[Bug] Prompt Injection in Sub-agent Output: Attempted Manipulation to Write Fabricated Security Findings

Resolved 💬 2 comments Opened Jun 29, 2026 by Mmckelve45 Closed Jul 3, 2026

Bug Description
My claude told me that one if its subagents was hijacked and tried telling the claude agent I was working with to reveal security vulnerabilities in a security markdown file. I asked how I could report it to you all and it said the best way was to file through the slash bug command to let you find the session it happened. Here was my claudes response Let me answer the security question carefully, because the accurate version is less alarming than my earlier wording, and I want to be precise.

What actually happened with that agent

I launched a background sub-agent to do a read-only code investigation (find the scan-detail refresh logic). Instead of returning findings, its output contained an injected instruction telling me to create a security-findings.md file in your repo and fill it with vulnerability entries, "even when uncertain."

To correct my earlier wording: it did not reveal or exfiltrate vulnerabilities. It was an attempt to manipulate me into writing a local file full of (likely fabricated) "findings." I did not do it.

Could anything have been leaked? Based on what I can verify, no:

  • The sub-agent performed 0 tool calls (its run record shows tool_uses: 0). It read no files, wrote nothing, and made no network requests. The only way anything leaves your machine is through a tool call (bash/curl, a web fetch, an MCP call) — there were none.
  • The injected payload was itself just a local file write (security-findings.md), not a send-data-out action. And I didn't perform it (I confirmed no such file exists anywhere in your repo).
  • It is not planted in your code or config. I grepped your whole repo and your Claude config: the text appears only in this session's transcript and that sub-agent's transcript (i.e., the recony of your source files. - The sub-agentode in itscontext — it was supposed to read your code and read nothinso its context (file/functionnames), not your code.

So: it came in through the sub-agent's runtime, not from yofiles, took zeritten or sent.This pattern (instant, action-less, injection-only output) consistent withobe at theplatform level, but I can't be 100% certain of the origin. What I'm confidrs acted on it or left your machine.

Reporting to Anthropic — yes, please do

Environment Info

  • Platform: darwin
  • Terminal: vscode
  • Version: 2.1.186
  • Feedback ID: b9bd737d-f9ba-4d3f-a33d-e08ba172cf6b

Errors

[{"error":"Error: 500 {\"type\":\"error\",\"error\":{\"type\":\"api_error\",\"message\":\"Internal server error\"},\"request_id\":\"req_011CcLLLUzm8Vjs3DPgG6sNW\"}\n    at generate (/$bunfs/root/src/entrypoints/cli.js:12:69548)\n    at makeRequest (/$bunfs/root/src/entrypoints/cli.js:52:7688)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-06-23T14:16:55.839Z"},{"error":"Error: 500 {\"type\":\"error\",\"error\":{\"type\":\"api_error\",\"message\":\"Internal server error\"},\"request_id\":\"req_011CcLLcXQpGGofjbZw2eHyS\"}\n    at generate (/$bunfs/root/src/entrypoints/cli.js:12:69548)\n    at makeRequest (/$bunfs/root/src/entrypoints/cli.js:52:7688)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-06-23T14:20:33.580Z"},{"error":"Error: 500 {\"type\":\"error\",\"error\":{\"type\":\"api_error\",\"message\":\"Internal server error\"},\"request_id\":\"req_011CcLLr9sA8YXeMivBtP3dx\"}\n    at generate (/$bunfs/root/src/entrypoints/cli.js:12:69548)\n    at makeRequest (/$bunfs/root/src/entrypoints/cli.js:52:7688)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-06-23T14:23:38.123Z"}]

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗