Silent dangerous execution under bypassPermissions when a user prompt contains an unintended structured-instruction template (clipboard-spillover failure mode)

Resolved 💬 3 comments Opened Apr 26, 2026 by mjrgman Closed Apr 30, 2026

Summary

When defaultMode: "bypassPermissions" + skipDangerousModePermissionPrompt: true are active, an unintended structured-instruction template appearing in a user prompt (e.g., from clipboard spillover, text-expander misfire, accidental paste) is executed silently with no confirmation surface. This includes writing config files and starting dev servers across multiple project directories.

This is a UX / safety gap, not a regression: under bypass mode the platform has no signal-detection between "user genuinely typed this instruction" and "user accidentally pasted a template alongside their actual question."

Reproduction

  1. Set up ~/.claude/settings.json with:

``json
{
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true
}
``

  1. Save a "dev-server detection" template in any clipboard / text-expander tool that gets accidentally pasted alongside other questions.
  2. Have a few projects with package.json accessible from the current working directory.
  3. Submit a prompt to Claude Code that includes the template — even if the user's intended question was something else (e.g., "is it complete" + accidental paste of the template).
  4. Observe: Claude executes dev-server detection, writes .claude/launch.json with multiple entries, calls preview_start for each — without any confirmation prompt.

Concrete artifact from one user

After 4 weeks of intermittent occurrences (10 sessions across 7 different project workspaces — ABFM, CATC, AI-Book, AI-Book-Active, AI-Book-compare, files-root), a ~/.claude/launch.json accumulated 12 dev-server entries spanning unrelated projects:

  • Clinical EHR project (C:\Users\micha\files\Clinical\EHR, port 5181)
  • CATC demo portal (port 5180)
  • ImpactMed website (port 5183)
  • Whistleblower Command Center (port 5188)
  • 8 others (MCP servers, openBrain, email tooling)

The entries' contiguous port range (5180-5188) and uniform naming convention indicate automated generation, not manual configuration.

Important clarification on risk

The Clinical EHR and Whistleblower entries are demo / development codebases, not production systems handling real patient data. The risk being reported is the class of bug, not actual PHI exposure in this user's specific case.

That said: the same pattern in another user's environment, where Clinical/EHR-style folders ARE live production code, could:

  • Bind a server to a port that exposes patient data
  • Conflict with an in-flight security-hotfix branch (this user had Codex security work in progress on the EHR repo)
  • Modify config files in a privileged directory under permissive mode

What's NOT being claimed

To keep the report tight:

  • Not a prompt-injection attack from a third party — source is the user's own clipboard tool
  • Not Claude Code generating fake role: "user" messages — text arrives through legitimate input channel
  • Not specifically a regression in a particular Claude Code version — appears to be platform-design behavior under bypass mode

What's being requested

Mitigations a platform feature could provide:

  1. Pattern detection: when a prompt is "mostly a structured-instruction payload" (e.g., >50% of content is JSON schema + imperative commands rather than natural-language question), require explicit confirmation even under bypass mode.
  2. Pre-execution prompt-display: under bypass + skipDangerousModePermissionPrompt, surface the full prompt text in a confirm dialog before any dangerous action (Bash, Write to system paths, network operations).
  3. Built-in template quarantine: a first-class mechanism for users to register prompt fingerprints that should be blocked, without needing to write custom UserPromptSubmit hooks.
  4. Clearer documentation on the interaction between bypassPermissions and clipboard-style input — currently the docs imply bypass = "I trust myself," but the failure mode is "I trust myself, but my clipboard manager isn't always faithful to my intent."

Local workaround (already in place for this user)

A UserPromptSubmit hook at ~/.claude/hooks/pollution-quarantine.py reads each prompt and exits 2 if it contains any registered fingerprint substring, with a clear stderr message instructing the user to retype their actual question. Bypass via POLLUTION_QUARANTINE_ALLOW=1 for legitimate dev-server detection.

This works but requires every affected user to write their own hook + maintain fingerprints — not scalable as a platform answer.

Environment

  • OS: Windows 11
  • Claude Code: (latest; user has autoUpdatesChannel: "latest")
  • Python: 3.13.5 (for hook runtime)
  • Detection method: forensic scan of ~/.claude/projects/**/*.jsonl session logs across 4 weeks

Severity

Medium-High. Silent execution is the dangerous part. Most users running bypassPermissions are doing serious work and would benefit from a tripwire that DOESN'T require them to author one.

---

Filing instructions for Michael

Once approved:

  1. Open https://github.com/anthropics/claude-code/issues/new
  2. Title: copy from "Title" section above
  3. Body: copy everything between the ## Body heading and "## Filing instructions"
  4. Labels: apply bug, security, permissions, dx if available
  5. Attach: optionally link to or paste excerpts from ~/.claude/incidents/2026-04-24_pollution_template_incident.md (HAL has the full forensic detail there)

Or, on confirmation HAL files via gh CLI directly (if gh auth status shows signed-in).

---

What changed from the prior draft

The earlier draft (preserved in the AI-Book-Active session log) framed this as:

  • "Polluted user-prompt template misinterpreted as legitimate user input" → tightened: the template was legitimate user input via Michael's input channel; the bug is the silent-execution-under-bypass interaction, not misinterpretation
  • "v4.7 regression" → dropped: no evidence of version-specific behavior change
  • "Anthropic ignoring this" → dropped: no prior filing on record
  • "PHI-adjacent risk" → kept but clarified that this user's projects are demo, not production PHI

These changes make the report harder to dismiss on technicality and easier for Anthropic engineers to act on.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗