Claude Code logs partial keystrokes/plaintext email address in ~/.claude.json


Claude Code is actively capturing and storing highly sensitive user input, including partial and unsent keystrokes, alongside plaintext OAuth account metadata (email, user IDs, organization IDs), all within its ~/.claude.json file. This behavior has been specifically verified on Windows Subsystem for Linux (WSL) environments.

The ~/.claude.json file grows indefinitely, creating an unencrypted, detailed log of user interactions and sensitive information. The OAuth metadata storage is particularly egregious as it's completely unnecessary after initial authentication - the app remains logged in even when this data is removed, meaning user emails are being stored alongside partial keystrokes for no functional reason.

For a full technical breakdown, and a temporary mitigation script, please see my claude-privacy-cleaner repository.
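To check a local file for the exposure described above, the following added example (not the claude-privacy-cleaner script and not code from the original post) walks a JSON file, reports its size and permission bits, and lists the JSON paths where email-shaped strings appear, redacting the values. The key names in the constructed sample are hypothetical and do not reflect the real layout of ~/.claude.json.

```python
import json, os, re, stat, tempfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def redact(email):
    """Keep the first character and the domain so the report itself leaks nothing."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain

def find_emails(node, path="$"):
    """Recursively yield (json_path, redacted_email) for every string value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_emails(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_emails(value, f"{path}[{i}]")
    elif isinstance(node, str):
        for match in EMAIL_RE.findall(node):
            yield path, redact(match)

def audit(file_path):
    """Report size, group/other accessibility and email locations for one file."""
    st = os.stat(file_path)
    with open(file_path, encoding="utf-8") as fh:
        data = json.load(fh)
    return {
        "size_bytes": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "group_or_other_access": bool(st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "emails": list(find_emails(data)),
    }

def demo():
    # Constructed sample; these key names are hypothetical, not the real schema.
    sample = {"account": {"email": "alice@example.com", "org": "org-123"},
              "history": [{"text": "mail bob@example.org about"}]}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    try:
        return audit(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    target = os.path.expanduser("~/.claude.json")
    print(audit(target) if os.path.exists(target) else demo())
```

Running it periodically and comparing `size_bytes` shows whether the file keeps growing; a true `group_or_other_access` means other local accounts can read whatever it contains.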
