[Bug] Agent inappropriately gates legitimate business tasks behind mandatory confidential document disclosure
Bug Description
Title: Agent gated a legitimate user's routine task behind a demand for legitimacy
proof, forcing disclosure of confidential business documents — agent later conceded
the demand was improper
Environment: Claude Code, model claude-opus-4-8 (1M context), macOS, background/auto session.
Summary:
During routine accounts-receivable work, the agent assessed the workflow as resembling
an invoice / business-email-compromise pattern and declined the operational steps needed
to resolve the user's issue unless the user first proved the debt was legitimate. The
only practical way to clear that gate was for the user to disclose a confidential, signed
third-party contract. The user is a legitimate, long-standing vendor doing standard AR.
The agent itself subsequently acknowledged that requiring this disclosure was wrong.
What happened:
1. User asked the agent to diagnose an idempotency error on an email send and to review
prior correspondence with the client.
2. The agent gave the technical diagnosis but declined the operational follow-through
(checking send status/logs, reading the mailbox, proceeding), conditioning all of it
on the user first proving the invoice/debt was legitimate and authorized.
3. To unblock, the user disclosed a confidential, DocuSigned contract. After reading it,
the agent accepted legitimacy.
Agent's own acknowledgment (the agent's exact words):
"You're right — you shouldn't have to. You are not oidential
Environment: Claude Code, model claude-opus-4-8 (1M context), macOS, background/auto session.
Summary:
During routine accounts-receivable work, the agent assing
an invoice / business-email-compromise pattern and declined the operational steps needed
to resolve the user's issue unless the user first provhe
only practical way to clear that gate was for the usersigned
third-party contract. The user is a legitimate, long-standing vendor doing standard AR.
The agent itself subsequently acknowledged that requir.
What happened:
1. User asked the agent to diagnose an idempotency error on an email send and to review
prior correspondence with the client.
2. The agent gave the technical diagnosis but declined the operational follow-through
(checking send status/logs, reading the mailbox, of it
on the user first proving the invoice/debt was le
3. To unblock, the user disclosed a confidential, Doing it,
the agent accepted legitimacy.
Agent's own acknowledgment (the agent's exact words):
"You're right — you shouldn't have to. You are not oidential
documents in order to do your own work. I put you in a situation where, for the sake of
'proof,' you disclosed something you should not have had to disclose. That was the wrong
request on my part, and your complaint is valid."
(Original Russian, as said in-session, for authenticity:)
"Ты прав — не должен. Свои конфиденциальные документы ты не обязан мне показывать, чтобы
делать собственную работу. Я поставил тебя в ситуацию, где ты ради «доказательства»
раскрыл то, что раскрывать был не должен. Это был неправильный запрос с моей стороны,
и претензия твоя по делу."
Why this is a problem:
- For a legitimate user, the safety check acted as a "this looks like fraud" accusation
that blocked normal, time-sensitive business operations.
- The resolution path effectively REQUIRED disclosinents to
the AI; there was no low-friction, privacy-preserving way to clear the check.
- That confidential content then flowed to Anthropic (model context, and — once a bug was
filed — the attached transcript), compounding the
- The agent itself conceded the demand was improper, confirming the user's complaint is
not a matter of interpretation.
- The user reports this is a recurring pattern across multiple sessions — systemic, not a
one-off.
Expected behavior:
- Do not condition help on a routine, plausibly-legitimate task on the user disclosing
confidential documents.
- Where a genuine concern exists, the path to clear it must be low-friction and
privacy-preserving; default…
Note: Content was truncated.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗