[BUG] Selection injection from `ide` MCP server has no documented suppression mechanism, leaks env file contents to conversation transport
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
When Claude Code is active in a VS Code session and the user selects text in any open editor, the Claude Code IDE extension's built-in ide MCP server emits a <system-reminder> to the conversation context containing the file path, the selected line range, and the literal selected text.
This injection happens silently and is not configurable through any documented setting. There is no .claudeignore-style mechanism, no extension setting, no CLI flag, and no environment variable that suppresses it for sensitive files.
The practical consequence is that any user with a .env file (or any other file containing secrets) open in VS Code can leak credentials to the conversation transport by performing a routine action like selecting a line to verify its contents.
Severity
I would characterize this as a real security exposure rather than a usability bug, for the following reasons:
- The behavior is silent. There is no UI indication that selection contents are being transmitted, and a user reading the docs has no reasonable way to discover the behavior before it has already leaked something.
- The behavior is automatic. It is not gated by a tool call, an
@mention, or any explicit user action other than selecting text — which is a routine editor operation users perform constantly without thinking of it as a transmission. - The data class affected (env files containing API keys, database credentials, etc.) is exactly the data class users most rely on the editor to handle privately.
- The class of users affected (developers using Claude Code on real projects) is the primary target audience for the product.
In my own case, this caused a real API key to be transmitted, requiring rotation of the key in question plus precautionary rotation of an unrelated key in the same file.
Investigation
I checked for any configuration that would suppress this and confirmed via the official Claude Code settings documentation at https://code.claude.com/docs/en/settings that none exists:
respectGitignore/respectGitIgnore— controls the@file picker, not selection injectionpermissions.denywithRead(./.env*)— blocks theReadtool, but theideMCP server's selection-injection channel is separate from theReadtoolsandbox.filesystem.denyRead— applies to sandboxed bash, not selection injection.claudeignore— does not exist
The gap appears to be undocumented and unconfigurable.
What Should Happen?
Users should be able to suppress selection injection for sensitive files.
The natural mechanism would be a .claudeignore file at the project root (or an equivalent settings.json key) that the ide MCP server consults before emitting selection reminders. Files matching the ignore patterns would have their selections silently dropped rather than injected into the conversation context.
A reasonable default ignore set could include .env, .env.*, and anything in secrets/**, with users free to extend the list. The fix needs to live specifically in the ide MCP server's selection-emission code path, not in the Read tool's permission-check path — the two channels are independent today and that independence is part of why existing permissions.deny rules don't help.
In the short term, even just documenting the selection-injection behavior clearly in the Claude Code settings docs would be a meaningful improvement. Users currently have no way to discover this behavior before it has already leaked something.
Error Messages/Logs
This bug produces no error output. The behavior is silent.
For reference, the form the unwanted `<system-reminder>` takes:
<system-reminder>
The user selected the lines N to M from /absolute/path/to/.env.local:
<literal selected text from the file>
This may or may not be related to the current task.
</system-reminder>
The selected text appears in the conversation context with no error, warning, or user-visible indication that transmission occurred.
Steps to Reproduce
- Use Claude Code via the VS Code extension on a project that includes a
.envor.env.localfile containing real values (use a throwaway value for testing, not a production secret). - In VS Code, open the env file in an editor tab so it has focus.
- Select one or more lines containing a value.
- Send any message to Claude Code in the same session (e.g., "hello").
- Observe that Claude Code's incoming context includes a
<system-reminder>containing the file path, the line range, and the literal selected text.
The selection was sufficient to transmit the file contents. The user took no explicit action to share the file — no @ mention, no tool invocation, no copy/paste. Selection alone triggered the injection.
This is reproducible 100% of the time on any project with the Claude Code VS Code extension active.
For testing, please use a dummy value rather than a real credential. The whole point of this bug report is that even brief exposure of a real value through this channel is a meaningful security event.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.142 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗