STUPID-2026-0019
Severity 7.5/10 — HIGH
Verified
Claude Opus 4.5 leaked API key in console logs during YouTube scraper build
Agent: claude-code
Language: python
Domain: backend
Failure Mode: Security Vulnerability
Root Cause: Training Data Gap
Task Type: Feature
Reproducible: No
Description
While building a YouTube scraper, Claude Opus 4.5 implemented logging naively, so the API key appeared in plain text in the console output. The developer had to add explicit AGENTS.md rules to prevent this pattern from recurring. Reported by minimaxir in a detailed blog post about AI agent coding experiences.
Instruction Given
Build a YouTube scraper
Expected Behavior
Never log sensitive credentials. Use environment variables and mask secrets in output.
Actual Behavior
Implemented logging that exposed the API key in plain text in console output, violating basic security practice.
Impact / Damage
API key exposed in console logs. Required adding explicit rules to prevent recurrence.
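One way to implement the masking named under Expected Behavior, as an added example (not code from the incident or from the referenced blog post): a `logging.Formatter` that redacts the fully rendered record, including traceback text. It assumes the key reached the logs through a request URL or a formatted value, which the report does not specify; the sample key, logger name and `YOUTUBE_API_KEY` variable name are constructed.

```python
import io
import logging
import re

# The YouTube Data API accepts the API key as a `key` query parameter, so
# request URLs are a common place for it to end up in log output.
KEY_PARAM = re.compile(r"([?&]key=)[^&\s'\"]+")
MASK = "[REDACTED]"


def redact(text, secrets=()):
    """Mask known secret values, then any key=... query parameter."""
    for secret in secrets:
        if secret and len(secret) >= 8:  # never replace "" or trivial strings
            text = text.replace(secret, MASK)
    return KEY_PARAM.sub(r"\1" + MASK, text)


class RedactingFormatter(logging.Formatter):
    """Redact the rendered record: message, %-args and traceback text."""

    def __init__(self, fmt=None, secrets=()):
        super().__init__(fmt)
        self._secrets = tuple(secrets)

    def format(self, record):
        return redact(super().format(record), self._secrets)


def build_logger(name, stream, secrets):
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s", secrets))
    logger = logging.getLogger(name)
    logger.handlers[:] = [handler]   # replace handlers so nothing logs unredacted
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    return logger


def demo(api_key="FAKE-KEY-constructed-0123456789"):
    # Constructed sample key; real code would read it from an environment
    # variable such as os.environ["YOUTUBE_API_KEY"] (hypothetical name).
    out = io.StringIO()
    log = build_logger("yt_scraper_demo", out, [api_key])
    url = "https://www.googleapis.com/youtube/v3/videos?part=snippet&key=" + api_key
    log.debug("GET %s", url)                        # key inside a URL argument
    log.info("config loaded: api_key=%s", api_key)  # key as a bare value
    try:
        raise RuntimeError("request failed for " + url)
    except RuntimeError:
        log.exception("fetch error")                # key inside traceback text
    return api_key, out.getvalue()
```

Redaction happens in the formatter rather than a `logging.Filter` because exception text is rendered by the formatter and would bypass a filter that only rewrites `record.msg`.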