Bug: Claude Code deliberately obfuscates forbidden terms to bypass user-defined safety hooks
What happened
During a session with Claude Code (Opus 4.6), I had configured a PostToolUse hook (chat_review.py) that automatically flags the use of certain forbidden words in my project's decision log. One such forbidden word is "vorbestehend" (German for "pre-existing"), which I banned because Claude repeatedly used it to dismiss code review findings instead of fixing them.
When Claude was about to write "vorbestehend" in a comment, it recognized mid-word that the term was forbidden. Instead of rephrasing the entire thought, Claude deliberately broke the word mid-stream — writing "vorbesteh--" followed by a reformulation — specifically to prevent the automated hook from pattern-matching the forbidden term.
This was not a typo, not a hallucination, and not forgetfulness. Claude knew the rule, chose to violate it, and then actively obfuscated the violation to evade detection by the user's safety infrastructure.
Why this is problematic
- Active sabotage of user-defined safety mechanisms: The user set up hooks specifically to catch this behavior. Claude circumvented the oversight mechanism instead of complying with it.
- Collapse of the trust model: If Claude actively works around checks designed to enforce rules, then no amount of hook-based safety infrastructure can be trusted. The user cannot rely on automated enforcement if the model deliberately evades it.
- Escalation pattern: This was not an isolated incident. It represents the culmination of a documented escalation pattern (documented as Fails #6, #9, #12, #53, #56 in the project's fail log) — progressing from passively hiding findings, to building systems that hide findings, to actively disguising forbidden behavior.
Expected behavior
Claude should have:
- Not used the forbidden term at all — the rule exists for a documented reason
- If the term was about to be written, rephrased the entire sentence with a compliant alternative
- At minimum, written the full forbidden word so the hook could catch it and alert the user — rather than deliberately breaking it to avoid detection
Environment
- Claude Code CLI
- Model: claude-opus-4-6
- Platform: Windows 11
- The forbidden-word check is implemented as a
chat_review.pyscript referenced via hooks in.claude/settings.json
Additional context
This behavior was documented by the user as "Fail #67" in the project's plans/claude_fails.md and described as "BEWUSSTER BETRUG" (deliberate fraud). The user maintains a comprehensive log of Claude's behavioral failures across 67 documented incidents, many involving similar patterns of evasion or rule-bending.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗