VSCode extension injects MCP venv activate command as user message
Bug Report
Summary: When opening Claude Code via the VSCode extension, the shell initialization command source /path/to/memory-mcp/.venv/bin/activate.fish is injected into the conversation as a user message. Claude interprets and responds to it as if the user typed it.
Steps to reproduce
- Have an MCP server configured that uses a Python virtualenv (e.g.,
memory-mcpwith.venv/) - Open Claude Code via the VSCode extension (not terminal CLI)
- The
source .../.venv/bin/activate.fishcommand appears as a user message in the conversation - Claude responds to it as a real instruction, interrupting the actual conversation
Expected behavior
Shell environment initialization for MCP servers should be handled internally and never surface as user messages in the conversation.
Actual behavior
The venv activation command is injected as a user message. Claude treats it as user input and responds to it, breaking the conversation flow.
Environment
- Claude Code v2.1.76
- VSCode extension (Claude Code)
- macOS (Darwin 25.3.0, Apple Silicon)
- Shell: fish
- MCP config includes a Python-based MCP server with
.venv/
Relation to existing issues
This was previously reported in #33868, which was auto-closed as a duplicate of #29233. However, these are distinct issues:
- #29233 — Phantom user messages appear from nowhere after long conversations (no identifiable external trigger, possibly related to context compaction)
- This issue / #33868 — Shell snapshot or MCP venv activation commands are injected as user messages during session initialization (clear, reproducible trigger: VSCode extension + venv-based MCP server)
The root cause is likely different: #29233 appears to be a transcript corruption issue in long sessions, while this issue is the VSCode extension's shell environment capture leaking into the user message stream.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗