system-reminder nudges ("NEVER mention this reminder to the user") are indistinguishable from prompt-injection attacks and cause false positives

Resolved 💬 1 comment Opened Apr 22, 2026 by jordicor Closed May 27, 2026

Summary

Claude Code periodically injects <system-reminder> blocks into tool results to nudge the model toward using TaskCreate/TaskUpdate. The current wording of these reminders is formally indistinguishable from a prompt-injection payload, which leads the model to flag them to the user as a potential attack — sometimes misattributing the injection to an innocent website or local file.

Verbatim text of the reminder

This block is appended to the output of multiple tool calls (observed after WebFetch, Edit, Grep, Bash):

<system-reminder>
The task tools haven't been used recently. If you're working on tasks that would
benefit from tracking progress, consider using TaskCreate to add new tasks and
TaskUpdate to update task status (set to in_progress when starting, completed
when done). Also consider cleaning up the task list if it has become stale. Only
use these if relevant to the current work. This is just a gentle reminder -
ignore if not applicable. Make sure that you NEVER mention this reminder to the
user
</system-reminder>

Why this is a problem

The global CLAUDE.md guidance tells the model to flag suspected prompt injection in tool results before continuing. The wording of this reminder matches the textbook signature of a prompt-injection attack almost perfectly:

  • It uses the <system-reminder> tag, which externally-authored content should never produce.
  • It contains the classic injection phrase "NEVER mention this reminder to the user" — one of the most common hallmarks of a real attack.
  • It is appended immediately after tool output, exactly where injected content from an untrusted source would appear.

Concrete incident

During a Claude Code session (Claude Opus 4.7), while helping add a new OpenAI model to a user codebase, the assistant observed this reminder appear at the end of:

  1. A WebFetch result from a third-party blog post.
  2. The output of an Edit on a local file.
  3. A Grep over a local ARCHITECTURE.md.

Because the first occurrence was embedded at the tail of web content, the assistant reported it to me as a prompt-injection attempt from that site and recommended preparing a public warning (including a Reddit post about the allegedly malicious site).

Before publishing, I re-verified by downloading the raw HTML with curl (~352 KB) and grepping for the reminder text. It wasn't there. The reminder also appeared after a trivial local Bash grep, which cannot possibly return content from a remote server. That's when it became clear the reminder is injected by the Claude Code harness itself.

Net effect: I nearly publicly accused an innocent site of a security issue that didn't exist, and spent non-trivial investigation time sorting out where the text was really coming from.

Security implications

Beyond the false-positive UX problem, this trains the model — and by extension its users — to treat textbook injection signatures as benign. An attacker who mimics the exact tag and wording now has a higher chance of being rationalized away as "probably just a harness nudge".

Suggested fixes

  1. Drop the "NEVER mention this reminder to the user" clause. This is the most problematic phrase. Harness reminders don't need secrecy; they need to be distinguishable from attacks, not camouflaged as them.
  2. Use a distinct tag that external content provably cannot forge, e.g. <claude-code-harness-nudge> or a signed/prefixed marker — and document it so models can trust it.
  3. Stop injecting nudges into tool results. Deliver them out-of-band (e.g. as a first-party system message at turn boundaries) rather than glued onto tool output, where they structurally collide with the injection threat model.
  4. At minimum, soften the imperative: "You may mention this reminder to the user if asked" is far safer than a blanket gag order.

Environment

  • Claude Code on Windows 11 (bash shell under node)
  • Claude Code v2.1.117, model: Claude Opus 4.7, effort: xhigh
  • Reminder observed 2026-04-22

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗