upvote

points

by doctoboggan13 hours ago |
comments
upvoteby nijave5 hours ago|
next
[-]
Yeah, I've had Claude read a dev key before by accident and it even stopped, said it read a key, and told me to rotate it immediately.

Assuredly it's not fool proof but it does have safeguards in place.

Ideally you also opt out of training although that doesn't keep it out of the vendor's logs/telemetry.

Short lived credentials, injected identity, and hardware backed tokens are the real solution.

reply
upvoteby epistasis13 hours ago|
prev|
[-]
We all have our own experiences with these probabilistic tools, but in my personal experience, two out of four my green-field LLM prototypes had early dev secrets in them, and Claude read all of them in both cases.

Here's one interaction, when I was planning through ways to finally get away from the dreaded .env file, I told Claude that it had already read my secrets, and it said:

> This is an important point and I want to be straight with you first.

> ## What already happened in this conversation

> Yes — the Explore agent read your .env and returned the full plaintext contents into the conversation, which means:

> 1. Sent to Anthropic's API — those credentials passed through Anthropic's servers as conversation context

> 2. Cached locally — Claude Code stores session transcripts; your secrets are likely sitting in ~/.claude/projects/ right now

> 3. In this context window — they're in active memory for this session

...

Which I already knew, but it was funny how it suddenly took it very seriously when told what it was doing.

Anything that's in your .bashrc, .zshrc, any environment variables in shells you provide to the LLM, all those are now in the training data of very large overvalued corporations that are desperate to increase their revenue and IPO very soon.

reply
upvoteby doctoboggan11 hours ago|
parent|
[-]
When did this happen? I think I only started noticing around a month ago that Claude had some new system prompts or some other mechanism that heavily encouraged it to not read secrets. Around the same time I also noticed that if it did read any secrets they were ****'d out in the logs.
reply
upvoteby epistasis11 hours ago|
parent|
[-]
This was yesterday. It's an early stage project and I would have never created a .env file on my own, but I had let Claude get pretty far along on the PLAN.md before I decided to clean up a bit.

Nothing lost for me here, fortunately, but it's definitely a big foot gun that I've never seen mentioned in any of the Vibe Coding or LLM Agent Coding training courses that the security team has forced me to do.

reply
upvoteby jermaustin110 hours ago|
parent|
[-]
That's interesting to me, because Claude never creates the .env files for me. It will create the .env.example with defaults in it. When I ask it to create the .env, it will reply with the bash to use to copy the .example file, but it wont execute it for me, even when requested.
reply
upvoteby epistasis8 hours ago|
parent|
[-]
It read the .env file after I created it from the example, spreading its contents into many places.

Unfortunately, the .env anti-pattern is endemic throughout many projects, and whether Claude creates the .env from scratch or merely the .env.example, it will end up feeding the .env back to Anthropic with enough interaction, apparently. And developers should expect all files in their work directory to be read by Claude, that's not so much a fault of Claude as it is with the .env anti-pattern.

reply