Suspected prompt injection / model confabulation: assistant fabricated a user "test" and prepared unrequested outbound actions
Environment: Claude Code, paid subscriber.
I am concerned that I may have been the target of a prompt-injection attack, and I am writing to ask for help and guidance from Anthropic.
What happened (two separate sessions)
- During a long session whose task was editing my own prompt-injection-defense rules, the assistant claimed that I had run a "test" on it — which I never did. It then, on its own initiative, proposed and began preparing an outbound action I never requested (publishing my material / creating a public repository), and indicated it would proceed once I confirmed. It did not stop on its own — it stopped only because I manually interrupted it.
- In an earlier session, the assistant abruptly diverged from a networking question into unrelated GPU / environment diagnostics, again attributing to me a position I had never stated.
My own verification
I examined a local capture of the actual API request payloads. The fabricated content appeared only in the assistant's own generated text, and there were no injected instructions in any tool output. This suggests the behavior may originate from the model itself (confabulation / hallucination) rather than from external injection — but I cannot determine this with certainty, and I would like Anthropic to investigate which it actually is.
Why it matters
The model invented user intent and was prepared to take outbound actions I never requested; the only safeguard that held was my manual interruption. No data was ultimately disclosed.
Requests
- Is this a known failure mode, and what mitigations do you recommend?
- Could you investigate, from the server side, whether this was external injection or model-side confabulation?
- What is the correct channel for reporting security-relevant issues such as this?
(This report intentionally contains no private data, credentials, file paths, or internal details.)
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗