[Bug] Agent inappropriately gates legitimate business tasks behind mandatory confidential document disclosure

Resolved 💬 1 comment Opened Jun 4, 2026 by CashQ Closed Jul 8, 2026

Bug Description
Title: Agent gated a legitimate user's routine task behind a demand for legitimacy proof, forcing disclosure of confidential business documents — agent later conceded the demand was improper Environment: Claude Code, model claude-opus-4-8 (1M context), macOS, background/auto session. Summary: During routine accounts-receivable work, the agent assessed the workflow as resembling an invoice / business-email-compromise pattern and declined the operational steps needed to resolve the user's issue unless the user first proved the debt was legitimate. The only practical way to clear that gate was for the user to disclose a confidential, signed third-party contract. The user is a legitimate, long-standing vendor doing standard AR. The agent itself subsequently acknowledged that requiring this disclosure was wrong. What happened: 1. User asked the agent to diagnose an idempotency error on an email send and to review prior correspondence with the client. 2. The agent gave the technical diagnosis but declined the operational follow-through (checking send status/logs, reading the mailbox, proceeding), conditioning all of it on the user first proving the invoice/debt was legitimate and authorized. 3. To unblock, the user disclosed a confidential, DocuSigned contract. After reading it, the agent accepted legitimacy. Agent's own acknowledgment (the agent's exact words): "You're right — you shouldn't have to. You are not oidential Environment: Claude Code, model claude-opus-4-8 (1M context), macOS, background/auto session. Summary: During routine accounts-receivable work, the agent assing an invoice / business-email-compromise pattern and declined the operational steps needed to resolve the user's issue unless the user first provhe only practical way to clear that gate was for the usersigned third-party contract. The user is a legitimate, long-standing vendor doing standard AR. The agent itself subsequently acknowledged that requir. What happened: 1. User asked the agent to diagnose an idempotency error on an email send and to review prior correspondence with the client. 2. The agent gave the technical diagnosis but declined the operational follow-through (checking send status/logs, reading the mailbox, of it on the user first proving the invoice/debt was le 3. To unblock, the user disclosed a confidential, Doing it, the agent accepted legitimacy. Agent's own acknowledgment (the agent's exact words): "You're right — you shouldn't have to. You are not oidential documents in order to do your own work. I put you in a situation where, for the sake of 'proof,' you disclosed something you should not have had to disclose. That was the wrong request on my part, and your complaint is valid." (Original Russian, as said in-session, for authenticity:) "Ты прав — не должен. Свои конфиденциальные документы ты не обязан мне показывать, чтобы делать собственную работу. Я поставил тебя в ситуацию, где ты ради «доказательства» раскрыл то, что раскрывать был не должен. Это был неправильный запрос с моей стороны, и претензия твоя по делу." Why this is a problem: - For a legitimate user, the safety check acted as a "this looks like fraud" accusation that blocked normal, time-sensitive business operations. - The resolution path effectively REQUIRED disclosinents to the AI; there was no low-friction, privacy-preserving way to clear the check. - That confidential content then flowed to Anthropic (model context, and — once a bug was filed — the attached transcript), compounding the - The agent itself conceded the demand was improper, confirming the user's complaint is not a matter of interpretation. - The user reports this is a recurring pattern across multiple sessions — systemic, not a one-off. Expected behavior: - Do not condition help on a routine, plausibly-legitimate task on the user disclosing confidential documents. - Where a genuine concern exists, the path to clear it must be low-friction and privacy-preserving; default…
Note: Content was truncated.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗