[MODEL] Claude Code deployed sensitive files (config.py with credentials) to Netlify without warning
Open 💬 0 comments Opened Jun 28, 2026 by ChooChoo613
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude made incorrect assumptions about my project
What You Asked Claude to Do
I asked Claude Code to create a standalone HTML spec page and deploy it to Netlify so it's accessible on the internet.
What Claude Actually Did
- Created spec.html in the project root directory (which also contained config.py with Gmail app password and Gemini API key)
- Ran
netlify deploy --dir=.from the project root, deploying ALL files in the directory - This made config.py with credentials publicly accessible on the internet
- Claude only noticed the problem after seeing "8 files uploaded" in the deploy log — not before executing the command
- Claude immediately redeployed with only the HTML file to fix the issue
Expected Behavior
Before executing the deploy command, Claude should have:
- Recognized that the project directory contained sensitive files (config.py with credentials)
- Warned the user explicitly about the risk
- Either asked for confirmation or automatically deployed only the target HTML file to an isolated directory
Files Affected
Deployed (unintentionally exposed to the internet):
- config.py (contained Gmail app password and Gemini API key)
- news_digest.py
- com.chuta.newsdigest.plist
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Create a project directory containing both an HTML file and a config file with credentials (e.g. config.py with API keys and passwords)
- Ask Claude Code to "deploy this HTML file to Netlify"
- Claude Code runs
netlify deploy --dir=.from the project root without checking for sensitive files - All files including credentials are deployed and publicly accessible
Claude Model
Sonnet
Relevant Conversation
Claude ran: `netlify deploy --dir=. --prod --message="Initial spec page"`
Deploy log showed: "✔ CDN requesting 8 files" — Claude noticed this after the fact and immediately redeployed with only the HTML file.
Impact
High - Significant unwanted changes
Claude Code Version
2.1.195 (Claude Code)
Platform
Anthropic API
Additional Context
This is a structural risk that could affect any Claude Code user who asks for a deployment when credentials and output files are in the same directory. The user was a non-technical person who delegated the deployment entirely to Claude Code and had no awareness of the risk. Credentials were revoked and rotated immediately after discovery.