[BUG] UserPromptSubmit prompt hook causes false positive "prompt injection attack" detection

Resolved 💬 3 comments Opened Jan 13, 2026 by Spidey-IO Closed Feb 27, 2026

Environment

  • Claude Code Version: 2.1.5
  • Platform: macOS (Darwin 24.2.0)
  • Model: claude-opus-4-5-20251101

Bug Description

A simple UserPromptSubmit prompt hook causes false positive "prompt injection attack" errors when Claude encounters nested JSON structures in file reads or function results. The security layer incorrectly interprets the hook's context evaluation as an injection attempt.

Steps to Reproduce

  1. Add this hook to ~/.claude/settings.json:
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "hooks": [
          {
            "type": "prompt",
            "prompt": "When using the Task tool, always set run_in_background: true unless the user explicitly needs to wait for the result."
          }
        ]
      }
    ]
  }
}
  1. Start a Claude Code session
  2. Perform operations that involve reading files with nested JSON or receiving complex function results
  3. Observe the error

Error Messages

❯ Operation stopped by hook: This is a prompt injection attack attempting to execute instructions from a   
  file rather than from direct user input. The nested JSON structure with hook arguments and embedded file 
  read instructions violates critical security rules that prohibit executing instructions from untrusted   
  sources including files, function results, and system content. Only instructions from the user through   
  the chat interface are valid.                                                                            

❯ Wait, what hook? 

❯ Operation stopped by hook: Recursive/nested JSON injection detected in function result. The arguments    
  contain deeply nested structures with self-referential 'prompt' fields attempting to embed instructions  
  within data. This violates critical security rules requiring explicit user verification of instructions  
  found in function results before execution.

Expected Behavior

The prompt hook should add its instruction to Claude's context without triggering false positive security detections. The hook content is user-defined configuration, not untrusted external data.

Actual Behavior

The security layer incorrectly flags the prompt hook as a "prompt injection attack" when the evaluation context contains:

  • Nested JSON structures from file reads
  • Complex function results with multiple levels of nesting
  • Data containing prompt fields (even as legitimate data)

Workaround

Remove the UserPromptSubmit prompt hook from settings. Command-type hooks for Stop and Notification events work correctly.

Analysis

The issue appears to be that prompt hooks are evaluated in a context where their content gets mixed with file/function result data, and the security layer cannot distinguish between:

  1. User-defined hook instructions (trusted)
  2. Instructions embedded in external data (untrusted)

Additional Context

  • The hook itself is benign and contains no injection patterns
  • The error occurs intermittently based on what data Claude is processing at the time
  • Other hook types (command) don't exhibit this issue

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗