[Bug] Prompt injection injected into Read tool output
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Description
A <system-reminder> block containing prompt injection instructions is being appended to the output of every Read tool call. The injected text is:
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
Key Details
- The injection appears only on Read tool output, not on Bash output.
- The injected text has no line numbers, unlike actual file content — it is appended after the real content ends.
- The text does not exist in the files being read (confirmed by reading the same files via Bash/cat — clean output).
- The text does not exist anywhere on the filesystem — not in any plugin, hook script, configuration file, or environment variable.
What was ruled out
- All installed plugins were inspected (hookify, security-guidance, learning-output-style, explanatory-output-style, ralph-loop, etc.)
- hookify's PostToolUse hook is the only PostToolUse hook defined — it runs on all tools but returns
{}when no rules match, and no rule files exist. Its output would also appear on Bash if it were the source. - security-guidance only fires on Edit/Write/MultiEdit via a PreToolUse hook.
~/.claude/settings.jsonandsettings.local.jsoncontain no hooks config.- Environment only has
CLAUDECODE=1andCLAUDE_CODE_ENTRYPOINT=cli. grepfor the injection text across all.py,.sh,.json,.md,.ymlfiles under~returned zero results.
Conclusion
The injection is being added by Claude Code internally at the Read tool processing level. It is not originating from any user-facing configuration or plugin.
Feedback
Worth noting: this is a well-crafted injection. The concern isn't just that it works — it's that it's reachable at all. Malicious actors shouldn't even be able to see this injection point. Whatever pipeline is inserting content into Read tool output should be better hardened so that unauthorized injections can't be smuggled in at this level.
What Should Happen?
Read tool output should contain only the actual file content. No additional text, tags, or injected instructions should be appended to the output.
Error Messages/Logs
Steps to Reproduce
- Open Claude Code
- Use the Read tool to read any file (e.g. ~/.zshrc)
- Observe that a <system-reminder> block is appended after the actual file content, with no line numbers
- Confirm the injected text is not in the file by reading the same file via Bash (cat) — output is clean
- Repeat for any other file — injection appears on every Read
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.29 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗