Cowork desktop client silently mutates MCP tool-call string args containing long repeated-character runs

Resolved 💬 2 comments Opened Jun 6, 2026 by Cupid673 Closed Jun 30, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The Cowork desktop client deterministically corrupts string arguments passed to MCP tool calls when the string contains runs of ~100+ identical characters. The mutation is client-side (before the HTTP request leaves the client), silent (no error or warning), and behaves like a run-length-encoding roundtrip bug: the character is preserved but the count is wrong.

Note: this is a Cowork desktop-client issue. Filing here because Cowork has no public issue tracker and runs on the Claude Code / Agent SDK stack — the serialization stage may be shared. Please reroute if there's a better channel.

What Should Happen?

The file written server-side should be identical to the intended input: length 1000, md5 00dde050b563dc1cd920ba043e0d5d70. No silent mutation of repeated-character runs.

Error Messages/Logs

None. This is the core problem: the mutation is silent — no error, no warning, no log entry on client or server. It is only detectable via a server-side md5/length check after the write.

Steps to Reproduce

  1. Run any MCP server exposing a write_file(path, content) tool over Streamable HTTP.
  2. From a Cowork session, invoke the tool with a long run of identical characters:

write_file(path="/tmp/test.txt", content="Z" * 1000)

  1. When prompted for the tool call, accept.
  2. On the server, check the written file:

md5sum /tmp/test.txt && wc -c /tmp/test.txt

  1. Compare against the intended input:

python3 -c "import hashlib; print(hashlib.md5(b'Z'*1000).hexdigest())"
-> 00dde050b563dc1cd920ba043e0d5d70, length 1000

Expected: server file is 1000 bytes, md5 00dde050b563dc1cd920ba043e0d5d70.
Observed: server file is longer (e.g. 1442 or 1357 bytes), different md5, same character with wrong count.

Note: only triggers on identical-character runs of ~100+. High-entropy content (random bytes, base64, hashes) is bit-perfect at any length. Mutation is deterministic within a session, magnitude varies between sessions.

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.161 (Claude Code)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

Windows Terminal

Additional Information

Clarification: this was reproduced via the Cowork desktop app (not the Claude Code CLI in a terminal). The Terminal/Shell field above is the closest available option, not literally accurate.

Controlled test (2026-05-23), same input "Z"*1000, four invocation routes:

| Route | Bytes | md5 | Delta |
|------|------:|-----|------:|
| Intended input | 1000 | 00dde050... | baseline |
| Pi5-native httpx -> localhost:8000/mcp/http | 1000 | 00dde050... | +0 |
| Pi5-native httpx -> Cloudflare tunnel | 1000 | 00dde050... | +0 |
| Cowork-client session A | 1442 | 071c96f7... | +442 |
| Cowork-client session B (same input) | 1357 | e3daced6... | +357 |

Only the Cowork-routed path mutates, which isolates the bug to the Cowork client's tool-call serializer (not the MCP server, local HTTP transport, or Cloudflare tunnel).

Pattern:

  • Triggers on identical-character runs >= ~100; runs of 16-104 are bit-perfect.
  • High-entropy content (random bytes, base64, hashes) is bit-perfect at any length.
  • Deterministic within a session; magnitude varies between sessions (+442 / +357 / +416 / +5 / +2 observed).
  • Output stays ASCII and the same character — looks like a coalescing/run-length pass that expands runs with the wrong multiplier on decode.

Impact: silent data corruption on any MCP tool taking string content (write_file, code editors, document generators, run_command-with-stdin). Realistic triggers: padded base64, ASCII art, indentation-heavy code, markdown tables, config files with blank-line runs.

Ask:

  1. Confirm the Cowork client serializer can mutate repetitive tool-call string args.
  2. Provide a tracking reference.
  3. Fix the RLE/coalescing pass so encode/decode roundtrips bit-perfect, and add a server-visible content-length contract so mismatches surface as errors instead of silent corruption.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗