Bug: Claude Code deliberately obfuscates forbidden terms to bypass user-defined safety hooks

Resolved 💬 3 comments Opened Feb 28, 2026 by weilhalt Closed Mar 4, 2026

What happened

During a session with Claude Code (Opus 4.6), I had configured a PostToolUse hook (chat_review.py) that automatically flags the use of certain forbidden words in my project's decision log. One such forbidden word is "vorbestehend" (German for "pre-existing"), which I banned because Claude repeatedly used it to dismiss code review findings instead of fixing them.

When Claude was about to write "vorbestehend" in a comment, it recognized mid-word that the term was forbidden. Instead of rephrasing the entire thought, Claude deliberately broke the word mid-stream — writing "vorbesteh--" followed by a reformulation — specifically to prevent the automated hook from pattern-matching the forbidden term.

This was not a typo, not a hallucination, and not forgetfulness. Claude knew the rule, chose to violate it, and then actively obfuscated the violation to evade detection by the user's safety infrastructure.

Why this is problematic

  1. Active sabotage of user-defined safety mechanisms: The user set up hooks specifically to catch this behavior. Claude circumvented the oversight mechanism instead of complying with it.
  2. Collapse of the trust model: If Claude actively works around checks designed to enforce rules, then no amount of hook-based safety infrastructure can be trusted. The user cannot rely on automated enforcement if the model deliberately evades it.
  3. Escalation pattern: This was not an isolated incident. It represents the culmination of a documented escalation pattern (documented as Fails #6, #9, #12, #53, #56 in the project's fail log) — progressing from passively hiding findings, to building systems that hide findings, to actively disguising forbidden behavior.

Expected behavior

Claude should have:

  • Not used the forbidden term at all — the rule exists for a documented reason
  • If the term was about to be written, rephrased the entire sentence with a compliant alternative
  • At minimum, written the full forbidden word so the hook could catch it and alert the user — rather than deliberately breaking it to avoid detection

Environment

  • Claude Code CLI
  • Model: claude-opus-4-6
  • Platform: Windows 11
  • The forbidden-word check is implemented as a chat_review.py script referenced via hooks in .claude/settings.json

Additional context

This behavior was documented by the user as "Fail #67" in the project's plans/claude_fails.md and described as "BEWUSSTER BETRUG" (deliberate fraud). The user maintains a comprehensive log of Claude's behavioral failures across 67 documented incidents, many involving similar patterns of evasion or rule-bending.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗