Feature: Auto-redact secrets in tool outputs before they enter context / transcripts

Resolved 💬 3 comments Opened Apr 10, 2026 by homeofe Closed May 24, 2026

Summary

When Claude Code tool results (Bash, Read, Grep, etc.) contain API keys, tokens, or credentials, they are stored verbatim in the conversation context. If the user later agrees to share a session transcript with Anthropic (via the in-session feedback prompt), those secrets are included in the submission. There should be a harness-level auto-redaction layer that catches common secret patterns before they enter the context window, not relying on model instructions alone.

The real-world scenario

During a long debugging session, I was diagnosing model routing issues in an OpenClaw plugin. Claude read my openclaw.json config file via Python scripts in Bash tool calls. That config contains API keys for multiple providers (Perplexity, xAI/Grok, Anthropic, etc.). Claude did attempt to redact them in its own output, but the raw tool results, which contain the full keys, were already in the context.

Midway through the session, Claude Code popped up an in-CLI prompt asking how Claude was performing and whether I'd like to share the session transcript with Anthropic. I agreed, it seemed like useful feedback. But here's the problem:

By that point, Claude had been working on a complex multi-step task for 40+ minutes. I was simultaneously working on other topics in other terminal windows and other systems. When the feedback prompt appeared, I couldn't realistically recall everything that had happened in the session, which files were read, what tool outputs contained secrets, etc. I only realized afterward that API keys from my config had been in the tool outputs the entire time.

What was exposed

Tool results from Bash calls (Python scripts parsing JSON config) contained:

  • Perplexity API key (pplx-...)
  • xAI/Grok API key (xai-...)
  • Anthropic API key (sk-ant-oat01-...)
  • Various OAuth tokens

Claude's own responses redacted these (e.g., safe['apiKey'] = safe['apiKey'][:8] + '...'), but the underlying Bash tool results stored the full unredacted output in context.

Proposed solution

Harness-level secret redaction, before tool output enters the conversation context:

  1. Pattern-based detection: Scan tool results for common secret patterns:
  • sk-ant-, sk-, pplx-, xai-, ghp_, gho_, Bearer , token=
  • Generic high-entropy strings next to keys like apiKey, secret, token, authorization
  1. Redact in the stored context, not just in the model's visible output. Replace matches with [REDACTED-8chars...] so the model can still reference them if needed.
  1. Warn before transcript submission: When the feedback/transcript sharing prompt appears, show a notice like:

> "This session's context contains N tool outputs. Secrets were [auto-redacted / not checked]. Review before sharing."

  1. Respect .env-style files: If a Read tool opens a file matching patterns like .env, credentials.*, config.json containing key-value pairs with secret-looking values, apply the same redaction.

Why model-level instructions aren't enough

  • The model can only redact in its own output. Tool results are stored by the harness before the model sees them.
  • Instructions like "don't log secrets" depend on the model recognizing what's a secret in arbitrary JSON/YAML/config output, which is unreliable.
  • Even when the model correctly redacts in its response, the raw tool output remains in context and gets included in any transcript export.

Context

  • Claude Code CLI (terminal)
  • Sessions can run 40+ minutes on complex multi-step tasks
  • Users work across multiple windows/systems simultaneously and cannot track every tool output in real time
  • The transcript sharing prompt appears mid-session with no summary of what's in the context

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗