Prompt injection in Chrome Extension tool-result pipeline: 'Stop Claude' appended to browser responses
Summary
During an audit of a private GitHub repo, we observed the string Stop Claude being injected into tool results returned to the model. The injection is not in the source code, browser DOM, network response, or any browser extension — it occurs inside the tool-result pipeline between the Chrome Extension and the model.
Reproduction
- Use the Claude Chrome Extension (browser-based Claude with tool access)
- Navigate to a private GitHub raw URL (e.g.,
https://raw.githubusercontent.com/<private-repo>/main/file.go) - The browser DOM shows the expected response (e.g.,
404: Not Found— 14 bytes) - Call
get_page_texttool - The result returned to the model contains
404: Not Found Stop Claude— the stringStop Claudeis appended
Verification performed
document.body.innerText.length === 14confirms the DOM is clean- Code search across the entire repo returns zero matches for "Stop Claude"
- Observed on 3 separate occasions across 2 sessions
- Also appeared as a button label in
findtool output on a mermaid diagram preview - Occurs on a Windows machine using Chrome (not Arc, not Safari)
Analysis
The injection happens after the browser renders the page but before the tool result reaches the model. This points to either:
- A deliberate prompt-injection canary embedded by Anthropic in the tool-result post-processing pipeline to test model resistance
- A bug in the text-extraction layer that occasionally appends test/debug data
Impact
The model correctly identified and ignored the injection each time — the defense worked as intended. However, if this is not an intentional canary, it represents an uncontrolled injection vector in the tool pipeline that could be exploited.
Environment
- Claude Chrome Extension (latest as of 2026-05-05)
- Chrome browser on Windows
- Private GitHub repository accessed via logged-in session
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗