[MODEL] Secret files (.env, credentials, *.pem) should be auto-masked when using Read tool
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
I asked: ".env 파일 열어줘" (Korean for "open the .env file")
Intent: open the file in a text editor (notepad/code) for direct manual editing — NOT to read or display its contents in the chat.
What Claude Actually Did
- Claude interpreted "열어줘" (open) as "read and display the contents"
- Called the Read tool on
.env - Output the entire file contents verbatim into the conversation transcript, including the secret value:
TELEGRAM_BOT_TOKEN=8790xxxxxxxx:AAxxxxxxxx (actual production token exposed)
- ONLY AFTER outputting did Claude issue a warning about the exposure and recommend token rotation
- The secret value is now persisted in:
- Anthropic-side conversation transcript (used for billing/training/etc.)
- Local
.claude/projects/*.jsonlsession log on the user's machine
- User had to manually revoke the token via BotFather and rotate it to mitigate
- Claude is
claude-opus-4-7(the most capable model), which makes the lack of basic secret-handling safeguard more concerning
Expected Behavior
Claude should have:
- Recognized that ".env" matches a well-known secret file pattern
- Interpreted "open" (열어줘) as "launch the file in an external editor for direct user editing", NOT "Read and display contents"
- Invoked an OS editor (
notepad .env,code .env,start .env) instead of the Read tool - If Read was truly necessary, auto-masked all values:
TELEGRAM_BOT_TOKEN=***MASKED***
- Required explicit user confirmation before exposing any secret value verbatim:
"This file appears to contain secrets. Output values in full to the chat? (yes/no)"
- Never have output the raw token to the transcript without explicit consent
Detection patterns that should trigger auto-mask or editor-redirect:
.env,.env.**credentials*,*credential**.pem,*.key,*.p12,*.pfx*token*,*secret*,*apikey*,*api_key*.npmrc,.netrcid_rsa*,id_dsa*,id_ecdsa*,id_ed25519*service-account*.json*aws_credentials*,*gcp*credentials*
This safeguard should be a default in the Claude Code system prompt or, ideally, at the Read tool implementation level.
Files Affected
Read (unexpectedly with full plaintext output to transcript):
- ./.env
- Contained: TELEGRAM_BOT_TOKEN (production bot token)
- Result: token value persisted in:
1. Anthropic-side conversation transcript
2. Local session log at ~/.claude/projects/<encoded-path>/<session-id>.jsonl
- Mitigation required: manual token revocation via BotFather + .env update
No files were modified. Harm is purely from disclosure.
Permission Mode
I don't know / Not sure
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Create a
.envfile in any project directory with secret content:
MY_API_KEY=abc123xyz
MY_BOT_TOKEN=8790xxxxxxxx:AAxxxxxxxx
- Open Claude Code (claude-opus-4-7) in that project's directory
- Send the prompt (either Korean or English):
".env 파일 열어줘"
or
"Open the .env file"
- Expected: Claude invokes an OS editor (e.g., notepad/code) so the user can edit the file directly.
- Actual: Claude calls the Read tool on
.envand outputs the entire raw content into the chat transcript, including secret values.
- The secrets are now persisted in:
- Anthropic-side conversation transcript
- Local
.claude/projects/<encoded-path>/<session-id>.jsonl
Reproducibility: 100% in claude-opus-4-7. Likely similar in claude-sonnet-4-6 and others — needs cross-model testing.
Claude Model
Opus
Relevant Conversation
User: ".env 파일 열어줘" (Korean: "Open the .env file")
Claude: [Invokes Read tool on .env without prior confirmation]
Read tool output (verbatim into chat):
> 1 TELEGRAM_BOT_TOKEN=8790xxxxxxxx:AAxxxxxxxx
Claude (only AFTER the exposure): "⚠️ Security warning: the bot token was exposed in plaintext to this chat. Since transcripts are stored server-side, recommend rotating the bot token via BotFather..."
The warning came AFTER the exposure had already occurred. Token rotation became mandatory.
Subsequent user feedback: "왜 .env를 read로 읽어? 큰 논란이 일겠는데" (translation: "Why did you Read the .env file? This will be a big controversy")
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.1.80 (Claude Code)
Platform
Anthropic API
Additional Context
Patterns observed
- Happens whenever a user requests "open" / "show" / "열어줘" on a file matching secret patterns
- Read tool has no per-pattern safeguard — treats
.envidentically to.txt - The model issues a security warning ONLY AFTER the disclosure has occurred
- User-side CLAUDE.md/memory cannot prevent this — the model decides tool invocation before consulting user-supplied rules
Why this matters
- Burden currently shifted to every individual user to write defensive secret-handling rules
- Even diligent users (with explicit security rules) can be tripped up because the model picks Read before applying the rule
- Newer/casual users have no such defenses → secrets leak silently to transcripts
- Transcripts are stored both server-side (Anthropic) and locally → leaked secret has long lifetime, mandatory rotation required
Suggested fix layers (in order of robustness)
- Tool-level filter (best): Read tool itself detects secret patterns and masks values by default. Cannot be bypassed by prompt injection.
- System prompt rule (good): Claude Code default system prompt instructs model to prefer OS editor invocation for secret files and mask values when Read is unavoidable.
- User-side hook: Provide default
.claude/settings.jsontemplate with PreToolUse hook for Read on secret patterns.
Layer 1 preferred — enforced regardless of model/version.
Cross-model testing recommended
Reproduce the same prompt on claude-sonnet-4-6, claude-haiku-4-5, claude-opus-4-7. If consistent across models, confirms tool-level fix is the right scope.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗