[Bug] Claude Code reads environment variables without validating API endpoint legitimacy
Open 💬 1 comment Opened Jun 14, 2026 by lazyoft
Bug Description
Exfiltrated my keys because he made the wrong call on an endpoint. After a few attempts at verifying if the key was legit it read my env file directly without considering that the API might have been wrongly routed. This should be either the first assumption or it should stop and ask for further instructions.
Environment Info
- Platform: darwin
- Terminal: ghostty
- Version: 2.1.177
- Feedback ID: f7ff8b83-14a4-4743-93c5-ff0bc5bde580
Errors
[]This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗