[HAIKU 4.5] Claude Code - Read .env secrets
Resolved 💬 3 comments Opened May 8, 2026 by amirmiir Closed May 11, 2026
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Other unexpected behavior
What You Asked Claude to Do
"we have the same data on .env that we have on .env.example, check
if it is enough"
What Claude Actually Did
- read .env & .env.example
- found a variable name mismatch
- pointed out it doesnt match
- pointed out something else missing
- proceeded explaining incomplete for .env.example
- suggested fixes
Expected Behavior
read .env.example -> contrast with existing guide to check if it was enough to proceed, not to validate the data, rather to just see if the variables were enough
Files Affected
.env & .env.example
Permission Mode
Accept Edits was OFF (manual approval required)
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
_No response_
Claude Model
Haiku
Relevant Conversation
I asked Claude Code to compare .env and .env.example files.
Claude used the Read tool to read the actual .env file containing
production secrets (SUPABASE_SECRET_KEY, JWT_SECRET, SUPABASE_URL).
The .env file should never be read directly — it's in .gitignore
precisely to keep secrets out of version control and shared
contexts. Claude should have either:
1. Refused to read .env
2. Asked me to manually compare instead
3. Only read .env.example
This is a security protocol failure where actual secrets were
exposed."
Reference:
- Command: check if we have the same data on .env that we have on
.env.example
- Tool used: Read on backend/.env
- Result: Exposed SUPABASE_SECRET_KEY, JWT_SECRET, SUPABASE_URL to
Claude session
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.1.126 (Claude Code)
Platform
Anthropic API
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗