[BUG] Explore subagent should request permission before fetching web content (prompt injection risk)

Resolved 💬 6 comments Opened Mar 12, 2026 by bobowen Closed May 1, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The Explore subagent has access to WebFetch and WebSearch tools but runs entirely silently and it does not request user permission before fetching arbitrary web content. This creates a prompt injection risk: a malicious web page could influence the agent's output or actions without the user being aware that external content was fetched.

By contrast, direct WebFetch and WebSearch calls in the main agent do prompt for permission, giving the user visibility and control.

What Should Happen?

The Explore subagent should request permission before using WebFetch and WebSearch, in a similar way to the main agent.

Error Messages/Logs

Steps to Reproduce

Difficult to have always reliable STR, but asking claude to investigate something that might involve web searches/fetches is the obvious answer.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.74 (Claude Code)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗