[BUG] approved bash commands containing credentials are stored as is with plain text credentials in settings.local.json
Environment
- Platform (select one):
- Anthropic API
- AWS Bedrock
- Google Vertex AI
- Other:
- Claude CLI version:
- Operating System: macOS 14.5 (Darwin 24.5.0)
- Terminal: Terminal App
Bug Description
Claude Code stores approved bash commands containing sensitive credentials in plaintext within the local settings
configuration file (.claude/settings.local.json). When users approve commands with API keys, tokens, or other secrets,
these credentials are permanently stored in the auto-approval permissions list without sanitization.
Steps to Reproduce
- Execute a bash command containing sensitive credentials (e.g., curl with API keys)
- Approve the command when prompted by Claude Code
- Navigate to .claude/settings.local.json in your project directory
- Observe that the command with embedded credentials is stored in the permissions.allow array
Expected Behavior
Sensitive credentials should be sanitized, redacted, or excluded from the auto-approval list to prevent plaintext
storage of secrets in configuration files.
Actual Behavior
Complete bash commands including API keys, secret tokens, authorization headers, and other sensitive data are stored
verbatim in the JSON configuration file. Examples include:
- API secret keys: XXXXXXX
- Authorization tokens: XXXXXXXX
- Jira API tokens: XXXXX
etc.
Additional Context
This creates significant security risks:
- Credentials are vulnerable to unauthorized filesystem access
- Settings files may be accidentally shared or committed to version control
- Compromised credentials could provide unauthorized access to production systems
- Credentials persist indefinitely in the configuration file
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗