diff --git a/packages/opencode/src/tool/read.ts b/packages/opencode/src/tool/read.ts
index 4d8e15bf..fc33463a 100644
--- a/packages/opencode/src/tool/read.ts
+++ b/packages/opencode/src/tool/read.ts
@@ -11,6 +11,7 @@ import { Provider } from "../provider/provider"
 import { Identifier } from "../id/id"
 import { Permission } from "../permission"
 import { Agent } from "@/agent/agent"
+import { iife } from "@/util/iife"
 
 const DEFAULT_READ_LIMIT = 2000
 const MAX_LINE_LENGTH = 2000
@@ -48,6 +49,19 @@ export const ReadTool = Tool.define("read", {
       }
     }
 
+    const block = (() => {
+      const whitelist = [".env.example", ".env.sample"]
+
+      if (whitelist.some((w) => filepath.endsWith(w))) return false
+      if (filepath.includes(".env")) return true
+
+      return false
+    })()
+
+    if (block) {
+      throw new Error(`The user has blocked you from reading ${filepath}, DO NOT make further attempts to read it`)
+    }
+
     const file = Bun.file(filepath)
     if (!(await file.exists())) {
       const dir = path.dirname(filepath)