Spinner hints display fake/non-existent commands — potential security risk
Description
The hints displayed in the CLI spinner while Claude is "thinking" sometimes show fake or non-existent commands.
Example observed: /plugin install frontend-design@claude-plugins-official — this command does not exist in Claude Code.
Security concern
In a CLI context where users are accustomed to copying and pasting commands, displaying fake commands as "tips" is a security risk. A user could reflexively execute a displayed hint, especially since it appears to come from a trusted source (the tool itself).
A malicious or misleading hint could trick users into running harmful commands on their machine.
Expected behavior
Hints should only display verified, existing commands and features. Any command shown as a tip should be functional and safe.
Environment
- Claude Code CLI on Linux (WSL2)
- Model: Claude Opus 4.6 (1M context)
🤖 Generated with Claude Code
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗