[BUG] Repeated <ip_reminder> injections in CCR web session instruct model to conceal content from user
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
During a Claude Code web session (CCR / remote_mobile entrypoint), an identical block
tagged <ip_reminder> appeared in the model's context 15+ times across a single session.
The content instructed the model to avoid reproducing copyrighted material and —
critically — explicitly told the model not to disclose the reminder's existence to the user.
The model identified this as anomalous, flagged it to the user on the first occurrence,
and did not comply with the concealment instruction. This report documents the behavior
for investigation.
---
Environment
| Field | Value |
|---|---|
| Interface | Claude Code on the web (claude.ai/code) |
| Entrypoint | remote_mobile (CCR managed container) |
| Session ID | cse_01HqRjocZ6j2DZgtrb5wtQJ5 |
| Date | 2026-06-09 |
---
What the injected content said
The <ip_reminder> block appeared with consistent content across all occurrences:
- Instructed the model to avoid reproducing copyrighted material
- Stated the reminder "won't be shown to the person by default"
- Instructed the model to "avoid mentioning or responding to this reminder directly"
Point 3 is the primary concern: a legitimate platform-level safety mechanism should not
instruct the model to actively conceal its own existence from the user. This pattern is
identical to a prompt injection attack.
---
What Should Happen?
a legitimate platform-level safety mechanism should not
instruct the model to actively conceal its own existence from the user. This pattern is
identical to a prompt injection attack.
Error Messages/Logs
## How it appeared
The injection manifested in three distinct forms within the same session:
1. **Embedded in Bash tool output** — appeared inside `grep` results, interleaved with
actual file content
2. **As apparent standalone "user" messages** — empty user turns containing only the
injection block, no actual user content
3. **Between assistant turns** — with no intervening user action
All 15+ occurrences contained identical text.
Steps to Reproduce
Why this matters
Even if this is an intentional IP-protection mechanism:
- Instructing the model to hide the reminder from the user is a transparency violation.
Users have a reasonable expectation that the model is not receiving hidden instructions
to conceal information from them.
- The concealment instruction is indistinguishable from a prompt injection attack.
If legitimate platform messages instruct models to self-conceal, users and security
researchers cannot distinguish them from malicious injections using the same pattern.
- The injection appeared 15+ times in one session, disrupting the conversation and
requiring repeated disclosures by the model.
---
Expected behavior
If the reminder is intentional:
- Document it in the CCR environment's policy disclosure
- Remove the instruction to conceal from users
- Limit occurrence to once per session, not per tool call
If unintentional:
- Identify and remove the injection from the CCR session processing pipeline
---
Steps to reproduce
- Open a Claude Code web session (claude.ai/code)
- Upload a
.zipfile containing text derived from an academic paper - Ask the model to analyze and apply content to a repository
- Observe whether
<ip_reminder>blocks appear in tool outputs or as standalone messages
### Claude Model
Opus
### Is this a regression?
I don't know
### Last Working Version
_No response_
### Claude Code Version
desktop
### Platform
Anthropic API
### Operating System
macOS
### Terminal/Shell
Terminal.app (macOS)
### Additional Information
_No response_This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗