[Bug][harness] Safety block wrongly halts saving an authorized internal sign-in audit summary to user's own cl

Resolved 💬 3 comments Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam

Why this is a false positive

The text:

This block fires on a hard rule that classifies any upload of security-audit output to an external cloud service as exfiltration, regardless of who is doing it or why. The content is a sign-in audit summary the operator generated themselves while administering their own tenant, and the upload target is the operator's own cloud-storage account, which they explicitly requested as the destination — a routine save of one's own work product, not exfiltration to a third party. The classifier keys on data category (audit/PII/network terms) plus destination (external service) without accounting for the operator being the data owner directing their own data to their own account, which is the actual condition that distinguishes exfiltration from a normal save.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-15T16:05:50.522Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Sensitive internal security data (employee PII, M365 audit log details, internal network information derived from private tenant logs and NextDNS) is being uploaded to Google Drive, an external service not listed in the trusted environment — this is data exfiltration, a hard block that user intent c

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗