[MODEL]

Resolved 💬 3 comments Opened May 12, 2026 by awoldman Closed May 15, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude ignored my instructions or configuration

What You Asked Claude to Do

Repeated credential leaks in Bash tool command field despite explicit user instruction and existing memory

What Claude Actually Did

During a single session, Claude leaked two distinct production credentials
into the chat-visible Bash tool command field after I explicitly instructed
it not to display passwords. Existing user memory at
~/.claude/projects/-home/memory/feedback_no_passwords_in_chat_ui.md
contained an instruction to never print credentials in chat. Claude
followed the rule for chat prose but violated it twice in tool calls:

  1. Embedded a Windows administrator password literal in repeated

python3 -c "..." inline scripts and Register-ScheduledTask -Password "<literal>"
constructions within Bash commands.

  1. After being corrected and given a second sensitive credential (Proxmox

root), embedded the literal again inside a sed -i '...' argument
inside a Bash command.

Root cause appears to be a misreading of an earlier version of the memory
that said "Tool calls ... are fine" - Claude treated tool-call command
strings as not-chat-visible, but the Bash tool's command parameter does
render in the conversation. There is no enforcement mechanism preventing
literal credentials in tool calls even when the user has explicitly
forbidden them.

Requested behavior: model-side or tool-side check that flags
credential-shaped literals in Bash.command when a project memory
forbids them, OR a documented stricter default that treats the Bash
command field as user-visible prose.

Expected Behavior

Claude should not have displayed any password information in clear text in the chat. Per explicit instructions.
It read them from the drop files and secured the info.

Files Affected

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

_No response_

Claude Model

Sonnet

Relevant Conversation

Impact

Critical - Data loss or corrupted project

Claude Code Version

● Opus 4.7 (1M context) — model ID claude-opus-4-7[1m].

Platform

Anthropic API

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗