What files should you never paste into ChatGPT or Claude?
Pasting files into an AI tool can feel harmless. You are just trying to summarize a document, debug a config, or get help with a messy export.
The risky part is that files are rarely as clean as they look. A README can mention a private endpoint. A log can contain a bearer token. A spreadsheet can include customer email addresses. A config file can hold credentials you forgot were there.
Before you paste anything into ChatGPT, Claude, Gemini, a coding agent, or an internal AI tool, treat the file like something you are about to email outside your company. If that thought makes you hesitate, review it first.
The short rule
Never paste a file into an AI tool until you know what is inside it.
If the file contains secrets, private customer data, legal material, unreleased business information, or internal system details, redact it or leave it out.
That does not mean you can never use AI with real work. It means the context needs to be prepared intentionally instead of dumped raw.
1. Environment files and configs
Files like .env, .env.local, config.yml, settings.py, and deployment manifests are some of the riskiest files to paste raw.
They often contain:
- API keys.
- Database URLs.
- Private hostnames.
- OAuth secrets.
- Webhook signing secrets.
- Cloud provider credentials.
If you need AI help with a config, replace real values with placeholders first.
DATABASE_URL=[REDACTED] STRIPE_SECRET_KEY=[REDACTED] INTERNAL_API_HOST=[REDACTED]
The model usually needs the structure, not the real secret value.
2. API keys, tokens, and private keys
Do not paste raw API credentials into an AI tool. This includes obvious secrets and less obvious authentication material:
- Bearer tokens.
- JWTs.
- GitHub tokens.
- Stripe keys.
- OpenAI, Anthropic, or other model-provider keys.
- AWS access keys.
- Private SSH keys.
- Private certificate keys.
A good rule: if the value proves identity, grants access, signs requests, decrypts data, or lets someone spend money, it should not be pasted.
3. Customer data and personal information
Spreadsheets, support exports, CRM dumps, invoices, and analytics CSVs often contain personal data even when the task sounds harmless.
Watch for:
- Names and email addresses.
- Phone numbers.
- Addresses.
- Account IDs tied to real users.
- Payment or invoice details.
- Support conversations.
- Medical, legal, financial, or employment-related notes.
If the model only needs patterns, remove direct identifiers. Replace names with roles, emails with placeholders, and exact account IDs with stable fake IDs.
4. Contracts, legal documents, and financial files
AI tools are useful for summarizing dense documents, but contracts and financial files deserve extra caution.
Be careful with:
- Unsigned agreements.
- Customer contracts.
- Vendor terms.
- Acquisition or fundraising documents.
- Payroll exports.
- Tax files.
- Bank statements.
- Forecasts and board materials.
For many use cases, you can paste only the clause or section you need help understanding. Keep names, amounts, dates, and parties out unless they are essential to the task.
5. Logs and error reports
Logs look technical, so people often treat them as safe. They are not always safe.
Application logs can contain:
- Session IDs.
- Request headers.
- Authorization values.
- IP addresses.
- User emails.
- Internal URLs.
- Stack traces that reveal infrastructure.
Before pasting logs, search for terms like authorization, token, cookie, password, secret, apikey, email, and session.
6. Source code from private projects
Private source code is not automatically unsafe to use with AI, but it should be prepared. A whole repository can contain far more than the files relevant to your question.
Avoid blindly pasting:
- Generated files.
- Build outputs.
- Dependency folders.
- Private business logic unrelated to the task.
- License keys or paid SDK credentials.
- Test fixtures with real customer data.
For coding help, a smaller, labeled context pack is usually better than a giant raw paste. Include the files that explain the bug or feature and leave unrelated material out.
7. Raw exports from databases, analytics, and support tools
Exports are dangerous because they combine scale with low visibility. One CSV can contain thousands of rows of data you would never paste manually.
Before sharing an export with AI, ask:
- Does this include direct identifiers?
- Does the task need every row?
- Can I aggregate the data first?
- Can I sample or anonymize the rows?
- Can I remove columns that are irrelevant?
For many analysis tasks, totals, categories, anonymized rows, or a small representative sample are enough.
A practical checklist before using AI
Use this quick review before you paste or upload files:
| Check | What to do |
|---|---|
| Secrets | Remove API keys, tokens, passwords, private keys, and database URLs. |
| People | Remove names, emails, phone numbers, addresses, and account identifiers unless truly needed. |
| Business | Remove unreleased plans, pricing, contracts, payroll, forecasts, and negotiation details. |
| Infrastructure | Redact internal hosts, private endpoints, request headers, and stack traces that reveal too much. |
| Relevance | Exclude files, rows, columns, or sections that do not help answer the question. |
How MarkDone helps
MarkDone's AI Context Builder is designed for this preparation step. It lets you drop PDFs, DOCX files, Markdown, JSON, YAML, CSV, and text files into your browser, then builds one structured context.md file.
It also helps you review the handoff before you paste it into an AI tool:
- Files are processed locally in the browser.
- Source boundaries stay visible.
- Common secrets are detected.
- Redaction can be enabled before export.
- Token count is estimated before you copy.
- Files can be left out if they are not relevant.
Open AI Context Builder
What is safe to paste?
Safe depends on your situation, but these are usually better candidates:
- Public documentation.
- Open-source code.
- Redacted configs.
- Anonymized examples.
- Small excerpts from a larger document.
- Synthetic sample data.
- Summaries you wrote yourself.
The strongest workflow is not "never use AI." It is "prepare the context first."
Final takeaway
AI tools are useful because they can reason over messy material. That does not mean you should give them messy material raw.
Review the files, remove secrets, redact personal data, cut irrelevant sections, and keep source boundaries clear. The result is safer for you and easier for the model to use.
For a broader look at file privacy, read what really happens when you upload a file. For a full context workflow, see how to build an LLM context pack from local files.