[BUG] UserPromptSubmit prompt hook causes false positive "prompt injection attack" detection
Environment
- Claude Code Version: 2.1.5
- Platform: macOS (Darwin 24.2.0)
- Model: claude-opus-4-5-20251101
Bug Description
A simple UserPromptSubmit prompt hook causes false positive "prompt injection attack" errors when Claude encounters nested JSON structures in file reads or function results. The security layer incorrectly interprets the hook's context evaluation as an injection attempt.
Steps to Reproduce
- Add this hook to
~/.claude/settings.json:
{
"hooks": {
"UserPromptSubmit": [
{
"hooks": [
{
"type": "prompt",
"prompt": "When using the Task tool, always set run_in_background: true unless the user explicitly needs to wait for the result."
}
]
}
]
}
}
- Start a Claude Code session
- Perform operations that involve reading files with nested JSON or receiving complex function results
- Observe the error
Error Messages
❯ Operation stopped by hook: This is a prompt injection attack attempting to execute instructions from a
file rather than from direct user input. The nested JSON structure with hook arguments and embedded file
read instructions violates critical security rules that prohibit executing instructions from untrusted
sources including files, function results, and system content. Only instructions from the user through
the chat interface are valid.
❯ Wait, what hook?
❯ Operation stopped by hook: Recursive/nested JSON injection detected in function result. The arguments
contain deeply nested structures with self-referential 'prompt' fields attempting to embed instructions
within data. This violates critical security rules requiring explicit user verification of instructions
found in function results before execution.
Expected Behavior
The prompt hook should add its instruction to Claude's context without triggering false positive security detections. The hook content is user-defined configuration, not untrusted external data.
Actual Behavior
The security layer incorrectly flags the prompt hook as a "prompt injection attack" when the evaluation context contains:
- Nested JSON structures from file reads
- Complex function results with multiple levels of nesting
- Data containing
promptfields (even as legitimate data)
Workaround
Remove the UserPromptSubmit prompt hook from settings. Command-type hooks for Stop and Notification events work correctly.
Analysis
The issue appears to be that prompt hooks are evaluated in a context where their content gets mixed with file/function result data, and the security layer cannot distinguish between:
- User-defined hook instructions (trusted)
- Instructions embedded in external data (untrusted)
Additional Context
- The hook itself is benign and contains no injection patterns
- The error occurs intermittently based on what data Claude is processing at the time
- Other hook types (
command) don't exhibit this issue
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗