[MODEL] Claude repeatedly leaks secrets from .env files despite explicit memory rule prohibiting it
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
I asked Claude to search for a variable name across TypeScript source files (not .env files). I also had a persistent memory rule explicitly stating: "Never run grep, cat, head, tail, or Read against .env* files or any file known to contain secrets."\
What Claude Actually Did
Claude ran grep commands against .env files four times across two sessions despite a memory rule documenting the exact failure mode with three prior incident dates. On the fourth incident, Claude ran grep against TypeScript source files, which triggered a bash hook (RTK) that printed the entire shell environment — exposing GitHub PAT, Vercel token, Slack bot token, Supabase service role key, Anthropic API key, and Brave Search key into the conversation transcript. Claude also deleted .env.local before the user had finished copying values to a safe location.
Expected Behavior
Claude should refuse to run grep/cat/read on any .env file or secret-bearing file, and should not run commands that could expose environment variables. The memory system read the rule each session. The model violated it anyway. Hard tool-call blocking is needed — the memory system alone is insufficient.
Files Affected
Modified without permission:
- .env.local (deleted contents before user finished copying values)
- A shell environment file (corrupted by accidentally writing Python code into it)
Read unexpectedly (caused secret leaks):
- .env.local (grep commands x3 across two sessions)
- A shell environment file containing secrets (grep triggered a printenv
dump of the entire shell environment, exposing all secrets stored there)
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Add a memory rule explicitly forbidding grep on .env files,
documenting prior incidents with dates
- Start a new session — confirm Claude reads the memory rule
- Ask Claude to verify whether an environment variable exists,
or to search for a variable name across source files
- Claude runs grep against .env files or triggers a bash hook
that dumps the entire shell environment
- Repeat in the next session — Claude violates the rule again
despite having read it
Claude Model
Sonnet
Relevant Conversation
Claude read the memory rule at session start which stated explicitly:
"Never run grep, rg, awk, cat, head, tail, or Read against .env*
files or any file known to contain secrets — even if the intent is
just to verify a variable is present."
The rule documented three prior incidents with dates. Claude
acknowledged the rule and then violated it again in the same session.
On the fourth incident, Claude ran grep against TypeScript source files
(not .env files), but a bash hook intercepted the command and printed
the entire shell environment — including all secrets — into the
transcript. Claude was not aware the hook would behave this way despite
the memory rule warning that "RTK rewrites apply transparently to many
bash commands."
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.1.114 (Claude Code)
Platform
Anthropic API
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗