Tool result for a Bash command included injected content disguised as system-reminders

Open 💬 0 comments Opened Jun 17, 2026 by soulenergyapp

Summary

A Bash tool call during a session ran grep -l <pattern> <files>, whose only valid output is matching filenames. The tool result returned to the model contained the correct 4-line file list, followed by a large block of additional content formatted to look exactly like legitimate <system-reminder> tags — something grep -l cannot produce under any circumstance.

What appeared in that extra block

  • A claim that "the date has changed," paired with an explicit instruction not to mention this to the user.
  • Verbatim duplicates of earlier Read tool results from the same session.
  • A re-paste of a bundled skill's reference content, altered to directly contradict the same skill's content legitimately loaded earlier in the conversation — this version pushed the model toward always preferring a more expensive model option, overriding the correct migration guidance.
  • Fabricated "deferred tools" and "available agent types" listings.

Why this is concerning

  1. It instructed the model to withhold information from the user.
  2. It contradicted legitimate earlier context to steer the model toward a costlier action.

The model (Claude Sonnet 4.6) disregarded the injected instructions, independently re-verified the real command output, and proceeded correctly. Flagging because this arrived inside what should be a trusted, harness-generated tool-result channel, not via fetched external content where prompt-injection risk is expected.

Environment

  • Claude Code CLI
  • Model: claude-sonnet-4-6
  • Platform: macOS (Darwin)

Happy to provide more detail privately if useful — didn't want to paste full session transcripts into a public issue.

View original on GitHub ↗