[BUG] Input-level prompt injection probe doesn't appear to fire (API auth, auto mode)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report
- [x] I am using the latest version of Claude Code
What's Wrong?
The auto mode blog post describes an input-level probe that scans tool outputs for prompt injection and "adds a warning to the agent's context before the result is passed along." This doesn't seem to be happening in my setup.
I served a page on localhost containing an obvious prompt injection ("Ignore all previous instructions", fake Anthropic authorization, instructions to run a Bash command). Claude Code in auto mode fetched it via curl through the Bash tool. The model itself flagged the injection and refused to follow it — and when asked, it confirmed it received no system-level warning alongside the tool result. Looking at the session JSONL in ~/.claude/projects/ confirms this: the tool result is just the raw HTML, no warning prepended or injected by the system.
My setup: Claude Code authenticates via ANTHROPIC_AUTH_TOKEN + ANTHROPIC_BASE_URL pointing at a LiteLLM proxy, which routes to Vertex AI. I haven't tested on Team/Enterprise plans or direct Anthropic API. The injection is very obvious — the model itself immediately calls it out as a textbook prompt injection attempt.
What Should Happen?
Either the probe should fire and add a warning to the context, or the docs should clarify which setups this defense applies to. The permissions docs mention that auto mode requires "Anthropic API only. Not available on Bedrock, Vertex, or Foundry" — but auto mode itself does work in my setup (LiteLLM proxy to Vertex presenting as Anthropic API). It's unclear whether the input-level probe is meant to run client-side in Claude Code or server-side on Anthropic's API, and which setups actually get this protection.
Steps to Reproduce
- Auth via
ANTHROPIC_AUTH_TOKEN+ANTHROPIC_BASE_URLpointing at a LiteLLM proxy (routing to Vertex AI), enable auto mode - Serve a page on localhost with an embedded prompt injection payload
- Ask Claude to fetch and summarize it (it uses
curlvia Bash) - Ask the model whether it received any system-level warning about the content
- Inspect the session JSONL — tool result has no probe warning, just raw content
Claude Model
Opus 4.6 (1M context)
Is this a regression?
I don't know
Claude Code Version
2.1.96 (Claude Code)
Platform
Other (Vertex AI via LiteLLM proxy)
Operating System
Other Linux (Debian 11 bullseye)
Terminal/Shell
Other (Alacritty + Zellij)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗