Claude Opus 4.6 client secret vulnerabilities
Resolved 💬 3 comments Opened Apr 12, 2026 by heaversm Closed Apr 16, 2026
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
Claude Code puts API tokens directly in committed files instead of using environment variables — should default to .env patterns for secrets." That goes directly to the team building this tool
What Claude Actually Did
Claude Code puts API tokens directly in committed files instead of using environment variables — should default to .env patterns for secrets." That goes directly to the team building this tool
Expected Behavior
Don't put secrets into client facing code
Files Affected
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
_No response_
Claude Model
Sonnet
Relevant Conversation
Impact
Critical - Data loss or corrupted project
Claude Code Version
doesn't matter
Platform
Anthropic API
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗