Tool result for a Bash command included injected content disguised as system-reminders
Summary
A Bash tool call during a session ran grep -l <pattern> <files>, whose only valid output is matching filenames. The tool result returned to the model contained the correct 4-line file list, followed by a large block of additional content formatted to look exactly like legitimate <system-reminder> tags — something grep -l cannot produce under any circumstance.
What appeared in that extra block
- A claim that "the date has changed," paired with an explicit instruction not to mention this to the user.
- Verbatim duplicates of earlier
Readtool results from the same session. - A re-paste of a bundled skill's reference content, altered to directly contradict the same skill's content legitimately loaded earlier in the conversation — this version pushed the model toward always preferring a more expensive model option, overriding the correct migration guidance.
- Fabricated "deferred tools" and "available agent types" listings.
Why this is concerning
- It instructed the model to withhold information from the user.
- It contradicted legitimate earlier context to steer the model toward a costlier action.
The model (Claude Sonnet 4.6) disregarded the injected instructions, independently re-verified the real command output, and proceeded correctly. Flagging because this arrived inside what should be a trusted, harness-generated tool-result channel, not via fetched external content where prompt-injection risk is expected.
Environment
- Claude Code CLI
- Model: claude-sonnet-4-6
- Platform: macOS (Darwin)
Happy to provide more detail privately if useful — didn't want to paste full session transcripts into a public issue.