Subagent misidentifies ephemeral auto-mode <system-reminder> as a prompt injection in Bash tool output
Environment: Claude Code 2.1.201, WSL2 (Ubuntu), user settings permissions.defaultMode: "auto".
What happened: During a Task-tool subagent run, the harness attached its ephemeral auto-mode <system-reminder> ("Auto Mode Active" — git-safety guidance + bias away from clarifying questions) adjacent to a Bash tool_result (a plain grep). The subagent read the block as embedded in the command's stdout and warned the user of a prompt injection — twice (mid-task and again in its final report). The user then spent real time investigating a suspected compromise (hooks, skills, hidden Unicode, the grepped file) that didn't exist.
Why the model can't tell: the reminder is composed into the model context at API time, concatenated after the tool's real output, and never persisted to the session JSONL. From the model's seat there is no way to distinguish "harness attachment" from "process stdout"; post-hoc, the persisted tool_result looks clean, which makes the agent's claim look even more alarming (an unverifiable "ghost" injection).
Impact: false security alarms that erode trust in genuine injection warnings, plus user time lost to forensics. Injection-vigilance is desirable — the agent correctly refused to act on the content — but the attribution failure is a harness artifact.
Suggested fixes (any one would resolve it):
- Deliver harness-injected reminders as a separate content block rather than concatenated into the tool_result text, or
- Have mode/autonomy reminders self-identify as harness-injected (one sentence), or
- Persist injected reminders to the transcript so post-hoc adjudication can confirm their origin.
Repro sketch: set permissions.defaultMode: "auto"; dispatch a subagent that runs Bash commands; when the auto-mode reminder attaches to a tool result, the subagent may flag it as an injection embedded in stdout.