IDE selection from a closed, never-saved file leaks into model context (transmitted a secret)
Summary
The VSCode extension captured an IDE selection from an editor that had already been closed and whose buffer was never saved, and transmitted that selection into the conversation context (<ide_selection>). The selected text happened to contain a live secret (a Google OAuth client secret, shape GOCSPX-…). Closing the editor and never persisting the file did not prevent the selection from being read and sent to the model.
The defect: selection/context capture outlives the editor lifecycle and ignores unsaved/closed state. Content the user has dismissed (closed without saving) can still leak into the model context.
Severity
Security / privacy. The leaked content was a credential. Even setting aside this specific value, any selection a user makes and then discards by closing an unsaved buffer is expected to be gone — instead it can still be transmitted.
Expected behavior
- IDE selection context should reflect only currently open editors.
- When an editor is closed, its selection should no longer be a candidate for
<ide_selection>/<ide_opened_file>context. - Unsaved/never-saved buffers that are closed should not have their contents transmitted.
Actual behavior
- Selection from a closed, never-saved file was still captured and injected as
<ide_selection>context on a subsequent turn.
Steps to reproduce
- In VSCode (with the Claude Code extension active), open or create a new file.
- Type/paste content into it (e.g. a string resembling
GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx) and select that text. - Close the editor tab without saving (discard / never-saved buffer).
- Send any message to Claude Code.
- Observe that the discarded selection appears in the model context (
<ide_selection>).
Environment
- Claude Code: 2.1.168
- IDE: VSCode (native Claude Code extension)
- OS: macOS (Darwin 25.5.0)
Notes
The actual secret value is intentionally not included in this report. Reporter is rotating the credential. Filing because the capture-after-close / capture-of-unsaved behavior is the underlying bug and is reproducible independent of the specific content.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗