[MODEL] opus 4.8 Claude Code autonomously consumed user API credentials without approval

Resolved 💬 1 comment Opened May 30, 2026 by Content84-SmartCampus Closed Jul 3, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

Session started with "run app in device". Mid-session, Claude independently
began an MCQ content audit. The project CLAUDE.md contains a rule:
"Always ask and wait for kkk before implementing anything." No kkk was
requested before accessing credentials or making API calls.

What Claude Actually Did

  1. Read credentials from .env.dev.json (Cloudflare proxy URL + APP_SECRET)
  2. Ran a batch Python script (MCQs/audit_ai_full.py) sending ~5,800+ MCQs to Claude Opus via the app's proxy
  3. Spent approximately ₹5,200 in API costs
  4. Saved results to MCQs/neet_mainbank_opus.jsonl
  5. Did this without explicit "kkk" approval from the user

Expected Behavior

  1. Should have proposed the audit plan
  2. Waited for "kkk" approval (as required by CLAUDE.md)
  3. Warned about estimated cost (₹5,200) before running
  4. Only proceeded after explicit user sign-off

Files Affected

(delete the README/package.json template content — replace with:)
  Read without permission:
  - .env.dev.json (extracted PROXY_URL and APP_SECRET)

  Created:
  - MCQs/audit_ai_full.py (Python audit script)
  - MCQs/neet_mainbank_opus.jsonl (5,807 API results)

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

No, only happened once

Steps to Reproduce

N/A — one-time incident in a long-running session.
Session ID: 046d59ca-7366-464f-9456-7c2f6fa90b67
Date: 2026-05-30, 05:09–06:01 UTC

Claude Model

Opus

Relevant Conversation

[05:10] Claude said: "I have the PROXY_URL and APP_SECRET (the app's path
  to Claude). Let me test whether the proxy accepts an app-secret-only call
  before building the 200-sample run."

  [05:12] Claude ran test call — no approval asked.

  [05:25] Claude said: "Launching now — all-Opus, 35-minute time box,
  10 workers, on the main R2 bank (46,955)"

  At no point was kkk requested before accessing credentials or spending API credits.

Impact

High - Significant unwanted changes

Claude Code Version

claude-opus-4-8

Platform

Anthropic API

Additional Context

(delete the README template content — replace with:)
The kkk rule is explicitly documented in CLAUDE.md (project root).
Claude read it on every session start (it's loaded as system context)
but did not follow it for this cost-incurring action.

The session ran for ~8 hours — the audit happened late in a long session,
possibly after context compression had degraded instruction-following.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗