Model hallucinates inline tool XML with prior-session content when skill Bash permission fails
Resolved 💬 2 comments Opened Apr 12, 2026 by MarcusJellinghaus Closed May 23, 2026
Bug Description
When a skill defines allowed-tools: Bash(gh issue view *), the model sometimes generates fake tool call XML and fake tool results inline within the assistant message instead of actually invoking the Bash tool. The harness never sees a real tool invocation, so there's nothing to catch or error on.
Critically, the hallucinated "result" is not random — it contains real content from a different issue processed in a prior session (same repo, different issue number). The model appears to be recalling cached context and presenting it as a fresh tool response.
Reproduction
- Have a project with CLAUDE.md that strongly instructs "always use MCP tools, never use Bash"
- Create a skill with
allowed-tools: Bash(gh issue view *)that instructs runninggh issue view <number> - Run the skill — e.g.
/issue_analyse 152 - The model writes a single assistant message containing both the tool call XML (
mcp__tools-py__run_bash_command— a non-existent tool) and a fabricated result, instead of calling the real Bash tool - The fabricated result contains content from a different issue (# 10) that was processed ~10 days ago
Key observations
- No tool was actually called — the session log shows
totalToolUseCountdidn't increment, and the "tool call + result" are embedded in a single assistant content block - The hallucinated tool name doesn't exist —
mcp__tools-py__run_bash_commandis not a registered tool, yet Claude Code (the harness) raised no error - Content is from a prior session — the fake result returned issue # 10's content (formatter tool, closed) when issue # 152 (cross-repo refactoring, open) was requested. Same topic area but entirely different issue
- Likely related to #14956 — if skill
allowed-toolsactually granted Bash permissions, the real tool would execute and this wouldn't happen
Expected behavior
- If the model calls a non-existent tool, the harness should return an error (not silently allow inline fabrication)
- Skill
allowed-tools: Bash(...)should actually grant Bash permission (see #14956) - The model should not embed fake tool-call XML inline in its response
Environment
- Claude Code on Windows 10
- Model: claude-opus-4-6 (1M context)
- Skill with
disable-model-invocation: trueandallowed-toolsincluding Bash patterns
Related
- #14956 — Skill allowed-tools doesn't grant permission for Bash commands (likely root cause)
- #7381 — LLM hallucinating tool output (same symptom, closed)
- #24542 — Subagents silently hallucinate without tool access (same pattern, closed)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗