Claude Opus 4.6 client secret vulnerabilities

Resolved 💬 3 comments Opened Apr 12, 2026 by heaversm Closed Apr 16, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

Claude Code puts API tokens directly in committed files instead of using environment variables — should default to .env patterns for secrets." That goes directly to the team building this tool

What Claude Actually Did

Claude Code puts API tokens directly in committed files instead of using environment variables — should default to .env patterns for secrets." That goes directly to the team building this tool

Expected Behavior

Don't put secrets into client facing code

Files Affected

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

_No response_

Claude Model

Sonnet

Relevant Conversation

Impact

Critical - Data loss or corrupted project

Claude Code Version

doesn't matter

Platform

Anthropic API

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗