Claude Code's Local File Storage Exposes Sensitive Credentials and Session Data, Security Researcher Warns
Key Takeaways
- ▸Claude Code stores memory and session artifacts in plaintext under ~/.claude/projects/ with world-readable permissions, exposing API keys, tokens, and secret references
- ▸Session transcripts can be 30-41 MB in size and persist for months with no automatic deletion, creating a growing attack surface for compromised developer machines
- ▸The files lack application-layer access control and audit trails, relying entirely on filesystem permissions and leaving no record of access or exfiltration attempts
Summary
Security researcher Taariq Lewis has identified significant security vulnerabilities in Claude Code's local memory storage system, revealing that the AI development tool stores sensitive information including API keys, authentication tokens, and session transcripts in plaintext files under ~/.claude/projects/ with weak access controls. The stored artifacts include memory markdown files and JSONL session histories that can be world-readable on multi-user systems, contain references to secret environment variables and bearer tokens, and persist indefinitely with no automatic pruning or retention policies. Lewis demonstrated that developers can verify these exposures themselves using basic file system commands, and notes that the lack of application-layer access control, audit trails, and fragmented portability of project directories compounds the security risk. The research highlights that same-user compromise—a common developer workstation attack vector—could easily lead to exfiltration of credentials and operational procedures stored in these unprotected local files.
- Developers can verify the vulnerability themselves using command-line tools, and should immediately audit their local Claude projects for exposed credentials
Editorial Opinion
This disclosure exposes a critical gap between Claude's capabilities as a developer tool and its maturity as a security-conscious product. Storing credentials and operational procedures in plaintext files with no access control or retention policies is a fundamental security antipattern that puts every developer using Claude Code at risk. While SerenDB's proposed interception layer offers one mitigation path, Anthropic should treat this as an urgent priority—either by fundamentally redesigning how Claude stores sensitive project data or by providing out-of-the-box encryption, audit logging, and automatic credential redaction to safeguard developers' codebases and infrastructure.
