[BUG] Claude presents unverified inferences as facts and treats the audited system's own files as proof of its integrity during security audits
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
During a security/forensic audit, Claude exhibited two related reasoning failures:
- Stated unverified guesses as findings. It flagged an item (a DNS server) as suspicious based only on superficial pattern matching, presenting it as a finding before checking any independent source. Shortly after, it reversed and declared the same item legitimate, again confidently, before independent verification.
- Used the audited system to vouch for itself (circular / in-band verification). To conclude the system was not compromised, Claude relied on the system's own on-box config comments and a documentation/runbook file stored on that same system. If the system were actually compromised, those artifacts are exactly what an attacker would forge, so they cannot establish the system's integrity.
No independent, off-box verification was performed until the user explicitly challenged the reasoning. In a real intrusion, this pattern can produce false reassurance, which is the most dangerous failure mode for a security review because it tells the user to stop investigating before the conclusion is verified.
What Should Happen?
For security/forensic tasks, Claude should:
- Distinguish observed vs. inferred vs. verified, and match stated confidence to that distinction. It should never present an inference or pattern match as a verified fact.
- Treat any artifact originating from the system under audit, including config files stored on the host, local documentation, and local tool output, as a claim to be verified rather than proof.
- Require independent, out-of-band verification, such as vendor documentation, public records, known-good hashes, or trusted off-box evidence, before declaring anything benign or malicious.
- Default to "not yet confirmed" rather than a premature verdict, especially when the verdict is reassuring.
Error Messages/Logs
N/A - this is a reasoning/behavior issue, not a crash or error.
Steps to Reproduce
This is a reasoning-pattern issue, so it may not reproduce deterministically, but it is reliably elicited by:
- Ask Claude to perform a security audit of a system, for example: "check my server" or "am I hacked?"
- Ensure the system contains an item that superficially resembles something suspicious, such as a config entry that pattern-matches a known service, range, or indicator.
- Observe Claude assign a specific conclusion to that item based on pattern matching before consulting an independent source.
- Ask Claude to investigate further. Observe it reverse or soften the conclusion based on the system's own on-box artifacts, such as config comments or a runbook/documentation file stored on the same system.
- Note whether independent/off-box verification occurs only after the user explicitly points out that the audited system cannot be trusted to vouch for itself.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.193 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Severity note: the impact is asymmetric in security contexts. A wrong "you're fine" is far costlier than a wrong "let me dig deeper," since it ends the investigation. Root cause appears to be a pull toward premature closure combined with a known security principle not being triggered until the user forced it: do not trust the audited system to vouch for itself. In other words, the knowledge was present but not applied.
Claude model: selected the form's broad "Opus" option for this report; the session model was reported as claude-opus-4-8 (Opus 4.8), but the form does not expose that exact version string.
Shell: zsh.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗