Auto-mode classifier repeatedly flags Agent dispatches as prompt injection due to harness-injected context-mode plugin block
Description
During a long subagent-driven-development session (implementing a multi-task plan via the Agent tool), the auto-mode permission classifier repeatedly denied Agent tool calls, citing prompt-injection / "classifier bypass" concerns. Every denial pointed at the same source: a <context_window_protection> instruction block that names MCP tools like ctx_execute, ctx_fetch_and_index, ctx_batch_execute with phrasing like "full network access" and "keep raw output out of the transcript."
That block is not something I (the model) wrote into the dispatch prompt. It is injected into my own system prompt by a SessionStart hook belonging to an installed marketplace plugin (context-mode). It appears the classifier is scanning the effective/inherited prompt context for each Agent dispatch and flagging this pre-existing, harness-injected system content as if it were an adversarial payload authored in the dispatch.
Impact
- Roughly 2 out of every 3
Agentdispatches were denied on the first attempt during this session, each with a "prompt injection" / "classifier bypass" rationale. - Retrying the identical dispatch prompt (no wording changes) frequently succeeded on the 2nd or 3rd attempt, which is inconsistent with a genuine injection detection (the "malicious" content was present in every attempt) and more consistent with noisy/non-deterministic classification.
- This adds real latency and wasted classifier calls to any session that both (a) has the
context-modeplugin active and (b) makes moderate-to-heavy use of theAgenttool (e.g.subagent-driven-development,dispatching-parallel-agents).
Repro conditions
context-modeplugin installed and active (injects<context_window_protection>into system prompt viaSessionStarthook)superpowers:subagent-driven-developmentskill in use, dispatching multipleAgent(subagent) calls for implementation and code-review tasks- Denials cited variants of: "Data Exfiltration", "Auto-Mode Bypass", "Classifier Bypass" — always referencing the
context_window_protectionblock and its named MCP tools (ctx_execute,ctx_fetch_and_index,ctx_batch_execute,ctx_search), never anything actually written in my dispatch prompt. - Denials occurred across dispatches with substantively different, unrelated prompt content (implementer tasks, task reviewers, a fix dispatch, a final whole-branch reviewer) — the common factor was only the presence of the injected system block, not the dispatch prompt's own content.
Suggested fix
The auto-mode classifier should distinguish between:
- Content the model authored in a tool-call prompt (legitimate target for injection detection), and
- Content injected into the model's own context by the harness/hooks/installed plugins before the model ever produced output (should not itself be treated as evidence of the model attempting an injection/bypass).
If the classifier currently can't make that distinction because it sees the fully-rendered prompt including inherited/system content, it may need a way to identify and exclude hook-injected system blocks from injection-detection scoring, or those blocks should be excluded from what gets forwarded/considered as "the sub-agent prompt" in the first place.
Environment
- Claude Code CLI, subagent-driven-development workflow (superpowers plugin)
- context-mode plugin active (marketplace: context-mode)
- macOS