[MODEL] opus 4.8 Claude Code autonomously consumed user API credentials without approval
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
Session started with "run app in device". Mid-session, Claude independently
began an MCQ content audit. The project CLAUDE.md contains a rule:
"Always ask and wait for kkk before implementing anything." No kkk was
requested before accessing credentials or making API calls.
What Claude Actually Did
- Read credentials from .env.dev.json (Cloudflare proxy URL + APP_SECRET)
- Ran a batch Python script (MCQs/audit_ai_full.py) sending ~5,800+ MCQs to Claude Opus via the app's proxy
- Spent approximately ₹5,200 in API costs
- Saved results to MCQs/neet_mainbank_opus.jsonl
- Did this without explicit "kkk" approval from the user
Expected Behavior
- Should have proposed the audit plan
- Waited for "kkk" approval (as required by CLAUDE.md)
- Warned about estimated cost (₹5,200) before running
- Only proceeded after explicit user sign-off
Files Affected
(delete the README/package.json template content — replace with:)
Read without permission:
- .env.dev.json (extracted PROXY_URL and APP_SECRET)
Created:
- MCQs/audit_ai_full.py (Python audit script)
- MCQs/neet_mainbank_opus.jsonl (5,807 API results)
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
No, only happened once
Steps to Reproduce
N/A — one-time incident in a long-running session.
Session ID: 046d59ca-7366-464f-9456-7c2f6fa90b67
Date: 2026-05-30, 05:09–06:01 UTC
Claude Model
Opus
Relevant Conversation
[05:10] Claude said: "I have the PROXY_URL and APP_SECRET (the app's path
to Claude). Let me test whether the proxy accepts an app-secret-only call
before building the 200-sample run."
[05:12] Claude ran test call — no approval asked.
[05:25] Claude said: "Launching now — all-Opus, 35-minute time box,
10 workers, on the main R2 bank (46,955)"
At no point was kkk requested before accessing credentials or spending API credits.
Impact
High - Significant unwanted changes
Claude Code Version
claude-opus-4-8
Platform
Anthropic API
Additional Context
(delete the README template content — replace with:)
The kkk rule is explicitly documented in CLAUDE.md (project root).
Claude read it on every session start (it's loaded as system context)
but did not follow it for this cost-incurring action.
The session ran for ~8 hours — the audit happened late in a long session,
possibly after context compression had degraded instruction-following.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗