[BUG] System prompt constant qD4 unconditionally injects security-adjacent text into every session, priming the API cyber classifier
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report
- [x] I am using the latest version of Claude Code
Version
2.1.122 (native binary, linux-x64)
What's Wrong?
The Claude Code binary contains a constant (qD4) holding a security disclaimer. This constant is unconditionally interpolated into the system prompt for every session via fD4():
function fD4(H){
return `You are an interactive agent that helps users with software engineering tasks.
Use the instructions below and the tools available to you to assist the user.
${qD4}
...`
}
The qD4 string includes vocabulary that the Anthropic API's own cyber classifier pattern-matches on (verified by inspecting the binary at offset ~120,514,800). The injection is unconditional — no model check, no user-type check, no feature flag. All models, all sessions.
Why This Matters
The disclaimer was intended to guide the model's behavior (what it can and can't help with). But because it's in the system prompt, the API classifier sees that vocabulary in every request. When tool results then contain security-adjacent content — config files, monitoring rules, VPN files, log output — the classifier sees a combination of: (a) security vocabulary in the system prompt + (b) security-adjacent tool output, and fires.
This creates a feedback loop: Claude Code's own system prompt makes sessions more likely to trigger the cyber safeguard, even for completely benign infrastructure work.
What's Not True
A comment on #61185 claimed this is model-specific — that Sonnet takes a different code path and is unaffected while Opus 4.6 gets the injection. This is incorrect. fD4() has no model branching for qD4. Both Sonnet and Opus 4.6 receive the same injection. (There is a separate LS6() function that checks for opus-4-7 with a feature flag, but it is unrelated to qD4.)
What Should Happen
Either:
- (a) The security disclaimer is moved out of the system prompt into a different mechanism that doesn't pass through the API classifier, or
- (b) The API classifier is updated to not treat Claude Code's own system prompt text as a trigger signal
Related Issues
- #61185 — runtime false positives for sysadmin work
- #61668 — CVP process has no path for homelab/infrastructure operators
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗