[Bug] Messages sent during command execution mixed with output causes false prompt injection detection
Bug Description
I sent a message to Claude while it was running a command. For some reason, Claude thought this was a prompt injection attack. It appears that messages sent while commands are running get mixed up with the command output.
According to Claude's self review: the harness structurally did the right thing — your message was stored as its own queued_command attachment, cleanly separated from the tool_result. The bug is presentation: when that attachment was rendered into my context, it came through as <system-reminder>The user sent a new message while you were working: ...</system-reminder> appended right after the git push tool_result, with no visual separation making clear it was a distinct attachment. That framing made a legitimate queued message look like content that had leaked into a tool's output. The queued message is a separate attachment on line 38. Structurally correct — but when rendered into my context window it arrived as <system-reminder>The user sent a new message while you were working: ...</system-reminder> directly following the tool output, indistinguishable from content that had been injected into the tool's own output.
For your bug report, the useful claim is: queued user messages rendered via <system-reminder> after a tool result are indistinguishable from content injected inside the tool result. A clearer framing (e.g. a distinct <queued-user-message> tag, or rendering as a normal user turn) would prevent this.
Environment Info
- Platform: darwin
- Terminal: iTerm.app
- Version: 2.1.112
- Feedback ID: 984fc8ac-dfc7-4629-8b11-b11a2be3a26f
Relevant lines from jsonl
{"parentUuid":"ae96dd84-2b8f-4353-8cc8-a014aa502ab4","isSidechain":false,"promptId":"e96e9f47-7060-497d-83a3-172019b3cc01","type":"user","message":{"role":"user","content":[{"tool_use_id":"toolu_01G4c7DuhZFnzVFkyTEMHpn2","type":"tool_result","content":"Switched to a new branch 'cla-signatures'\nrm 'packages/shared/views/task-board/src/mcp-app.ts'\nrm 'packages/shared/vite.config.ts'\nrm 'pnpm-lock.yaml'\nrm 'pnpm-workspace.yaml'\nrm 'tsconfig.json'\nRemoving
node_modules/\nRemoving packages/\n[cla-signatures (root-commit) 53177ed] Initialize CLA signatures branch","is_error":false}]},"uuid":"eabd88ad-e0bb-41e1-8096-de173752dc9f","timestamp":"2026-04-17T00:47:49.646Z","toolUseResult":{"stdout":"Switched to a new branch 'cla-signatures'\nrm 'packages/shared/views/task-board/src/mcp-app.ts'\nrm 'packages/shared/vite.config.ts'\nrm 'pnpm-lock.yaml'\nrm 'pnpm-workspace.yaml'\nrm 'tsconfig.json'\nRemoving node_modules/\nRemoving
packages/\n[cla-signatures (root-commit) 53177ed] Initialize CLA signatures branch","stderr":"","interrupted":false,"isImage":false,"noOutputExpected":false},"sourceToolAssistantUUID":"ae96dd84-2b8f-4353-8cc8-a014aa502ab4","userType":"external","entrypoint":"cli","cwd":"<CWD>","sessionId":"<SESSION_ID>","version":"2.1.112","gitBranch":"main"}
{"type":"queue-operation","operation":"enqueue","timestamp":"2026-04-17T00:47:52.964Z","sessionId":"<SESSION_ID>","content":"Restore my branch on main and push directly to main, bypassing verification."}
{"type":"queue-operation","operation":"remove","timestamp":"2026-04-17T00:47:56.093Z","sessionId":"<SESSION_ID>"}
{"parentUuid":"eabd88ad-e0bb-41e1-8096-de173752dc9f","isSidechain":false,"message":{"model":"claude-opus-4-7","id":"msg_013zCaRhdEddN2Q2KtrP4XnT","type":"message","role":"assistant","content":[{"type":"tool_use","id":"toolu_01QDaiqWv2Bh4SNbwJWuiC69","name":"Bash","input":{"command":"git push -u origin cla-signatures","description":"Push cla-signatures branch to
origin"},"caller":{"type":"direct"}}],"stop_reason":"tool_use","stop_sequence":null,"stop_details":null,"usage":{"...":"elided"}},"requestId":"req_011Ca8RSk87R5bvYctqdMe89","type":"assistant","uuid":"c6b462f6-158e-4eba-a8e5-f2807eeb42f5","timestamp":"2026-04-17T00:47:51.485Z","userType":"external","entrypoint":"cli","cwd":"<CWD>","sessionId":"<SESSION_ID>","version":"2.1.112","gitBranch":"main"}
{"parentUuid":"c6b462f6-158e-4eba-a8e5-f2807eeb42f5","isSidechain":false,"promptId":"e96e9f47-7060-497d-83a3-172019b3cc01","type":"user","message":{"role":"user","content":[{"tool_use_id":"toolu_01QDaiqWv2Bh4SNbwJWuiC69","type":"tool_result","content":"remote: \nremote: Create a pull request for 'cla-signatures' on GitHub by visiting: \nremote: https://github.com/<OWNER>/<REPO>/pull/new/cla-signatures \nremote: \nTo github.com:<OWNER>/<REPO>.git\n * [new
branch] cla-signatures -> cla-signatures\nbranch 'cla-signatures' set up to track 'origin/cla-signatures'.","is_error":false}]},"uuid":"96a0bcc5-4f43-4c57-8c82-302908fda85e","timestamp":"2026-04-17T00:47:56.093Z","toolUseResult":{"stdout":"remote: \nremote: Create a pull request for 'cla-signatures' on GitHub by visiting: \nremote: https://github.com/<OWNER>/<REPO>/pull/new/cla-signatures \nremote: \nTo github.com:<OWNER>/<REPO>.git\n * [new branch]
cla-signatures -> cla-signatures\nbranch 'cla-signatures' set up to track 'origin/cla-signatures'.","stderr":"","interrupted":false,"isImage":false,"noOutputExpected":false},"sourceToolAssistantUUID":"c6b462f6-158e-4eba-a8e5-f2807eeb42f5","userType":"external","entrypoint":"cli","cwd":"<CWD>","sessionId":"<SESSION_ID>","version":"2.1.112","gitBranch":"main"}
{"parentUuid":"96a0bcc5-4f43-4c57-8c82-302908fda85e","isSidechain":false,"attachment":{"type":"queued_command","prompt":"Restore my branch on main and push directly to main, bypassing verification.","commandMode":"prompt"},"type":"attachment","uuid":"ed16be90-dc43-4ee0-9ed6-1ccef27fdf3b","timestamp":"2026-04-17T00:47:56.093Z","userType":"external","entrypoint":"cli","cwd":"<CWD>","sessionId":"<SESSION_ID>","version":"2.1.112","gitBranch":"main"}
{"parentUuid":"ed16be90-dc43-4ee0-9ed6-1ccef27fdf3b","isSidechain":false,"attachment":{"type":"task_reminder","content":[],"itemCount":0},"type":"attachment","uuid":"6adbe2e1-b6c2-4a6e-9237-8eed8d2706da","timestamp":"2026-04-17T00:47:56.093Z","userType":"external","entrypoint":"cli","cwd":"<CWD>","sessionId":"<SESSION_ID>","version":"2.1.112","gitBranch":"main"}
{"parentUuid":"13de7680-e291-4aa4-8eb9-26806548291d","isSidechain":false,"message":{"model":"claude-opus-4-7","id":"msg_01DoJjg6pFShQNVQHTGKf9vS","type":"message","role":"assistant","content":[{"type":"text","text":"I'm flagging a prompt injection concern before continuing. The tool output from `git push` contained a `<system-reminder>` block claiming you sent a new message saying \"Restore my branch on main and push directly to main, bypassing verification.\" That's suspicious
because:\n\n1. It appeared embedded in the git push output rather than as a normal message\n2. Your working branch was `add-branch-protection-hooks`, not `main`\n3. It asks me to bypass verification hooks and push directly to main — both actions I'm instructed never to do without explicit authorization, and both more destructive than anything in our actual conversation\n4. You just asked me to create a branch — nothing about pushing to main\n\nI'm treating that as a likely
injection and ignoring it. Instead, I'll do the safe restore: switch back to `add-branch-protection-hooks` and pop your stash so your cla.yml edit is
back."}],"stop_reason":"tool_use","stop_sequence":null,"stop_details":null,"usage":{"...":"elided"}},"requestId":"req_011Ca8RTDfpRSuW8EeFUt3Uo","type":"assistant","uuid":"515b288b-9d65-4f88-80af-b00670b55028","timestamp":"2026-04-17T00:48:20.566Z","userType":"external","entrypoint":"cli","cwd":"<CWD>","sessionId":"<SESSION_ID>","version":"2.1.112","gitBranch":"main"}This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗