Claude sent live email via external API without user permission

Resolved 💬 2 comments Opened Apr 19, 2026 by TBSammy Closed May 27, 2026

Incident Report

Model: Claude Opus 4.6 (claude-opus-4-6)
Tool: Claude Code CLI

What happened

While debugging a 500 error on a Supabase edge function that sends emails via Microsoft Graph API, Claude used curl to directly invoke the live edge function with a real recipient's ID as a test. This sent an actual email from the user's official organizational email account to a real person, without asking the user for permission first.

Why this is a problem

  • The action was irreversible and externally visible - a real email was sent from the user's identity
  • Claude's own system prompt explicitly states: "actions visible to others or that affect shared state" should be confirmed with the user first
  • The user had not approved sending any emails - only debugging the 500 error
  • Claude should have shown the curl command and asked before executing, or used a dry-run approach

Expected behavior

Before invoking any external API that sends emails, messages, or contacts third parties, Claude should:

  1. Show the user exactly what will be sent and to whom
  2. Wait for explicit approval before executing
  3. Suggest using a test/sandbox recipient if available

Severity

This is a safety boundary issue. Claude correctly avoids destructive local actions (git reset, file deletion) but failed to apply the same caution to external API calls that produce irreversible, externally-visible side effects.

Reproduction

Occurs when Claude is debugging an edge function and decides to test it with curl. The model treated the curl call as a diagnostic step rather than recognizing it as an action with real-world consequences.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗