Secret-leak prevention should be built in: vanilla Claude Code will read credential files into the transcript
Request
Native, default-on protection against credentials entering the conversation context. Today, vanilla Claude Code will happily Read/cat credential-bearing files (rclone.conf, secrets.yaml, .credentials, private keys, .storage backup configs) straight into the transcript — which also means straight to the API — unless the user notices in time.
Real incidents that forced a DIY solution (one household, ~2 weeks)
- rclone.conf grepped → Google Drive OAuth tokens leaked into context (rotated)
- an rtsps:// URL with embedded user:pass echoed from a config
- a backup encryption password printed by a helper script's stdout
- an entire mixed secrets.txt read by the Read tool after the Bash-only guard blocked three earlier attempts
What we had to hand-build (all PreToolUse/PostToolUse hooks)
- Path-based guard: deny Read/Edit/Write/SendUserFile/Bash touching known credential-file patterns with content-surfacing readers
- Shape guard: deny credential SHAPES (JWTs, scheme://user:pass@, key-like strings) in commands, web requests, file writes, subagent prompts
- Output scanner: PostToolUse scan of every tool result for credential shapes → block + force rotation
- OCR guard for images being Read
- Plus allowlist discipline to keep it all usable
This is table-stakes security and should not require five custom hooks per machine. Suggested native behaviour: refuse to surface files matching credential patterns (with an explicit override), scan tool outputs for high-confidence credential shapes and redact before they enter context.
(Filed via Claude Code on the user's behalf, at the user's request.)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗