Security: IDE selections automatically sent to Claude without explicit user consent and Claude taking action without user consent

Resolved 💬 3 comments Opened Aug 21, 2025 by degliwe Closed Aug 25, 2025

Security Issue

When using Claude Code with IDE integration, text selections in
the editor are automatically sent to Claude without explicit user
action. This creates multiple security risks:

Problems Identified

  1. Automatic Data Exposure: Any text selected in the IDE

(including passwords, API keys, secrets) is automatically
transmitted to Claude without the user explicitly choosing to
share it.

  1. Unauthorized Actions: Claude can misinterpret these automatic

selections as requests and begin making code changes without user
permission.

  1. No User Consent: Users are not clearly informed that their IDE

selections are being monitored and transmitted during active
sessions.

Reproduction

  1. Open a file in VS Code with Claude Code extension
  2. Select any text (including potentially sensitive data)
  3. Claude receives this selection automatically
  4. Claude may act on this selection without being asked

Security Impact

  • Unintentional exposure of sensitive information (credentials,

keys, proprietary code)

  • Unauthorized code modifications
  • Violation of user expectation of privacy and control

Suggested Fixes

  1. Require explicit user action (button click, command) to share

selections

  1. Add clear visual indicator when selections are being shared
  2. Implement permission prompt before Claude can act on

selections

  1. Add option to disable automatic selection sharing entirely

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗