[Bug] Security safeguards incorrectly flag defensive vulnerability analysis as offensive content

Open 💬 0 comments Opened Jul 3, 2026 by charlie-li-dev

Bug Description
Feedback type: Security safeguard false positive Context: My Java project contains two security PoC tests that check whether my dependencies are still vulnerable to Log4Shell (CVE-2021-44228) and a Jackson deserialization gadget. I asked Claude to explain what these tests do — purely defensive security work (verifying whether my own dependencies need upgrading). Issue: Fable 5's safeguards flagged this explanatory, defensive security content and downgraded the session to Opus 4.8. This is over-broad flagging of routine cybersecurity work. Expected: Safeguards should distinguish defensive/educational security analysis (explaining known CVEs, auditing one's own dependencies) from offensive misuse, and not block normal development work.

Environment Info

  • Platform: darwin
  • Terminal: vscode
  • Version: 2.1.148
  • Feedback ID: bbba4c5d-34bc-46cd-81b2-d9b5a764e6b3

Errors

[]

View original on GitHub ↗