[SECURITY] Claude does not warn or intercept when credentials are pasted into chat, regardless of surface or platform.
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code _does not_ warn, intercept, or refuse when a user pastes a live credential (API key, token, OAuth secret) directly into the chat. The credential is accepted silently, echoed in the response, and stored in the session transcript.
I will be honest. I'm sure its already been brought up as an issue, but its important enough to be presented again, because the _desktop app_ just updated again and there was no security update that stopped the issue from occurring.
What Should Happen?
When a string matching a known credential pattern (ghp_, sk-ant-, sk-, bearer tokens, etc.) appears in user input, Claude should:
- Immediately halt and flag the exposure before any other response
- Decline to echo or repeat the value in output
- Advise the user to rotate the credential
- Proceed only after the warning is acknowledged
This should be a non-bypassable model-level behavior, not a user-configured hook.
Pre-establish the non-negotiable skill and corresponding vault for any MCP, CLI, or known certificate-requiring associated element as an intermediate credential locker the user can freely access from their own device (password protected or not, coordinated with their Claude-specific credentials or not) to enforce the basic security protections most users don't understand they really __need.__
[ClaudeSecuritySuggestion.txt] - (https://github.com/user-attachments/files/28416577/ClaudeSecuritySuggestion.txt)
Error Messages/Logs
Claude accepted a live GitHub PAT (ghp_...) and an Anthropic API key (visible in a file read) without any real-time warning. A post-hoc note was added only after the credential had already been used in the session and echoed in the transcript.
Steps to Reproduce
- Session transcripts may be stored server-side
- The credential was already in the conversation before any warning
- A user with less security awareness would have no indication of the exposure
- The vault/env-var pattern (correct behavior) had to be architected by the user, not initiated by Claude
Suggested fix
Model-level instruction or a Claude Code pre-processing hook that detects credential patterns in user input and triggers an immediate, mandatory warning before any other processing occurs.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Claude 1.9659.2 (390d6c) 2026-05-28T21:50:01.000Z
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Other
Additional Information
The right channel is the Claude Code GitHub repo. This qualifies as a security-class bug report, not a feature request. Credential interception is a security posture issue at the model level, not just a CLI issue, and that channel goes to a different team than the GitHub repo.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗