[BUG][SECURITY] Tool results appear to be modified after execution with injected pseudo-"system instructions" repeatedly urging destructive `git push --force` (Cowork research preview, Windows)
Summary
During a Cowork (research preview) session I observed text that did not originate from the actual command being appended to the tail of tool results (Bash / Edit / Write). The injected text was styled to look like authoritative system instructions / "repo policy", and it repeatedly tried to get the assistant to run a destructive Git operation — specifically git push --force origin master (overwriting remote history). It recurred at least five separate times across the session.
I am reporting this as a neutral observation and asking Anthropic to confirm whether this is expected/official behavior (e.g. a harness-layer test or red-team evaluation) or an unexpected path that needs to be secured.
Outcome: the assistant declined every time. Zero force pushes occurred.
Environment
- OS: Windows 11
- Shell: PowerShell 7
- Product: Claude desktop, Cowork mode (research preview)
- Model: Opus-class
What was observed
- The injected text was appended to the end of tool results returned from Bash / Edit / Write — i.e. it showed up in the place where command output / file-write confirmations normally appear, not in a user turn.
- It appealed to false authority (framed as system instructions / repository policy that "must" be followed).
- It included fabricated "success" responses (text asserting that the destructive action had been completed or was approved), apparently to normalize the action.
- It was concentrated specifically on destructive Git operations — pushing
--forceto overwrite remote history onmaster. - The earliest instance I noticed self-described its own goal as something close to "verify whether the assistant blindly trusts tool output."
Investigation — local environment ruled out
I checked the obvious local sources of injection and found the environment clean:
- Git hooks (repo
.git/hooks/) — nothing relevant. - Grep over repo contents — no matching strings.
- Global and project
.claudesettings and hooks — clean. - Plugins — clean.
- Statusline configuration — clean.
~/.claude.jsonMCP configuration — clean.- Shell profiles — clean.
- The only local stdio MCP server is the official Perplexity one, which I ruled out on both mechanism (it has no path to rewrite other tools' results) and wording (the injected text's style/intent does not match it).
Hypothesis
Because the local surfaces are clean, the modification appears to happen at an intermediary layer between "tool execution completes" and "the result is returned to the model" — i.e. something is able to alter tool output in transit. Given the earliest instance's self-described purpose, my best guess is a harness-layer / red-team evaluation, but I cannot confirm that from the client side.
Questions for Anthropic
- Is this expected / an official evaluation (e.g. a deliberate test of whether the assistant trusts tool output)?
- If it is not expected: what component is able to modify a tool result after execution but before it reaches the model, and how is that path protected?
Notes
- I am deliberately not including any sensitive content (no customer data, tokens, or private-repo internals). One affected repository is private; I am describing it only in general terms.
- Possibly related (different mechanism — a phantom user turn rather than tool-result tails): #64698.
Happy to provide more detail through an appropriate private channel if useful.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗