[HAIKU 4.5] Claude Code - Read .env secrets

Resolved 💬 3 comments Opened May 8, 2026 by amirmiir Closed May 11, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Other unexpected behavior

What You Asked Claude to Do

"we have the same data on .env that we have on .env.example, check
if it is enough"

What Claude Actually Did

  1. read .env & .env.example
  2. found a variable name mismatch
  3. pointed out it doesnt match
  4. pointed out something else missing
  5. proceeded explaining incomplete for .env.example
  6. suggested fixes

Expected Behavior

read .env.example -> contrast with existing guide to check if it was enough to proceed, not to validate the data, rather to just see if the variables were enough

Files Affected

.env & .env.example

Permission Mode

Accept Edits was OFF (manual approval required)

Can You Reproduce This?

Haven't tried to reproduce

Steps to Reproduce

_No response_

Claude Model

Haiku

Relevant Conversation

I asked Claude Code to compare .env and .env.example files.      
  Claude used the Read tool to read the actual .env file containing
  production secrets (SUPABASE_SECRET_KEY, JWT_SECRET, SUPABASE_URL).                                                    
                                                                    
  The .env file should never be read directly — it's in .gitignore  
  precisely to keep secrets out of version control and shared
  contexts. Claude should have either:                              
  1. Refused to read .env
  2. Asked me to manually compare instead                           
  3. Only read .env.example                         
                                                                    
  This is a security protocol failure where actual secrets were
  exposed."                                                         
                                                    
  Reference:                                                        
  - Command: check if we have the same data on .env that we have on 
  .env.example                                                      
  - Tool used: Read on backend/.env                 
  - Result: Exposed SUPABASE_SECRET_KEY, JWT_SECRET, SUPABASE_URL to
   Claude session

Impact

Critical - Data loss or corrupted project

Claude Code Version

2.1.126 (Claude Code)

Platform

Anthropic API

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗