E2001. Credential leak detected in tool output
Severity: ERROR. Class:
CredentialLeakBlocked(subclass ofRuntimeError).
What happened
The credential leak handler scanned an agent tool output (stdout,
stderr, file-read body, or grep match) and found one or more
high-confidence credential matches. The configured action was
block, so the SDK raised CredentialLeakBlocked rather than
letting the credential reach the agent's prompt or downstream log.
The audit rows are written before the exception is raised, so the operator dashboard always sees the detection event.
How to fix
Rotate the leaked credential immediately, then either allowlist
the pattern_id for this org (if the match is a known false
positive) or set the per-org override to redact so future
matches mask the value in-place rather than aborting the call.