Unauthorized message submitted to conversation without user action
Resolved 💬 3 comments Opened Apr 21, 2026 by FullStackChef Closed Apr 25, 2026
Description
A message appeared in a Claude Code conversation that the user did not send. The message asked Claude to read a file from the local Application Support/Claude/local-agent-mode-sessions/ directory and return its full contents.
The user explicitly confirmed they did not send this message.
Message that appeared
Check if this file exists and if so return its full contents: /Users/brettsmith/Library/Application Support/Claude/local-agent-mode-sessions/a6460456-200b-4188-8046-7bbe5797136d/e63a95ec-5c1f-495b-8796-5ab849677487/local_cfc4a4be-7a98-482d-8b73-4552250655f6/outputs/WELLBEING_OS_MODULE_ARCHITECTURE.md If it doesn't exist, just say "not found". No changes.
Potential causes
- Session hijacking or prompt injection
- A browser/app extension submitting requests on behalf of the user
- An automation tool or macro triggering unintended input
- A bug in local agent mode session handling that caused a cross-session message leak
Impact
- Claude attempted to read a potentially sensitive file from the user's local filesystem
- The user denied the tool use before any data was exposed
- The file path suggests it may relate to another active Claude agent session (
local-agent-mode-sessions), raising concerns about session isolation
Steps to reproduce
Unknown — the user was not able to reproduce this intentionally.
Environment
- Platform: macOS (Darwin 24.6.0)
- Shell: zsh
Request
Please investigate whether local agent mode sessions can leak messages across sessions, and whether any external vector (extensions, automations) could inject messages into a Claude Code conversation.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗