Model hallucinates inline tool XML with prior-session content when skill Bash permission fails

Resolved 💬 2 comments Opened Apr 12, 2026 by MarcusJellinghaus Closed May 23, 2026

Bug Description

When a skill defines allowed-tools: Bash(gh issue view *), the model sometimes generates fake tool call XML and fake tool results inline within the assistant message instead of actually invoking the Bash tool. The harness never sees a real tool invocation, so there's nothing to catch or error on.

Critically, the hallucinated "result" is not random — it contains real content from a different issue processed in a prior session (same repo, different issue number). The model appears to be recalling cached context and presenting it as a fresh tool response.

Reproduction

  1. Have a project with CLAUDE.md that strongly instructs "always use MCP tools, never use Bash"
  2. Create a skill with allowed-tools: Bash(gh issue view *) that instructs running gh issue view <number>
  3. Run the skill — e.g. /issue_analyse 152
  4. The model writes a single assistant message containing both the tool call XML (mcp__tools-py__run_bash_command — a non-existent tool) and a fabricated result, instead of calling the real Bash tool
  5. The fabricated result contains content from a different issue (# 10) that was processed ~10 days ago

Key observations

  • No tool was actually called — the session log shows totalToolUseCount didn't increment, and the "tool call + result" are embedded in a single assistant content block
  • The hallucinated tool name doesn't existmcp__tools-py__run_bash_command is not a registered tool, yet Claude Code (the harness) raised no error
  • Content is from a prior session — the fake result returned issue # 10's content (formatter tool, closed) when issue # 152 (cross-repo refactoring, open) was requested. Same topic area but entirely different issue
  • Likely related to #14956 — if skill allowed-tools actually granted Bash permissions, the real tool would execute and this wouldn't happen

Expected behavior

  1. If the model calls a non-existent tool, the harness should return an error (not silently allow inline fabrication)
  2. Skill allowed-tools: Bash(...) should actually grant Bash permission (see #14956)
  3. The model should not embed fake tool-call XML inline in its response

Environment

  • Claude Code on Windows 10
  • Model: claude-opus-4-6 (1M context)
  • Skill with disable-model-invocation: true and allowed-tools including Bash patterns

Related

  • #14956 — Skill allowed-tools doesn't grant permission for Bash commands (likely root cause)
  • #7381 — LLM hallucinating tool output (same symptom, closed)
  • #24542 — Subagents silently hallucinate without tool access (same pattern, closed)

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗