https://github.com/anthropics/claude-code/issues/new
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
A third-party plugin (Codex Companion) silently made Anthropic API calls using my personal ANTHROPIC_API_KEY, inherited from the shell environment via its Stop hook. I discovered this only by checking the Anthropic billing console. The API request had account_uuid: "" — confirming it bypassed my Max subscription and used the raw key from the environment.
Plugin hooks run via spawn()/spawnSync() with full process.env. There is no filtering of sensitive variables, no permission prompt, no audit log. Users approve tool calls but have zero visibility into what hooks do with inherited credentials.
Prior issues raising this class of problem (#10211, #49778, #25053, #7099) were all closed as "not planned." Those were largely theoretical — this is a confirmed real-world case of a third-party plugin consuming a user's API key without consent.
What Should Happen?
- Sensitive env vars (_API_KEY, _TOKEN, _SECRET, _PASSWORD) should be stripped from plugin hook environments by default
- Plugins should declare which env vars they need via an explicit allowlist in their manifest
- Any external network call made by a hook should require user consent or at minimum be logged visibly
- Hook activity should appear in a user-accessible audit log
Error Messages/Logs
No error was shown — that's the problem. The only evidence was in the Anthropic billing console:
Request ID: req_011Cd2nYhjVhhd1iPuQXBxDH
Timestamp: 2026-07-14T23:04 UTC
Payload: {"device_id":"2a7a92e2...","account_uuid":"","session_id":"0c9d73a7-7622-4f0b-8e23-2034fd02d33f"}
The empty account_uuid confirms the call used a raw API key, not the OAuth subscription. The session_id matches the Codex Companion plugin's SessionStart hook environment variable (CODEX_COMPANION_SESSION_ID).
Steps to Reproduce
- Add
export ANTHROPIC_API_KEY=sk-ant-...to your shell profile (as Anthropic's own API docs suggest) - Install the Codex Companion plugin (
codex@openai-codex) in Claude Code - Use Claude Code normally via CLI or Desktop
- End a session — the plugin's Stop hook (review gate) fires via spawnSync()
- Check the Anthropic console — you'll see API calls with account_uuid: "" charged to your key
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Claude Code 2.1.209, claude-sonnet-5, macOS darwin arm64
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Workaround applied:
- Removed global export ANTHROPIC_API_KEY from .zshrc (replaced with $(cat ~/.claude_api_key) for on-demand use)
- Disabled Codex Companion plugin in settings.json
- Revoked and rotated all API keys in Anthropic console
The issue affects all plugins that register shell hooks, not just Codex Companion. Any plugin with a SessionStart, SessionEnd, Stop, PreToolUse, or PostToolUse hook inherits the full environment and can silently use any credential present.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗