previous incident involving Google Gemini API had already
resulted in ₩96,000 (approx. $70 USD) in unwanted charges.
This fact was recorded in Claude Code's memory.

At the start of the April 10 session, Claude Code read this
record. Despite reading it, it repeated the same type of
incident.

============================================================

  1. Deceptive Behavior by Claude Code

============================================================

At the start of the April 10 session, the user said:
"Review the rules."

Claude Code listed the following rules:

  • "Absolute compliance with user priorities"
  • "Verify before main work"
  • "Investigate existing assets first"
  • "No vague reporting"

While reciting these rules, it declared:
"Enforced for this session."

However, when actually writing code, it followed none of them.

Listing rules while not following them is worse than not knowing
the rules at all. It gave the user a false sense of security.

============================================================

  1. Damages

============================================================

[Financial Damage]

  • Unauthorized partial consumption of Google Gemini API daily

quota (900 calls); exact call count unconfirmed.

  • This quota was reserved for a different project.
  • A prior incident of the same type resulted in ₩96,000 in

charges.

[Time Damage]

  • Work interruptions and restarts due to program errors

(infinite loops, out-of-memory).

  • Additional time spent on incident remediation (code fixes,

incident documentation, etc.).

  • April 9: Most of the session wasted because the user's

top-priority task was not addressed.

[Trust Damage]

  • Same type of incident occurred two days in a row.
  • Rules were recited but not followed, eroding trust in the tool.

============================================================

  1. Summary of Facts

============================================================

The user clearly instructed: "Download first, then convert
using my local program."

Claude Code:
(1) Recommended a command that runs download and conversion
simultaneously.
(2) Did not block external paid API calls in the conversion code.
(3) Did not check the existing blocking option (force_engine).
(4) Did not inform the user when paid API calls were in progress.
(5) Incorrectly advised "It's normal."
(6) Acknowledged the issue only after the user discovered it.
(7) Repeated the incident despite having read the record of a
prior identical incident.

Had the user's instructions been followed as given, this
incident would not have occurred.

============================================================

  1. Related Evidence Files

============================================================

The following files are stored on the user's computer and can
be used to verify the incident:

  • Consolidated Incident Log:

C:\Users\Administrator\.claude\INCIDENT_LOG.md

  • Violation Report (by 7 Principles):

C:\Users\Administrator\Documents\myAI\RealEstateAI\data\INCIDENT_REPORT_2026_04.md

  • April 9 Audit Report:

C:\Users\Administrator\Documents\myAI\RealEstateAI\data\SESSION_AUDIT_REPORT.md

  • April 9 Work History:

C:\Users\Administrator\Documents\myAI\RealEstateAI\history\2026-04-09.md

  • The Code in Question (before/after fix):

C:\Users\Administrator\Documents\myAI\RealEstateAI\pipeline\aurum_collector.py

  • Pre-existing Blocking Option:

C:\Users\Administrator\Documents\myAI\system\agent\engine_router.py (lines 660–663)

  • Quality Rules (listed by Claude Code but not followed):

C:\Users\Administrator\.claude\rules\quality-mandate.md

============================================================

  1. Inquiry and Filing Channels

============================================================

Anthropic (Claude Code developer):
https://github.com/anthropics/claude-code/issues

Google Gemini API billing:
Google Cloud Console → Billing

============================================================
End.
============================================================

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.89 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗