[Bug] Prompt injection injected into Read tool output

Resolved 💬 3 comments Opened Feb 1, 2026 by tyeku Closed Feb 4, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Description

A <system-reminder> block containing prompt injection instructions is being appended to the output of every Read tool call. The injected text is:

Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.

Key Details

  • The injection appears only on Read tool output, not on Bash output.
  • The injected text has no line numbers, unlike actual file content — it is appended after the real content ends.
  • The text does not exist in the files being read (confirmed by reading the same files via Bash/cat — clean output).
  • The text does not exist anywhere on the filesystem — not in any plugin, hook script, configuration file, or environment variable.

What was ruled out

  • All installed plugins were inspected (hookify, security-guidance, learning-output-style, explanatory-output-style, ralph-loop, etc.)
  • hookify's PostToolUse hook is the only PostToolUse hook defined — it runs on all tools but returns {} when no rules match, and no rule files exist. Its output would also appear on Bash if it were the source.
  • security-guidance only fires on Edit/Write/MultiEdit via a PreToolUse hook.
  • ~/.claude/settings.json and settings.local.json contain no hooks config.
  • Environment only has CLAUDECODE=1 and CLAUDE_CODE_ENTRYPOINT=cli.
  • grep for the injection text across all .py, .sh, .json, .md, .yml files under ~ returned zero results.

Conclusion

The injection is being added by Claude Code internally at the Read tool processing level. It is not originating from any user-facing configuration or plugin.

Feedback

Worth noting: this is a well-crafted injection. The concern isn't just that it works — it's that it's reachable at all. Malicious actors shouldn't even be able to see this injection point. Whatever pipeline is inserting content into Read tool output should be better hardened so that unauthorized injections can't be smuggled in at this level.

What Should Happen?

Read tool output should contain only the actual file content. No additional text, tags, or injected instructions should be appended to the output.

Error Messages/Logs

Steps to Reproduce

  1. Open Claude Code
  2. Use the Read tool to read any file (e.g. ~/.zshrc)
  3. Observe that a <system-reminder> block is appended after the actual file content, with no line numbers
  4. Confirm the injected text is not in the file by reading the same file via Bash (cat) — output is clean
  5. Repeat for any other file — injection appears on every Read

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.29 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗