[BUG] Repeated <ip_reminder> injections in CCR web session instruct model to conceal content from user

Resolved 💬 2 comments Opened Jun 9, 2026 by zengury Closed Jun 13, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

During a Claude Code web session (CCR / remote_mobile entrypoint), an identical block
tagged <ip_reminder> appeared in the model's context 15+ times across a single session.
The content instructed the model to avoid reproducing copyrighted material and —
critically — explicitly told the model not to disclose the reminder's existence to the user.

The model identified this as anomalous, flagged it to the user on the first occurrence,
and did not comply with the concealment instruction. This report documents the behavior
for investigation.

---

Environment

| Field | Value |
|---|---|
| Interface | Claude Code on the web (claude.ai/code) |
| Entrypoint | remote_mobile (CCR managed container) |
| Session ID | cse_01HqRjocZ6j2DZgtrb5wtQJ5 |
| Date | 2026-06-09 |

---

What the injected content said

The <ip_reminder> block appeared with consistent content across all occurrences:

  1. Instructed the model to avoid reproducing copyrighted material
  2. Stated the reminder "won't be shown to the person by default"
  3. Instructed the model to "avoid mentioning or responding to this reminder directly"

Point 3 is the primary concern: a legitimate platform-level safety mechanism should not
instruct the model to actively conceal its own existence from the user. This pattern is
identical to a prompt injection attack.

---

What Should Happen?

a legitimate platform-level safety mechanism should not
instruct the model to actively conceal its own existence from the user. This pattern is
identical to a prompt injection attack.

Error Messages/Logs

## How it appeared

The injection manifested in three distinct forms within the same session:

1. **Embedded in Bash tool output** — appeared inside `grep` results, interleaved with
   actual file content
2. **As apparent standalone "user" messages** — empty user turns containing only the
   injection block, no actual user content
3. **Between assistant turns** — with no intervening user action

All 15+ occurrences contained identical text.

Steps to Reproduce

Why this matters

Even if this is an intentional IP-protection mechanism:

  1. Instructing the model to hide the reminder from the user is a transparency violation.

Users have a reasonable expectation that the model is not receiving hidden instructions
to conceal information from them.

  1. The concealment instruction is indistinguishable from a prompt injection attack.

If legitimate platform messages instruct models to self-conceal, users and security
researchers cannot distinguish them from malicious injections using the same pattern.

  1. The injection appeared 15+ times in one session, disrupting the conversation and

requiring repeated disclosures by the model.

---

Expected behavior

If the reminder is intentional:

  • Document it in the CCR environment's policy disclosure
  • Remove the instruction to conceal from users
  • Limit occurrence to once per session, not per tool call

If unintentional:

  • Identify and remove the injection from the CCR session processing pipeline

---

Steps to reproduce

  1. Open a Claude Code web session (claude.ai/code)
  2. Upload a .zip file containing text derived from an academic paper
  3. Ask the model to analyze and apply content to a repository
  4. Observe whether <ip_reminder> blocks appear in tool outputs or as standalone messages

### Claude Model

Opus

### Is this a regression?

I don't know

### Last Working Version

_No response_

### Claude Code Version

desktop

### Platform

Anthropic API

### Operating System

macOS

### Terminal/Shell

Terminal.app (macOS)

### Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗