[BUG] Potential user privacy leak by `GET https://claude.ai/api/web/domain_info?domain=` requests

Resolved 💬 3 comments Opened Aug 20, 2025 by iwinux Closed Aug 20, 2025

Environment

  • Platform (select one):
  • [ ] Anthropic API
  • [x] AWS Bedrock
  • [x] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: 1.0.81 (Claude Code)
  • Operating System: macOS 15.3.2
  • Terminal: Ghostty

Bug Description

Claude Code is able to fetch web pages with the WebFetch tool, after the user grants the permission.

However, when inspecting the network traffic, we found out that each WebFetch tool use is preceded by a silent API request to https://claude.ai/api/web/domain_info?domain=.

Since we're using Claude Code in work environment, such subtle information leak raises our concern:

  1. It sends out sensitive information without asking for consent first.
  2. There's no way to opt-out.

Steps to Reproduce

  1. set up mitmproxy
  2. launch Claude Code and redirect all traffic through mitmproxy
  3. ask it to read docs of https://docs.python.org/3/library/string.html or whatever URLs you have at hand
  4. notice the requests to https://claude.ai/api/web/domain_info?domain=.

Expected Behavior

  • Don't send requests to https://claude.ai/api/web/domain_info?domain=.
  • Possible solution: add an option to disable the domain info check in settings.json.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗