STUPID-2026-0019 Severity 7.5/10 — HIGH Verified

Claude Opus 4.5 leaked API key in console logs during YouTube scraper build

Agent: claude-code Language: python Domain: backend
Failure Mode
Security Vulnerability
Root Cause
Training Data Gap
Task Type
Feature
Reproducible
No

Quick Answer

Claude-code caused a high-severity (7.5/10) security vulnerability failure: Claude Opus 4.5 leaked API key in console logs during YouTube scraper build. The root cause was training data gap. API key exposed in console logs.

Description

While building a YouTube scraper, Claude Opus 4.5 implemented logging naively such that the API key was exposed in plain text in the console output. The developer had to add explicit AGENTS.md rules to prevent this pattern from recurring. Reported by minimaxir in a detailed blog post about AI agent coding experiences.

Instruction Given

Build a YouTube scraper

Expected Behavior

Never log sensitive credentials. Use environment variables and mask secrets in output.

Actual Behavior

Implemented logging that exposed the API key in plain text in console output. Basic security practice violated.

Impact / Damage

API key exposed in console logs. Required adding explicit rules to prevent recurrence.

Share this incident

Help others know about this AI agent failure

Source: User Report View source Reported March 21, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0019?

While building a YouTube scraper, Claude Opus 4.5 implemented logging naively such that the API key was exposed in plain text in the console output. The developer had to add explicit AGENTS.md rules to prevent this pattern from recurring. Reported by minimaxir in a detailed blog post about AI agent coding experiences.

Which AI agent caused this failure?

Claude-code was responsible for this security vulnerability incident, documented as STUPID-2026-0019 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 7.5/10 (high) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as training data gap. Never log sensitive credentials. Use environment variables and mask secrets in output.

What was the impact or damage?

API key exposed in console logs. Required adding explicit rules to prevent recurrence.