[BUG] Explore subagent should request permission before fetching web content (prompt injection risk)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The Explore subagent has access to WebFetch and WebSearch tools but runs entirely silently and it does not request user permission before fetching arbitrary web content. This creates a prompt injection risk: a malicious web page could influence the agent's output or actions without the user being aware that external content was fetched.
By contrast, direct WebFetch and WebSearch calls in the main agent do prompt for permission, giving the user visibility and control.
What Should Happen?
The Explore subagent should request permission before using WebFetch and WebSearch, in a similar way to the main agent.
Error Messages/Logs
Steps to Reproduce
Difficult to have always reliable STR, but asking claude to investigate something that might involve web searches/fetches is the obvious answer.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.74 (Claude Code)
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Other
Additional Information
_No response_
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗