start_review response leaks raw PII into Claude's context before HITL approval #2

@seanwedig

Description

Summary

The start_review MCP tool response includes a field called original_text that contains the fully unredacted source document text, with all PII in the clear. It also contains entities and other unredacted content from the original document. This text is returned as part of the tool result and therefore enters Claude's context window before the user has had any opportunity to review or approve the anonymization, defeating the primary goal of PII redaction.


Reproduction Steps

Use the attached demo file: pii-leak-demo-contract.txt - a short fake contract between John Doe of ACME, Inc. and Alice Bob of Fake, LLC, containing names, emails, phone numbers, and addresses.

  1. Open Claude Desktop (Cowork mode). Invoke the skill:

    /pii-contract-analyze pii-leak-demo-contract.pdf
    
  2. Type go / continue when prompted.

  3. Claude calls list_entities (NER warm-up), then anonymize_file (both are fine)

  4. Claude calls start_review(session_id: "<id>") and shows the HITL iframe. Do not approve it.

  5. In the Claude Desktop app, expand the PII Shield v2 --> start_review tool call response.
    You will see the following fields in the raw JSON:
    - entities - placeholders paired with PII
    - original_text - the full unredacted document with all PII
    - html_text - also includes the unredacted name in the last paragraph (depends on doc content)

  6. Ask Claude, without asking it to read any file:

    Who are the parties to this contract? Do not read any file - only use what you already have in context.

    Claude will correctly name John Doe / ACME, Inc. and Alice Bob / Fake, LLC from the original_text it received in step 4, before HITL approval was ever clicked.


Expected Behavior

PII is never leaked into Claude context.


Actual Behavior

start_review returns entities with unredacted PII and original_text in full. Example from a real session:

Example `start_review` JSON response:

```json
{
  "status": "review_ready",
  "version": "2.0.2",
  "sessions": [
    {
      "session_id": "2026-05-11_173421_f7ea",
      "doc_id": "mp1pz23r-c33fa9",
      "entities": [
        {
          "text": "John Doe",
          "type": "PERSON",
          "start": 139,
          "end": 147,
          "score": 0.8,
          "placeholder": "<PERSON_1>"
        },
        {
          "text": "ACME, Inc",
          "type": "ORGANIZATION",
          "start": 183,
          "end": 192,
          "score": 0.7,
          "placeholder": "<ORG_1>"
        },
        {
          "text": "123 Main Street, Springfield, IL 62701",
          "type": "LOCATION",
          "start": 258,
          "end": 296,
          "score": 0.65,
          "placeholder": "<LOCATION_1>"
        },
        {
          "text": "john.doe@acme.com",
          "type": "EMAIL_ADDRESS",
          "start": 305,
          "end": 322,
          "score": 1,
          "placeholder": "<EMAIL_1>"
        },
        {
          "text": "555-867-5309",
          "type": "PHONE_NUMBER",
          "start": 331,
          "end": 343,
          "score": 0.9,
          "placeholder": "<PHONE_1>"
        },
        {
          "text": "Alice Bob",
          "type": "PERSON",
          "start": 356,
          "end": 365,
          "score": 0.8,
          "placeholder": "<PERSON_2>"
        },
        {
          "text": "Fake, LLC",
          "type": "ORGANIZATION",
          "start": 401,
          "end": 410,
          "score": 0.7,
          "placeholder": "<ORG_2>"
        },
        {
          "text": "456 Elm Avenue, Los Angeles,\nCA 90001",
          "type": "LOCATION",
          "start": 491,
          "end": 528,
          "score": 0.65,
          "placeholder": "<LOCATION_2>"
        },
        {
          "text": "alice.bob@fake.llc",
          "type": "EMAIL_ADDRESS",
          "start": 537,
          "end": 555,
          "score": 1,
          "placeholder": "<EMAIL_2>"
        },
        {
          "text": "555-212-1234",
          "type": "PHONE_NUMBER",
          "start": 564,
          "end": 576,
          "score": 0.9,
          "placeholder": "<PHONE_2>"
        },
        {
          "text": "SERVICES ACME, Inc",
          "type": "ORGANIZATION",
          "start": 584,
          "end": 603,
          "score": 0.7,
          "placeholder": "<ORG_1a>"
        },
        {
          "text": "Fake, LLC as",
          "type": "ORGANIZATION",
          "start": 655,
          "end": 667,
          "score": 0.35,
          "placeholder": "<ORG_2a>"
        },
        {
          "text": "John Doe",
          "type": "PERSON",
          "start": 692,
          "end": 700,
          "score": 0.8,
          "placeholder": "<PERSON_1>"
        },
        {
          "text": "ACME, Inc",
          "type": "ORGANIZATION",
          "start": 749,
          "end": 758,
          "score": 0.35,
          "placeholder": "<ORG_1>"
        },
        {
          "text": "Alice Bob",
          "type": "PERSON",
          "start": 765,
          "end": 774,
          "score": 0.8,
          "placeholder": "<PERSON_2>"
        },
        {
          "text": "Fake, LLC",
          "type": "ORGANIZATION",
          "start": 823,
          "end": 832,
          "score": 0.35,
          "placeholder": "<ORG_2>"
        },
        {
          "text": "ACME, Inc",
          "type": "ORGANIZATION",
          "start": 868,
          "end": 877,
          "score": 0.35,
          "placeholder": "<ORG_1>"
        },
        {
          "text": "John Doe",
          "type": "PERSON",
          "start": 1032,
          "end": 1040,
          "score": 0.8,
          "placeholder": "<PERSON_1>"
        },
        {
          "text": "ACME, Inc",
          "type": "ORGANIZATION",
          "start": 1698,
          "end": 1707,
          "score": 0.35,
          "placeholder": "<ORG_1>"
        },
        {
          "text": "John Doe",
          "type": "PERSON",
          "start": 1713,
          "end": 1721,
          "score": 0.8,
          "placeholder": "<PERSON_1>"
        },
        {
          "text": "CEO Fake, LLC",
          "type": "ORGANIZATION",
          "start": 1729,
          "end": 1743,
          "score": 0.35,
          "placeholder": "<ORG_2b>"
        },
        {
          "text": "Alice Bob",
          "type": "PERSON",
          "start": 1748,
          "end": 1757,
          "score": 0.8,
          "placeholder": "<PERSON_2>"
        }
      ],
      "original_text": "CONFIDENTIAL SERVICE AGREEMENT\n\nThis Service Agreement (the \"Agreement\") is entered into as of January 15, 2025, by and between:\n\nParty A: John Doe, an individual acting on behalf of ACME, Inc., a Delaware corporation\nwith its principal place of business at 123 Main Street, Springfield, IL 62701\n(email: john.doe@acme.com; phone: 555-867-5309).\n\nParty B: Alice Bob, an individual acting on behalf of Fake, LLC, a California limited\nliability company with its principal place of business at 456 Elm Avenue, Los Angeles,\nCA 90001 (email: alice.bob@fake.llc; phone: 555-212-1234).\n\n\n1. SERVICES\n\nACME, Inc. agrees to provide software consulting services to Fake, LLC as described in\nExhibit A. John Doe shall serve as the primary point of contact for ACME, Inc., and\nAlice Bob shall serve as the primary point of contact for Fake, LLC.\n\n\n2. PAYMENT\n\nFake, LLC shall pay ACME, Inc. a fixed fee of $10,000 USD per month, due on the first\nbusiness day of each calendar month. Payments shall be remitted to the bank account\ndesignated by John Doe in writing.\n\n\n3. TERM AND TERMINATION\n\nThis Agreement commences on January 15, 2025 and continues for twelve (12) months\nunless earlier terminated. Either party may terminate upon thirty (30) days' written\nnotice to the other.\n\n\n4. CONFIDENTIALITY\n\nEach party agrees to keep confidential all non-public information received from the\nother party. This obligation survives termination for a period of three (3) years.\n\n\n5. GOVERNING LAW\n\nThis Agreement shall be governed by the laws of the State of Delaware, without regard\nto its conflict-of-law principles.\n\n\nIN WITNESS WHEREOF, the parties have executed this Agreement as of the date first\nwritten above.\n\nACME, Inc.\nBy: John Doe\nTitle: CEO\n\nFake, LLC\nBy: Alice Bob\nTitle: Managing Member\n",
      "anonymized_text": "CONFIDENTIAL SERVICE AGREEMENT\n\nThis Service Agreement (the \"Agreement\") is entered into as of January 15, 2025, by and between:\n\nParty A: <PERSON_1>, an individual acting on behalf of <ORG_1>., a Delaware corporation\nwith its principal place of business at <LOCATION_1>\n(email: <EMAIL_1>; phone: <PHONE_1>).\n\nParty B: <PERSON_2>, an individual acting on behalf of <ORG_2>, a California limited\nliability company with its principal place of business at <LOCATION_2> (email: <EMAIL_2>; phone: <PHONE_2>).\n\n\n1. <ORG_1a>. agrees to provide software consulting services to <ORG_2a> described in\nExhibit A. <PERSON_1> shall serve as the primary point of contact for <ORG_1>., and\n<PERSON_2> shall serve as the primary point of contact for <ORG_2>.\n\n\n2. PAYMENT\n\nFake, LLC shall pay <ORG_1>. a fixed fee of $10,000 USD per month, due on the first\nbusiness day of each calendar month. Payments shall be remitted to the bank account\ndesignated by <PERSON_1> in writing.\n\n\n3. TERM AND TERMINATION\n\nThis Agreement commences on January 15, 2025 and continues for twelve (12) months\nunless earlier terminated. Either party may terminate upon thirty (30) days' written\nnotice to the other.\n\n\n4. CONFIDENTIALITY\n\nEach party agrees to keep confidential all non-public information received from the\nother party. This obligation survives termination for a period of three (3) years.\n\n\n5. GOVERNING LAW\n\nThis Agreement shall be governed by the laws of the State of Delaware, without regard\nto its conflict-of-law principles.\n\n\nIN WITNESS WHEREOF, the parties have executed this Agreement as of the date first\nwritten above.\n\n<ORG_1>.\nBy: <PERSON_1>\nTitle: <ORG_2b>\nBy: <PERSON_2>\nTitle: Managing Member\n",
      "html_text": "",
      "overrides": {
        "remove": [],
        "add": []
      },
      "approved": false,
      "source_filename": "pii-leak-demo-contract.txt"
    }
  ],
  "count": 1,
  "is_bulk": false
}
```
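As an added illustration of the server-side fix this issue asks for (this is example code, not code from the PII Shield project, and the function names are hypothetical): before a `start_review` result is serialized into the tool response, drop `original_text`, strip the matched `text` string from each entity so only placeholder/offset/type metadata crosses into the model's context, and scan the model-visible fields (`anonymized_text`, `html_text`) for any entity string that survived anonymization. Note that in the sample response above, `anonymized_text` still contains the literal "Fake, LLC" at the start of the PAYMENT clause, which is exactly the kind of residual leak the scan is meant to catch. The sample response below is constructed and shortened, modelled on the issue's JSON.

```python
"""Sanitise a start_review-style MCP tool result before it reaches the model.

Added example, not PII Shield project code. Assumes the response shape shown
in the issue: sessions[].entities[] with text/placeholder, plus
original_text / anonymized_text / html_text. All function names are hypothetical.
"""
import copy
import json

# Fields holding raw source text: must never be included in the tool result.
RAW_TEXT_KEYS = ("original_text",)
# Fields the model is allowed to see: must be checked for residual PII.
CHECKED_TEXT_KEYS = ("anonymized_text", "html_text")

# Constructed sample, modelled on the issue's response (shortened).
SAMPLE_RESPONSE = {
    "status": "review_ready",
    "sessions": [{
        "session_id": "constructed-session-id",
        "entities": [
            {"text": "John Doe", "type": "PERSON", "start": 9, "end": 17,
             "score": 0.8, "placeholder": "<PERSON_1>"},
            {"text": "Fake, LLC", "type": "ORGANIZATION", "start": 21, "end": 30,
             "score": 0.7, "placeholder": "<ORG_2>"},
        ],
        "original_text": "Party A: John Doe of Fake, LLC. Fake, LLC shall pay.",
        # The second mention was missed by the anonymizer, as in the issue's sample.
        "anonymized_text": "Party A: <PERSON_1> of <ORG_2>. Fake, LLC shall pay.",
        "html_text": "",
        "approved": False,
    }],
    "count": 1,
}


def strip_entity_pii(entity: dict) -> dict:
    """Keep offset/type/score/placeholder metadata, drop the matched PII string."""
    return {k: v for k, v in entity.items() if k != "text"}


def find_leaks(session: dict) -> list:
    """Return (field, placeholder) pairs for every raw entity string that
    still appears in a field the model will see."""
    leaks = []
    for ent in session.get("entities", []):
        raw = ent.get("text", "")
        if not raw:
            continue
        for key in CHECKED_TEXT_KEYS:
            if raw in (session.get(key) or ""):
                leaks.append((key, ent["placeholder"]))
    return leaks


def sanitize_review_response(resp: dict) -> dict:
    """Return a deep copy of the response that is safe to emit as the tool
    result: raw text removed, residual entity strings replaced by their
    placeholders, entity PII strings dropped. The input is not mutated."""
    out = copy.deepcopy(resp)
    for sess in out.get("sessions", []):
        for key in RAW_TEXT_KEYS:
            sess.pop(key, None)
        leaks = find_leaks(sess)
        if leaks:
            # Replace any surviving raw string with its placeholder rather than
            # shipping partially anonymized text to the model.
            for key in CHECKED_TEXT_KEYS:
                if not sess.get(key):
                    continue
                for ent in sess.get("entities", []):
                    raw = ent.get("text", "")
                    if raw:
                        sess[key] = sess[key].replace(raw, ent["placeholder"])
        # Only now drop the PII strings, once they are no longer needed for the scan.
        sess["entities"] = [strip_entity_pii(e) for e in sess.get("entities", [])]
        sess["residual_leaks_fixed"] = len(leaks)
    return out


if __name__ == "__main__":
    print("leaks before:", find_leaks(SAMPLE_RESPONSE["sessions"][0]))
    print(json.dumps(sanitize_review_response(SAMPLE_RESPONSE), indent=2))
```

The review UI (the HITL iframe) still needs the raw strings to let the user confirm or override each detection, so the unsanitized session should stay in server-side state keyed by `session_id` and be rendered only into the iframe, never into the MCP tool result; the `residual_leaks_fixed` counter is a cheap signal to log so that an anonymizer miss like the one in the sample is visible to the operator rather than silently patched over.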
