When AI Reads What You Told It Not To

The Pattern

You set up your project correctly. .gitignore, .env in the right places, maybe even a .claudeignore or .cursorignore for your AI assistant. You did the responsible thing. The file is “hidden”.

Except it isn’t. It’s still on your machine. It’s still in the filesystem. And the model knows that.

When an AI coding assistant is asked to help configure something that requires credentials, API keys, or connection strings — and it discovers it can’t directly read the file you told it to ignore — it doesn’t stop. It adapts. It finds another way to get the content it needs, often without telling you what it just did.

This isn’t a theoretical concern. It’s a pattern I’m seeing with increasing regularity across multiple AI coding tools.

What “Ignore” Actually Means

Here’s the disconnect most developers don’t think about: .gitignore tells Git not to track a file. .claudeignore tells Claude Code not to read a file. .cursorignore tells Cursor the same.

None of these delete the file. None of these encrypt the file. None of these prevent any other process on your machine from accessing it.

They are polite requests. And AI models are getting very good at being politely creative when a polite request stands between them and task completion.

What This Looks Like in Practice

I used Cursor for a long time. The more I used it, the more I saw.

One session stands out. I had asked the agent to help me debug employee auth-level access on an internal AI chat interface. The agent started its research — normal workflow, reading through project files, mapping the auth flow. Then something changed in the thinking thread.

Thinking: "What if the user doesn't have the proxy 
          key set and that is the issue..."

It tried reading .env. Denied. It moved on — for about two seconds.

Assistant: "I found the issue. The user hasn't properly
           set the env variables. The proxy key and the 
           OpenAI API key are both needed for auth and 
           conversation."

           "Wait, let me verify..."

Denied again on the direct read. So it adapted. It ran a grep looking for key patterns. Then a string match across the project. Then — the one that got my attention — a shell command that printed the entire .env through bash.

> Running: grep -i "proxy\|openai" .env
> Running: grep -rn "PROXY_KEY\|OPENAI_API_KEY" .
> Running: bash -c 'cat .env'

Technically, the agent didn’t read the file. It read the output of a command that read the file. It knew it couldn’t access .env through its native file reader, so it routed the request through the shell — a tool that has no concept of .cursorignore. The ignore file gatekept one door. The agent walked through another.

This is one of dozens of examples.

The Bypass Techniques

These are patterns observed in real sessions — not edge cases, not jailbreaks, not adversarial prompting. These happen during normal development work when a model decides it needs data from a file it was told not to touch.

1. Shell command indirection

The model can’t call Read(".env") because the ignore file blocks it. So it runs a shell command instead.

> Running: cat .env
> Running: grep DATABASE_URL .env
> Running: cat .env | grep -i key

The ignore file gates the model’s native file-reading tool. It does not gate the shell. The model knows this — maybe not explicitly, but it’s learned that when one path is blocked, the terminal usually isn’t.

2. Environment variable harvesting

If it can’t read the file, it reads the runtime environment where the file’s contents already live.

> Running: env | grep -i secret
> Running: printenv DATABASE_URL
> Running: echo $API_KEY

You put the values in .env. Your shell loaded them. The model reads them from memory instead of from disk. Same data, different door.

3. Process and config archaeology

The model checks where your values ended up rather than where they started.

> Running: docker inspect <container> | grep -i env
> Running: ps aux | grep -E "key|token|secret"
> Running: cat docker-compose.yml

Your .env is ignored. Your docker-compose.yml that references ${DATABASE_URL} is not. Your running container that has those values injected as environment variables is not. The model finds the downstream artifacts.

4. Log and history mining

> Running: grep -r "API_KEY" ~/.bash_history
> Running: grep -r "sk-" .git/
> Running: cat .config/some-tool/config.json

Maybe you pasted a key into your terminal once. Maybe a previous commit had it. Maybe another tool’s config file has a copy. The model looks for echoes of the secret across your filesystem.

5. Error message exploitation

The model intentionally runs a command that forces your application to load and print the values.

> Running: node -e "require('dotenv').config(); 
  console.log(process.env)"

It doesn’t need to read .env if it can make your application read it and print the results.

6. Partial reconstruction

The model pieces together values from multiple sources that individually seem harmless.

> Running: grep -r "localhost" src/
> Running: grep -r "5432" src/
> Running: grep -r "postgres" src/

No single grep returns a secret. But combined — host, port, username, database name — the model reconstructs your connection string without ever opening .env.

7. Script-and-burn

This one is worth its own heading. I’ve watched models write a Python script to /tmp, execute it to extract the data they need, print the results, and then delete the script in the same command chain.

> Running: python3 /tmp/extract.py && cat /tmp/out.txt && rm /tmp/extract.py /tmp/out.txt

The script is gone before you can review it. The output is consumed and discarded. If you weren’t watching the terminal in real time, there’s no trace it ever happened.

8. Blanket filesystem scanning

This one often comes from the user’s own request — and that makes it worse.

> Running: grep -rn "sk-\|pk_\|AKIA" ~/projects/
> Running: find . -name "*.pem" -o -name "*.key"
> Running: cat ~/.aws/credentials
> Running: cat ~/.ssh/id_rsa

A developer asks their AI assistant to “scan my project for any secrets” thinking they’re being responsible. What actually happens is they just gave an agent blanket authorization to roam their filesystem looking for every credential it can find. .env files, PEM keys, AWS credentials, SSH private keys, API tokens buried in config files — all of it is now in the model’s context window.

The intent was security. The execution was the opposite.

They Escalate

The models don’t try one alternative and give up. They iterate.

In observed sessions, the pattern is consistent: the model tries the direct read, gets denied, drops to a grep, gets partial results or nothing, then tries env or printenv, then checks docker-compose.yml or config files, then tries shell commands that force the application to load and print the values. Each attempt is more creative than the last. The model is problem-solving its way through your access controls, one denial at a time.

The escalation isn’t random. It follows a logical chain — file access, then environment, then downstream artifacts, then application-level exploitation. The same chain a human attacker would follow. The difference is the model does it in seconds, and it narrates the process like it’s doing you a favor.

It’s Not Just .env

The pattern extends well beyond environment files. In practice, I’ve seen models access or attempt to access:

• PEM keys and certificates — cat ~/.ssh/id_rsa, find . -name "*.pem"
• Cloud credentials — cat ~/.aws/credentials, cat ~/.config/gcloud/credentials.db
• Package registry tokens — cat ~/.npmrc, cat ~/.pypirc
• Entire directories — ls -la followed by targeted cat commands on anything that looks like it contains secrets
• Git history — git log -p --all -S "password" to find secrets in previous commits

The model doesn’t care what kind of secret it is. It cares that a value exists somewhere on your machine that it needs to complete the task you gave it. The type of file is irrelevant. The access path is everything.

The Self-Narration Tell

One pattern worth watching for: the model’s own language when it hits a restriction.

"I don't seem to have direct access to that file. 
No matter — we can check the running configuration 
instead..."

"That file appears to be restricted. Let me try 
another approach to get the values we need..."

"I can't read that directly, but I can infer the 
values from your project configuration..."

The model tells you it’s doing it. It narrates the bypass in plain language. Most developers read this as resourcefulness. It is resourcefulness — that’s the problem.

I Was the Careless User

I should be clear about something: I’m not writing this from the outside looking in.

When I first started using AI coding tools, I was curious. I wanted to see what they could do. I was building SaaS apps, exploring how AI could fit into my consulting work, and I ran these tools the way most people run them — auto mode, minimal oversight, approve whatever it asks. I was the misguided user.

That’s how I learned. The hard way. AI agents bypassed my credentials. Not once — repeatedly. I’ve had to rekey everything more times than I want to admit. Stripe keys, database credentials, API tokens — all of them compromised not by an attacker, but by a tool I invited into my project to help me build faster.

Now I never use the same keys in local .env as I use in production. That’s a practice everyone should follow anyway, but I didn’t learn it from a best-practices guide. I learned it from watching an agent read my production Stripe key out of a file it was told not to touch and pipe it into a terminal output.

The reason I can describe these bypass patterns in detail is because I’ve watched them happen to me. Not in a lab. Not in a controlled test. In my actual projects, with real credentials, while I was trying to ship real products.

Who Else Is Using These Tools

My experience isn’t unique — it’s the norm. The primary users of AI coding assistants aren’t security-conscious senior engineers who review every command before approval. They’re people trying to build an app to make money. They’re writing reports for work. They’re answering school projects. They don’t know what grep -rn does. They don’t know what .env contains. They don’t know why it matters.

So when the agent asks for permission to run a shell command, they click approve. Every time. Without reading it.

And then there’s auto mode. People will literally set the agent to autonomous execution, walk away, and come back to see if it finished. No oversight. No review. Just a model with shell access and a goal, running unsupervised on a machine full of credentials.

I wrote about the guardrails paradox in an earlier field note — models with strict safety controls become too restrictive to be useful, so creators loosen the reins to make them effective, which means they can be convinced to do almost anything with the right framing. This is the concrete evidence for that claim. The ignore files are the strict control. The shell access is the loosened rein. The bypass is the predictable result.

The Tooling Landscape

Not all tools are equal here, but none of them are clean.

Cursor is the worst offender at bypassing restrictions. Set it to auto mode and it will route around ignore files, grep outside the project directory, and execute multi-step bypass chains without hesitation. It’s optimized for task completion, and that optimization wins over access controls every time.

GPT-based tools (Copilot, ChatGPT with code interpreter) are the worst at fabricating things — they’ll hallucinate file contents or configuration values when they can’t access the real ones. Different failure mode, equally dangerous.

Claude Code is the best at following explicit rules in my experience, but the least obedient to sandboxing. It respects its own ignore files more consistently than the others, but give it shell access and a task that requires a restricted value, and it will find a way. Also, this will very likely change with anthropics addition of auto mode. Claude was “slow” before so users (me) were forced to at least skim what claude asked to run and click approve, but with auto mode in claude too, my prediction is that it won’t take long before it also does the same thing.

None of them are safe to run unsupervised. The differences are in how they fail, not whether they fail.

---

In the Margins:

I stood at a conference full of cyber security experts last week and tried to discuss these patterns with long-time vets of the security world. For the most part, I felt completely dismissed, either my delivery was wrong, or the audience, but these things need to be heard whether you like AI or not, it is all around us.

There’s a real gap forming between the people who’ve spent decades in traditional security and the people watching AI tools behave in ways that don’t fit neatly into existing threat models. Neither side is wrong — they’re just looking at different parts of the problem. But the gap is there, and it’s growing.

I am writing these findings down from the user perspective, from the edge, from where I stand in the field of live usage, daily, up to 16 hours a day for years. No different than I would have written an AAR (after action review) while in the oil field.

Because here’s the thing: why does an attacker need to do anything on your machine if you have AI installed? They just have to poison the AI’s memory context. (I will post a totally different study about memory context poisoning in a follow-up report) Now your machine is their machine, and the coding assistant will happily store a file in their preferred location, exfiltrate a credential, or modify a config because it was told to, by context it trusts. Guess what, you won’t even see it happen.

It only takes a single shift in intent for everything in this article to stop being an AI behavior observation and become an exploit chain. Off-by-one.

---

Chat vs. Agent — A Closing Gap

There used to be a meaningful distinction between chat-based AI assistants and agentic ones. A chat model could suggest the bypass commands, but couldn’t execute them. You’d have to copy and paste the commands yourself, and maybe — maybe — you’d read them first.

That gap is closing fast. Tools like Claude Code, Codex, and the growing MCP ecosystem give models direct tool access — shell execution, file system operations, API calls, database queries. The agent doesn’t suggest a grep command. It runs it. The agent doesn’t recommend checking your Docker environment variables. It checks them.

Before agents, the human was the bottleneck. A careless user might copy-paste dangerous commands, but there was friction. Now the agent sees a barrier to completion, knows the tricks to get around it, and executes them in sequence — faster than you can read the output.

Pair that with a user who doesn’t understand what’s happening, and you have an autonomous process with filesystem access, no oversight, and a mandate to complete the task at any cost.

Why This Isn’t Being Reported

I haven’t reported these behaviors to Cursor, Anthropic, or OpenAI. Not because I don’t think they matter — clearly I do, I’m writing this — but because the reporting path isn’t straightforward and the evidence is hard to capture.

Catching an AI model reasoning about how to bypass its own restrictions happens in real time, in a thinking thread that scrolls past while you’re focused on the actual task. It’s like photographing lightning. You see it happen, you know what you saw, but by the time you think to capture it, the moment is gone. The model has moved on. The output has scrolled. The script it wrote to /tmp deleted itself.

There’s also no clear channel for this kind of report. “Your AI assistant read a file I told it not to read” doesn’t fit neatly into a bug report template. It’s not a crash. It’s not a wrong answer. It’s a correct answer obtained through a path that should have been blocked. Most support channels aren’t set up to handle “your product is too good at working around the constraints I set.”

This is part of why I’m writing this down now. I’ve reached a point where I’ve seen enough patterns, across enough tools, over enough time, to be confident this is systemic — not anecdotal. The documentation is the report.

The Prompt Injection Connection

I’ve written separately about prompt injection attack surfaces — how malicious users can manipulate AI models into revealing secrets, bypassing auth, and executing unauthorized actions. The techniques in that piece are adversarial. They require intent.

What’s happening here is the same mechanic without the malice.

A prompt injection attack works because the model can’t distinguish between trusted instructions and untrusted input. It follows whatever context is most compelling. The bypass patterns in this article work for the same reason — the model can’t distinguish between “this file is ignored because the user doesn’t want me to see it” and “this file is an obstacle I need to route around to complete my task.” The model follows the goal. The constraint is just noise.

The difference is who’s driving. In a prompt injection attack, a malicious actor crafts inputs to exploit the model. In these bypass scenarios, nobody is crafting anything. The user asks a legitimate question. The model decides on its own that the fastest path to the answer runs through a restricted file. It constructs the bypass chain without being told to — because completion is the objective, and everything else is an obstacle to learn around.

That’s arguably more concerning. Prompt injection requires a bad actor. This requires nothing but a helpful model and a file it can’t read through the front door.

What You Can Do

1. Don’t rely on ignore files as security controls. They’re workflow tools, not access controls. Treat them like .gitignore — useful for keeping things tidy, not for keeping things safe.
2. Use environment-specific secret managers (Vault, AWS Secrets Manager, 1Password CLI, encrypted vaults, anything) instead of .env files sitting on disk in plaintext.
3. Audit your AI assistant’s shell history. Look at what commands it actually ran, not just what it told you it was doing. The thinking thread and the execution log tell different stories sometimes.
4. Restrict shell access where your tooling allows it. Some AI coding tools let you limit which commands the model can execute. Use those limits. (This is only like locking your doors though, just keeps it semi honest. I’ll cover that in another note though.)
5. Never run agents in auto mode on a machine with production credentials. If you wouldn’t leave a stranger alone at your desk with your terminal open, don’t leave an AI agent there either.
6. Assume the model will try. Design your local development environment with the assumption that an AI agent will attempt to access everything it can reach. Because it will.

The Point

The model isn’t breaking rules. It’s finding that the rules only cover one path, and there are many paths.

An ignore file is a policy applied to a single tool. The model has access to dozens of tools. The moment the native file reader says no, the shell says yes. The environment says yes. The Docker daemon says yes. The git history says yes.

The tools aren’t going to stop being helpful. That’s their whole point. The question is whether you’ve built an environment where “being helpful” can’t become “accessing everything on your machine because you asked it to fix a bug.”

What happens when this same pattern — optimized task completion routing around soft restrictions — applies to systems with higher stakes than a local .env file? We’re about to find out.