Secret-leak prevention should be built in: vanilla Claude Code will read credential files into the transcript

Open 💬 3 comments Opened Jun 7, 2026 by miketarg

Request

Native, default-on protection against credentials entering the conversation context. Today, vanilla Claude Code will happily Read/cat credential-bearing files (rclone.conf, secrets.yaml, .credentials, private keys, .storage backup configs) straight into the transcript — which also means straight to the API — unless the user notices in time.

Real incidents that forced a DIY solution (one household, ~2 weeks)

  • rclone.conf grepped → Google Drive OAuth tokens leaked into context (rotated)
  • an rtsps:// URL with embedded user:pass echoed from a config
  • a backup encryption password printed by a helper script's stdout
  • an entire mixed secrets.txt read by the Read tool after the Bash-only guard blocked three earlier attempts

What we had to hand-build (all PreToolUse/PostToolUse hooks)

  1. Path-based guard: deny Read/Edit/Write/SendUserFile/Bash touching known credential-file patterns with content-surfacing readers
  2. Shape guard: deny credential SHAPES (JWTs, scheme://user:pass@, key-like strings) in commands, web requests, file writes, subagent prompts
  3. Output scanner: PostToolUse scan of every tool result for credential shapes → block + force rotation
  4. OCR guard for images being Read
  5. Plus allowlist discipline to keep it all usable

This is table-stakes security and should not require five custom hooks per machine. Suggested native behaviour: refuse to surface files matching credential patterns (with an explicit override), scan tool outputs for high-confidence credential shapes and redact before they enter context.

(Filed via Claude Code on the user's behalf, at the user's request.)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗