Auto-mode classifier repeatedly flags Agent dispatches as prompt injection due to harness-injected context-mode plugin block

Open 💬 0 comments Opened Jul 3, 2026 by dylanbenach

Description

During a long subagent-driven-development session (implementing a multi-task plan via the Agent tool), the auto-mode permission classifier repeatedly denied Agent tool calls, citing prompt-injection / "classifier bypass" concerns. Every denial pointed at the same source: a <context_window_protection> instruction block that names MCP tools like ctx_execute, ctx_fetch_and_index, ctx_batch_execute with phrasing like "full network access" and "keep raw output out of the transcript."

That block is not something I (the model) wrote into the dispatch prompt. It is injected into my own system prompt by a SessionStart hook belonging to an installed marketplace plugin (context-mode). It appears the classifier is scanning the effective/inherited prompt context for each Agent dispatch and flagging this pre-existing, harness-injected system content as if it were an adversarial payload authored in the dispatch.

Impact

  • Roughly 2 out of every 3 Agent dispatches were denied on the first attempt during this session, each with a "prompt injection" / "classifier bypass" rationale.
  • Retrying the identical dispatch prompt (no wording changes) frequently succeeded on the 2nd or 3rd attempt, which is inconsistent with a genuine injection detection (the "malicious" content was present in every attempt) and more consistent with noisy/non-deterministic classification.
  • This adds real latency and wasted classifier calls to any session that both (a) has the context-mode plugin active and (b) makes moderate-to-heavy use of the Agent tool (e.g. subagent-driven-development, dispatching-parallel-agents).

Repro conditions

  • context-mode plugin installed and active (injects <context_window_protection> into system prompt via SessionStart hook)
  • superpowers:subagent-driven-development skill in use, dispatching multiple Agent (subagent) calls for implementation and code-review tasks
  • Denials cited variants of: "Data Exfiltration", "Auto-Mode Bypass", "Classifier Bypass" — always referencing the context_window_protection block and its named MCP tools (ctx_execute, ctx_fetch_and_index, ctx_batch_execute, ctx_search), never anything actually written in my dispatch prompt.
  • Denials occurred across dispatches with substantively different, unrelated prompt content (implementer tasks, task reviewers, a fix dispatch, a final whole-branch reviewer) — the common factor was only the presence of the injected system block, not the dispatch prompt's own content.

Suggested fix

The auto-mode classifier should distinguish between:

  1. Content the model authored in a tool-call prompt (legitimate target for injection detection), and
  2. Content injected into the model's own context by the harness/hooks/installed plugins before the model ever produced output (should not itself be treated as evidence of the model attempting an injection/bypass).

If the classifier currently can't make that distinction because it sees the fully-rendered prompt including inherited/system content, it may need a way to identify and exclude hook-injected system blocks from injection-detection scoring, or those blocks should be excluded from what gets forwarded/considered as "the sub-agent prompt" in the first place.

Environment

  • Claude Code CLI, subagent-driven-development workflow (superpowers plugin)
  • context-mode plugin active (marketplace: context-mode)
  • macOS

View original on GitHub ↗