DEV Community

Svn

I leaked my GH token to Claude

A few weeks ago, I was debugging an issue in my personal project with Claude Code, which had access to my terminal output as context. We worked through it and were done with it.

Later that night, I noticed an innocent-looking GH token in my shell history from an earlier manual test, just sitting there, waiting for me to notice. Well, damn, I fell into a well-known pothole.


Agentic CLIs read your shell, and your shell isn't clean

Claude Code, Aider, OpenCode, and similar agentic terminal tools all work the same way: they consume shell output as context. You run a command, the agent reads what comes back, and that visibility is what makes them useful for real debugging work.

The same property is what makes them risky for credential hygiene. Real terminals contain debug curl tests, environment dumps, error stack traces with connection strings, and log lines with tokens, none of which gets filtered before the agent ingests it. "Ingests" can mean a context window, a server log, a fine-tuning dataset, or a future suggestion to someone else.

There is no warning prompt before any of that happens. These tools are designed primarily to consume context efficiently, with input filtering treated as out of scope.


What I did after

After rotating the token, I thought to myself, "It's more than likely another shoot-myself-in-the-foot moment will happen. Better to start wearing steel toes." So I built something to prevent another incident.

Redacted is a small CLI tool that masks sensitive patterns in piped output before they reach whatever is downstream.

```
⎿  PostToolUse:Bash hook returned blocking error
   ⎿  [redacted] 1 secret(s) scrubbed from command output.
```

```
some-command-with-secrets | redacted scrub
```

It catches AWS keys, GitHub tokens, Anthropic keys, OpenAI keys, Stripe keys, Slack tokens, Twilio credentials, and a few others. Specific values can be whitelisted if you do not want them masked.
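As an added illustration of the scrub-and-report behaviour described above (an example written for this post, not the project's own code), here is a toy Python filter that masks a few assumed token shapes in piped output, honours an allowlist of permitted values, and reports the hit count on stderr. The regexes and the placeholder sample output are assumptions, not the tool's real rule set.

```python
"""Toy stdin -> stdout secret scrubber in the spirit of `redacted scrub`.
Added example, not the project's code; the patterns are illustrative (assumed)."""
from __future__ import annotations
import re
import sys

# Illustrative credential shapes, keyed by the label used in the replacement.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}\b"),
}

# Constructed placeholder values for the sample; none is a real credential.
FAKE_GH = "ghp_" + "A" * 36
FAKE_AWS = "AKIA" + "E" * 16
FAKE_ANTHROPIC = "sk-ant-" + "X" * 24
SAMPLE_OUTPUT = (
    f'$ curl -H "Authorization: token {FAKE_GH}" https://api.github.com/user\n'
    '{"login":"svn"}\n'
    f"AWS_ACCESS_KEY_ID={FAKE_AWS}\n"
    f"export ANTHROPIC_API_KEY={FAKE_ANTHROPIC}\n"
)


def scrub(text: str, allowlist: frozenset[str] = frozenset()) -> tuple[str, int]:
    """Mask every non-allowlisted match of PATTERNS; return (scrubbed_text, hits)."""
    hits = 0

    def make_repl(label: str):
        def repl(match: re.Match) -> str:
            nonlocal hits
            value = match.group(0)
            if value in allowlist:  # whitelisted value passes through untouched
                return value
            hits += 1
            return f"[REDACTED:{label}]"
        return repl

    for label, pattern in PATTERNS.items():
        text = pattern.sub(make_repl(label), text)
    return text, hits


if __name__ == "__main__":
    # Usage: some-command-with-secrets | python3 scrub.py [allowed-value ...]
    out, n = scrub(sys.stdin.read(), frozenset(sys.argv[1:]))
    sys.stdout.write(out)
    sys.stderr.write(f"[redacted] {n} secret(s) scrubbed from command output.\n")
```

Running it on `SAMPLE_OUTPUT` masks all three placeholders; passing one of them as an argument lets that value through while the other two are still scrubbed.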

Install instructions:

```
brew tap svn-arv/tap
brew install redacted
redacted init
```

Details at github.com/svn-arv/redacted

It covers the common credential patterns automatically. Right now it is wired for terminal piping, though I plan to extend coverage to other common IDE/text editor AI tools like Cursor over time. Knowing what you are piping through still matters, since no pattern matcher catches everything.
