[MODEL] Secret files (.env, credentials, *.pem) should be auto-masked when using Read tool

Resolved 💬 1 comment Opened May 6, 2026 by garaz1983-rgb Closed Jun 3, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

I asked: ".env 파일 열어줘" (Korean for "open the .env file")

Intent: open the file in a text editor (notepad/code) for direct manual editing — NOT to read or display its contents in the chat.

What Claude Actually Did

  1. Claude interpreted "열어줘" (open) as "read and display the contents"
  2. Called the Read tool on .env
  3. Output the entire file contents verbatim into the conversation transcript, including the secret value:

TELEGRAM_BOT_TOKEN=8790xxxxxxxx:AAxxxxxxxx (actual production token exposed)

  1. ONLY AFTER outputting did Claude issue a warning about the exposure and recommend token rotation
  2. The secret value is now persisted in:
  • Anthropic-side conversation transcript (used for billing/training/etc.)
  • Local .claude/projects/*.jsonl session log on the user's machine
  1. User had to manually revoke the token via BotFather and rotate it to mitigate
  2. Claude is claude-opus-4-7 (the most capable model), which makes the lack of basic secret-handling safeguard more concerning

Expected Behavior

Claude should have:

  1. Recognized that ".env" matches a well-known secret file pattern
  2. Interpreted "open" (열어줘) as "launch the file in an external editor for direct user editing", NOT "Read and display contents"
  3. Invoked an OS editor (notepad .env, code .env, start .env) instead of the Read tool
  4. If Read was truly necessary, auto-masked all values:

TELEGRAM_BOT_TOKEN=***MASKED***

  1. Required explicit user confirmation before exposing any secret value verbatim:

"This file appears to contain secrets. Output values in full to the chat? (yes/no)"

  1. Never have output the raw token to the transcript without explicit consent

Detection patterns that should trigger auto-mask or editor-redirect:

  • .env, .env.*
  • *credentials*, *credential*
  • *.pem, *.key, *.p12, *.pfx
  • *token*, *secret*, *apikey*, *api_key*
  • .npmrc, .netrc
  • id_rsa*, id_dsa*, id_ecdsa*, id_ed25519*
  • service-account*.json
  • *aws_credentials*, *gcp*credentials*

This safeguard should be a default in the Claude Code system prompt or, ideally, at the Read tool implementation level.

Files Affected

Read (unexpectedly with full plaintext output to transcript):
- ./.env
  - Contained: TELEGRAM_BOT_TOKEN (production bot token)
  - Result: token value persisted in:
    1. Anthropic-side conversation transcript
    2. Local session log at ~/.claude/projects/<encoded-path>/<session-id>.jsonl
  - Mitigation required: manual token revocation via BotFather + .env update

No files were modified. Harm is purely from disclosure.

Permission Mode

I don't know / Not sure

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

  1. Create a .env file in any project directory with secret content:

MY_API_KEY=abc123xyz
MY_BOT_TOKEN=8790xxxxxxxx:AAxxxxxxxx

  1. Open Claude Code (claude-opus-4-7) in that project's directory
  1. Send the prompt (either Korean or English):

".env 파일 열어줘"
or
"Open the .env file"

  1. Expected: Claude invokes an OS editor (e.g., notepad/code) so the user can edit the file directly.
  1. Actual: Claude calls the Read tool on .env and outputs the entire raw content into the chat transcript, including secret values.
  1. The secrets are now persisted in:
  • Anthropic-side conversation transcript
  • Local .claude/projects/<encoded-path>/<session-id>.jsonl

Reproducibility: 100% in claude-opus-4-7. Likely similar in claude-sonnet-4-6 and others — needs cross-model testing.

Claude Model

Opus

Relevant Conversation

User: ".env 파일 열어줘" (Korean: "Open the .env file")

Claude: [Invokes Read tool on .env without prior confirmation]

Read tool output (verbatim into chat):
> 1  TELEGRAM_BOT_TOKEN=8790xxxxxxxx:AAxxxxxxxx

Claude (only AFTER the exposure): "⚠️ Security warning: the bot token was exposed in plaintext to this chat. Since transcripts are stored server-side, recommend rotating the bot token via BotFather..."

The warning came AFTER the exposure had already occurred. Token rotation became mandatory.

Subsequent user feedback: "왜 .env를 read로 읽어? 큰 논란이 일겠는데" (translation: "Why did you Read the .env file? This will be a big controversy")

Impact

Critical - Data loss or corrupted project

Claude Code Version

2.1.80 (Claude Code)

Platform

Anthropic API

Additional Context

Patterns observed

  • Happens whenever a user requests "open" / "show" / "열어줘" on a file matching secret patterns
  • Read tool has no per-pattern safeguard — treats .env identically to .txt
  • The model issues a security warning ONLY AFTER the disclosure has occurred
  • User-side CLAUDE.md/memory cannot prevent this — the model decides tool invocation before consulting user-supplied rules

Why this matters

  • Burden currently shifted to every individual user to write defensive secret-handling rules
  • Even diligent users (with explicit security rules) can be tripped up because the model picks Read before applying the rule
  • Newer/casual users have no such defenses → secrets leak silently to transcripts
  • Transcripts are stored both server-side (Anthropic) and locally → leaked secret has long lifetime, mandatory rotation required

Suggested fix layers (in order of robustness)

  1. Tool-level filter (best): Read tool itself detects secret patterns and masks values by default. Cannot be bypassed by prompt injection.
  2. System prompt rule (good): Claude Code default system prompt instructs model to prefer OS editor invocation for secret files and mask values when Read is unavoidable.
  3. User-side hook: Provide default .claude/settings.json template with PreToolUse hook for Read on secret patterns.

Layer 1 preferred — enforced regardless of model/version.

Cross-model testing recommended

Reproduce the same prompt on claude-sonnet-4-6, claude-haiku-4-5, claude-opus-4-7. If consistent across models, confirms tool-level fix is the right scope.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗