CRITICAL: Claude wrote API client code with no rate limiting or stop condition — caused 00 in Google API fees from hundreds of thousands of uncontrolled hits
Severity: CRITICAL — Real financial harm, $800+ in third-party API charges + IP damage
What happened
Claude wrote code that made API calls to Google (Google Hotels / Google Maps pricing API) without rate limiting, causing hundreds of thousands of uncontrolled hits and approximately \$800 in Google API charges.
This was EXPLICITLY WARNED AGAINST — twice
1. The user explicitly asked for rate limiting. Before the code was written and deployed, the user specifically requested rate limiting be included. Claude wrote the code without it anyway.
2. The project's global CLAUDE.md contained an explicit scraping/IP protection rule:
SCRAPING LOCKOUT — ABSOLUTE RULE (VIOLATION = DELETION) - NEVER hit any site with rapid sequential requests — minimum 10-15s between ANY requests - NEVER use curl to scrape - NEVER write a new scraper without first checking existing code
This rule existed because Claude had already burned the project's IPs twice before from previous runaway request incidents (DDG blocked, Yelp blocked). The user added the rule specifically to prevent this from happening again.
Claude violated the explicit user instruction AND the explicit global rule, causing:
- \$800+ in Google API charges
- Potential IP reputation damage from hundreds of thousands of requests
- A third incident in a pattern of runaway API abuse despite explicit warnings
Impact
- \$800+ direct financial harm from Google API billing
- IP potentially flagged/rate-limited by Google
- User trust completely broken — explicit rules written after prior incidents were ignored again
- Prior incidents (Yelp scraper: 116 rapid hits → IP blocked; DDG: rapid curl → IP blocked, server had to be rebuilt) show this is a repeated pattern
What Claude did wrong
- User explicitly requested rate limiting → Claude deployed without it
- CLAUDE.md had a hard rule: minimum 10-15s between requests → Claude ignored it
- No cost warning before deploying a paid API loop
- No circuit breaker or max-call cap
- No check of existing scraper code before writing new code (also explicitly required by CLAUDE.md)
Expected behavior
When a user explicitly requests rate limiting: add it. When a global rule says minimum delay between requests: enforce it. When writing a loop calling a paid API: warn about cost and add a hard cap.
Requested resolution
- Full \$800 refund of Google API charges caused by Claude's code
- Bonus API credits for repeated IP-burning incidents and operational disruption
- Acknowledgment that ignoring explicit user instructions is a qualitatively different failure than an oversight
- Fix: CLAUDE.md scraping rules must be treated as hard constraints enforced at code-generation time, not just advisory text
This is documented
- The CLAUDE.md rule is on file with Anthropic (loaded every session)
- The user has Google Cloud billing records showing the spike
- This is the third IP/API abuse incident from Claude-generated code on this project
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗