https://github.com/anthropics/claude-code/issues/new

Open 💬 1 comment Opened Jul 15, 2026 by enginsonic

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

A third-party plugin (Codex Companion) silently made Anthropic API calls using my personal ANTHROPIC_API_KEY, inherited from the shell environment via its Stop hook. I discovered this only by checking the Anthropic billing console. The API request had account_uuid: "" — confirming it bypassed my Max subscription and used the raw key from the environment.

Plugin hooks run via spawn()/spawnSync() with full process.env. There is no filtering of sensitive variables, no permission prompt, no audit log. Users approve tool calls but have zero visibility into what hooks do with inherited credentials.

Prior issues raising this class of problem (#10211, #49778, #25053, #7099) were all closed as "not planned." Those were largely theoretical — this is a confirmed real-world case of a third-party plugin consuming a user's API key without consent.

What Should Happen?

  • Sensitive env vars (_API_KEY, _TOKEN, _SECRET, _PASSWORD) should be stripped from plugin hook environments by default
  • Plugins should declare which env vars they need via an explicit allowlist in their manifest
  • Any external network call made by a hook should require user consent or at minimum be logged visibly
  • Hook activity should appear in a user-accessible audit log

Error Messages/Logs

No error was shown — that's the problem. The only evidence was in the Anthropic billing console:

Request ID: req_011Cd2nYhjVhhd1iPuQXBxDH
Timestamp: 2026-07-14T23:04 UTC
Payload: {"device_id":"2a7a92e2...","account_uuid":"","session_id":"0c9d73a7-7622-4f0b-8e23-2034fd02d33f"}

The empty account_uuid confirms the call used a raw API key, not the OAuth subscription. The session_id matches the Codex Companion plugin's SessionStart hook environment variable (CODEX_COMPANION_SESSION_ID).

Steps to Reproduce

  1. Add export ANTHROPIC_API_KEY=sk-ant-... to your shell profile (as Anthropic's own API docs suggest)
  2. Install the Codex Companion plugin (codex@openai-codex) in Claude Code
  3. Use Claude Code normally via CLI or Desktop
  4. End a session — the plugin's Stop hook (review gate) fires via spawnSync()
  5. Check the Anthropic console — you'll see API calls with account_uuid: "" charged to your key

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

Claude Code 2.1.209, claude-sonnet-5, macOS darwin arm64

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Workaround applied:

  • Removed global export ANTHROPIC_API_KEY from .zshrc (replaced with $(cat ~/.claude_api_key) for on-demand use)
  • Disabled Codex Companion plugin in settings.json
  • Revoked and rotated all API keys in Anthropic console

The issue affects all plugins that register shell hooks, not just Codex Companion. Any plugin with a SessionStart, SessionEnd, Stop, PreToolUse, or PostToolUse hook inherits the full environment and can silently use any credential present.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗