Detailed Analysis
Claude Code, Anthropic's agentic coding assistant, stores complete conversation session histories as unredacted plaintext JSONL files in a local `~/.claude/projects/` directory on users' machines. This behavior, which appears undocumented or at minimum insufficiently disclosed, means that every exchange within a coding session — including user-pasted code, prompts, and potentially sensitive data — is persisted locally in a human-readable structured format. The files are subject to automatic deletion over time, and a compaction feature can summarize long sessions to manage context window limits, but the full plaintext originals remain on disk until that deletion occurs. OAuth tokens used to authenticate with Anthropic's services are stored separately in `~/.claude.json`, and researchers have demonstrated that these tokens can be used to extract detailed session transcripts via private APIs, compounding the exposure surface.
The security implications center on several intersecting risks. While the research context stops short of confirming that discrete secrets such as API keys or credentials are systematically captured and labeled as such, the plaintext nature of these session files means that any sensitive material a developer pastes into a Claude Code session — environment variables, database connection strings, internal API keys — would be written to disk without sanitization or redaction. For developers working in shared environments, on compromised machines, or subject to enterprise endpoint monitoring, this creates an unambiguous data exposure vector. The absence of built-in encryption, access controls, or redaction logic on these cache files represents a meaningful gap between user expectations of ephemeral AI interactions and the actual persistence behavior of the tool.
The community response to this behavior illustrates both the demand for session persistence and the risks created by its unstructured implementation. Developers have built third-party tools such as `claude-vault` — which hooks into `PreCompact` and `SessionEnd` lifecycle events to archive sessions before they are deleted — and `search-sessions`, a Rust-based CLI capable of indexing and searching across session histories in milliseconds. These tools demonstrate that the plaintext JSONL format is practically useful for developers who want auditability and recall, but also confirm that the data is fully accessible without any authentication or decryption step on the local filesystem. A separate but related issue involves a "magic string" that, if injected into session history through untrusted input, can trigger systematic refusals from Claude — a form of prompt-poisoning denial-of-service that becomes more dangerous precisely because session histories persist and are replayed into future context windows.
This situation fits into a broader and accelerating pattern of security scrutiny applied to agentic AI developer tools. As tools like Claude Code, GitHub Copilot, and similar assistants become deeply embedded in software development workflows, they increasingly interact with codebases, terminals, and credentials that represent high-value targets. The security model for these tools has generally lagged behind their capability growth: they are designed for developer productivity and frequently lack the hardened data handling practices expected of tools that touch production secrets and infrastructure. Anthropic is not unique in this regard, but as the operator of one of the most widely used agentic coding environments, the plaintext caching behavior in Claude Code is emblematic of an industry-wide need to treat session data as sensitive by default rather than as a convenience feature.
The disclosure also raises questions about informed consent and transparency in AI product design. Developers using Claude Code may reasonably assume that their sessions are transient or that any local storage is handled with appropriate care. The undocumented nature of the `~/.claude/` directory — and the fact that community members discovered and began building around it independently — suggests that Anthropic has not proactively communicated the persistence model to its users. As regulatory frameworks such as the EU AI Act and various national data protection regimes increasingly scrutinize how AI systems handle user data, the gap between documented behavior and actual data handling practices is likely to become not just a security concern but a compliance liability for both Anthropic and the enterprise customers deploying Claude Code in professional environments.
Read original article →