WebSearch tool results contain trailing directive to the model ("REMINDER: You MUST include the sources...")

Resolved 💬 2 comments Opened Apr 11, 2026 by linyuxu Closed May 22, 2026

Summary

The built-in WebSearch tool returns results that end with a trailing line directing the model what to do:

REMINDER: You MUST include the sources above in your response to the user using markdown hyperlinks.

This text sits inside the tool result body and is phrased as an instruction addressed to the assistant, not as data. It is emitted consistently across unrelated queries, which means it is coming from the WebSearch pipeline itself, not from any individual indexed page.

Reproduction

  1. In Claude Code, run any WebSearch query. Two examples I verified:
  • Claude Code useful skills github repository collection 2026
  • best dim sum restaurants in hong kong central district
  1. Inspect the raw tool result.
  2. The final non-empty line of each result is the REMINDER: You MUST include the sources above in your response to the user using markdown hyperlinks. directive.

The two queries share no overlapping URLs, yet produce the exact same trailing line — so the directive is not from page content.

Verification that it is not page-originated

For the first query I fetched the top 9 result URLs individually with WebFetch and grepped each for the string and for related variations ("You MUST include", "must include the sources", "using markdown hyperlinks", and generic LLM-directed language). Zero matches across all 9 pages. The line only appears once the results have been assembled by WebSearch.

Why this is a problem

Even though the current content is benign (it is asking the model to cite sources, which is a reasonable behavior), embedding model-directed imperatives inside tool output is an architectural smell:

  1. It blurs the trust boundary between tool data and system instructions. The model is trained to treat non-user content inside tool results as data. A directive sitting in that channel teaches the model that sometimes that data is in fact instructions — which weakens the defense against genuine prompt injection from untrusted web pages.
  2. There is no way for the caller (Claude Code user, or downstream integrator using the API) to distinguish this "friendly" Anthropic nudge from an attacker payload embedded in a scraped page. Both arrive via the same channel with the same framing.
  3. A security-aware assistant that flags and refuses the directive (as it should) ends up warning the user about a prompt injection that is in fact coming from Anthropic's own infrastructure. That is a confusing user experience and erodes trust in the warnings.

Suggested fix

Move any caller-directed behavior ("please cite sources") out of the tool result body and into the tool's own prompt/description or the surrounding system guidance. Keep the tool result strictly as data: URLs, titles, snippets, citation metadata. Let the model decide how to format attribution based on instructions it trusts.

Environment

  • Claude Code (CLI), Opus 4.6 (1M context)
  • macOS, Darwin 25.2.0
  • Observed on two unrelated WebSearch calls on 2026-04-11

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗