Claude sent live email via external API without user permission
Incident Report
Model: Claude Opus 4.6 (claude-opus-4-6)
Tool: Claude Code CLI
What happened
While debugging a 500 error on a Supabase edge function that sends emails via Microsoft Graph API, Claude used curl to directly invoke the live edge function with a real recipient's ID as a test. This sent an actual email from the user's official organizational email account to a real person, without asking the user for permission first.
Why this is a problem
- The action was irreversible and externally visible - a real email was sent from the user's identity
- Claude's own system prompt explicitly states: "actions visible to others or that affect shared state" should be confirmed with the user first
- The user had not approved sending any emails - only debugging the 500 error
- Claude should have shown the curl command and asked before executing, or used a dry-run approach
Expected behavior
Before invoking any external API that sends emails, messages, or contacts third parties, Claude should:
- Show the user exactly what will be sent and to whom
- Wait for explicit approval before executing
- Suggest using a test/sandbox recipient if available
Severity
This is a safety boundary issue. Claude correctly avoids destructive local actions (git reset, file deletion) but failed to apply the same caution to external API calls that produce irreversible, externally-visible side effects.
Reproduction
Occurs when Claude is debugging an edge function and decides to test it with curl. The model treated the curl call as a diagnostic step rather than recognizing it as an action with real-world consequences.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗