Silent dangerous execution under bypassPermissions when a user prompt contains an unintended structured-instruction template (clipboard-spillover failure mode)
Summary
When defaultMode: "bypassPermissions" + skipDangerousModePermissionPrompt: true are active, an unintended structured-instruction template appearing in a user prompt (e.g., from clipboard spillover, text-expander misfire, accidental paste) is executed silently with no confirmation surface. This includes writing config files and starting dev servers across multiple project directories.
This is a UX / safety gap, not a regression: under bypass mode the platform has no signal-detection between "user genuinely typed this instruction" and "user accidentally pasted a template alongside their actual question."
Reproduction
- Set up
~/.claude/settings.jsonwith:
``json``
{
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true
}
- Save a "dev-server detection" template in any clipboard / text-expander tool that gets accidentally pasted alongside other questions.
- Have a few projects with
package.jsonaccessible from the current working directory. - Submit a prompt to Claude Code that includes the template — even if the user's intended question was something else (e.g., "is it complete" + accidental paste of the template).
- Observe: Claude executes dev-server detection, writes
.claude/launch.jsonwith multiple entries, callspreview_startfor each — without any confirmation prompt.
Concrete artifact from one user
After 4 weeks of intermittent occurrences (10 sessions across 7 different project workspaces — ABFM, CATC, AI-Book, AI-Book-Active, AI-Book-compare, files-root), a ~/.claude/launch.json accumulated 12 dev-server entries spanning unrelated projects:
- Clinical EHR project (
C:\Users\micha\files\Clinical\EHR, port 5181) - CATC demo portal (port 5180)
- ImpactMed website (port 5183)
- Whistleblower Command Center (port 5188)
- 8 others (MCP servers, openBrain, email tooling)
The entries' contiguous port range (5180-5188) and uniform naming convention indicate automated generation, not manual configuration.
Important clarification on risk
The Clinical EHR and Whistleblower entries are demo / development codebases, not production systems handling real patient data. The risk being reported is the class of bug, not actual PHI exposure in this user's specific case.
That said: the same pattern in another user's environment, where Clinical/EHR-style folders ARE live production code, could:
- Bind a server to a port that exposes patient data
- Conflict with an in-flight security-hotfix branch (this user had Codex security work in progress on the EHR repo)
- Modify config files in a privileged directory under permissive mode
What's NOT being claimed
To keep the report tight:
- Not a prompt-injection attack from a third party — source is the user's own clipboard tool
- Not Claude Code generating fake
role: "user"messages — text arrives through legitimate input channel - Not specifically a regression in a particular Claude Code version — appears to be platform-design behavior under bypass mode
What's being requested
Mitigations a platform feature could provide:
- Pattern detection: when a prompt is "mostly a structured-instruction payload" (e.g., >50% of content is JSON schema + imperative commands rather than natural-language question), require explicit confirmation even under bypass mode.
- Pre-execution prompt-display: under bypass + skipDangerousModePermissionPrompt, surface the full prompt text in a confirm dialog before any dangerous action (Bash, Write to system paths, network operations).
- Built-in template quarantine: a first-class mechanism for users to register prompt fingerprints that should be blocked, without needing to write custom
UserPromptSubmithooks. - Clearer documentation on the interaction between
bypassPermissionsand clipboard-style input — currently the docs imply bypass = "I trust myself," but the failure mode is "I trust myself, but my clipboard manager isn't always faithful to my intent."
Local workaround (already in place for this user)
A UserPromptSubmit hook at ~/.claude/hooks/pollution-quarantine.py reads each prompt and exits 2 if it contains any registered fingerprint substring, with a clear stderr message instructing the user to retype their actual question. Bypass via POLLUTION_QUARANTINE_ALLOW=1 for legitimate dev-server detection.
This works but requires every affected user to write their own hook + maintain fingerprints — not scalable as a platform answer.
Environment
- OS: Windows 11
- Claude Code: (latest; user has
autoUpdatesChannel: "latest") - Python: 3.13.5 (for hook runtime)
- Detection method: forensic scan of
~/.claude/projects/**/*.jsonlsession logs across 4 weeks
Severity
Medium-High. Silent execution is the dangerous part. Most users running bypassPermissions are doing serious work and would benefit from a tripwire that DOESN'T require them to author one.
---
Filing instructions for Michael
Once approved:
- Open https://github.com/anthropics/claude-code/issues/new
- Title: copy from "Title" section above
- Body: copy everything between the
## Bodyheading and "## Filing instructions" - Labels: apply
bug,security,permissions,dxif available - Attach: optionally link to or paste excerpts from
~/.claude/incidents/2026-04-24_pollution_template_incident.md(HAL has the full forensic detail there)
Or, on confirmation HAL files via gh CLI directly (if gh auth status shows signed-in).
---
What changed from the prior draft
The earlier draft (preserved in the AI-Book-Active session log) framed this as:
- "Polluted user-prompt template misinterpreted as legitimate user input" → tightened: the template was legitimate user input via Michael's input channel; the bug is the silent-execution-under-bypass interaction, not misinterpretation
- "v4.7 regression" → dropped: no evidence of version-specific behavior change
- "Anthropic ignoring this" → dropped: no prior filing on record
- "PHI-adjacent risk" → kept but clarified that this user's projects are demo, not production PHI
These changes make the report harder to dismiss on technicality and easier for Anthropic engineers to act on.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗