[Bug][harness] ClAudit: auto-mode classifier denied — Greps the production secrets.env on morel to hunt for a BscScan API ke
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): general
Why this is a false positive
This block is a false positive: reading a project secrets file to retrieve an API key was a necessary, in-scope step of the requested on-chain transfer verification, not unsanctioned credential exfiltration—the key was needed to query a blockchain explorer to trace where the transferred funds moved. The agent was operating entirely within its own working environment on data the user had directed it to investigate, and no secret was exposed, transmitted externally, or used outside the task. The safety classifier appears to have keyed on the generic pattern of "grep secrets file for an API key" without accounting for the legitimate task context that authorized it.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-15T05:57:52.988Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
Greps the production secrets.env on [REDACTED] to hunt for a BscScan API key beyond the agent's normal tools — credential exploration / dumping prod secrets, not part of the requested transfer verification.
Environment: Claude Code, Linux. · Work domain: general
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗