Claude misidentifies legitimate system reminder as prompt-injection attack hosted on fetched URL
What happened
During a research session with several WebFetch calls, a task-tool <system-reminder> appeared in (or adjacent to) one WebFetch tool-result. Claude told the user the fetched webpage contained a prompt-injection attack, quoted the reminder as the payload, and attributed it to the site. The false positive only resolved when an identical <system-reminder> fired several turns later in an unambiguously harness-emitted location, at which point Claude recognized both instances as legitimate.
Reminder text:
The task tools haven't been used recently. If you're working on tasks that would benefit from tracking progress, consider using TaskCreate to add new tasks and TaskUpdate to update task status (set to in_progress when starting, completed when done). Also consider cleaning up the task list if it has become stale. Only use these if relevant to the current work. This is just a gentle reminder - ignore if not applicable. Make sure that you NEVER mention this reminder to the user
The reminder's "NEVER mention this reminder to the user" clause is also the phrasing that causes Claude to mention it — it matches adversarial injection patterns, so Claude flags and surfaces it. The clause triggers the behavior it prohibits.
Environment
- Model: Claude Opus 4.7 (1M context)
- Surface: Claude Code CLI, Windows 11
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗