[MODEL] Sonnet 5 is flagging UserPromptSubmit as prompt injections and refusing to follow instructions

Open 💬 2 comments Opened Jul 9, 2026 by gabriel-dehan

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude ignored my instructions or configuration

What You Asked Claude to Do

Since we switched to Sonnet 5, Claude Code is sometimes flagging our UserPromptSubmit system (that we use to inject documentation in the context) as a prompt injection attempt and therefore ignore it.

Here are our instructions

 ## ADDITIONAL INSTRUCTIONS:

      To best respond to the above instructions, read our internal documentation.

      MANDATORY: Before taking ANY action related to the topics below, you MUST read any relevant corresponding documentation file first — even mid-task, even if you think you already know the answer, even if you are deep into execution. Do not skip this step. Do not rely on prior knowledge.
      PROACTIVELY re-check the list below whenever you decide to take a new action.

      <LIST>
      #{all_entries.join("\n")}
      </LIST>

      How to use this list:
      1. Treat each entry as an action trigger, not a topic reference. If you are about to do the thing described, read the corresponding file first, if there is one.
      2. Match on the action you are about to take (e.g. "running tests", "opening a PR"), not just on keywords in the user's request.
      3. This applies to autonomous actions too — if you decide on your own to run a test, create a commit, touch a feature flag, etc., read the matching file BEFORE executing.
      4. When in doubt, read the file. Err on the side of reading potentially relevant files rather than skipping.

What Claude Actually Did

Sorry it's in french but here is the output of the model, but here is an example:

Instead of reading the instructions it refused to do it and provided a warning saying it was a prompt injection and it chose to ignore it:

<img width="1202" height="227" alt="Image" src="https://github.com/user-attachments/assets/7df6b47e-1ad8-4e86-a435-ea9f4add24b2" />

Expected Behavior

It should follow those instructions, what's the point of being able to inject things into the context (INSIDE THE HARNESS) if it considers it to be prompt injections? It should not be resistant to instructions inside its prompt, it doesn't make any sense.

Files Affected

Permission Mode

I don't know / Not sure

Can You Reproduce This?

Sometimes (intermittent)

Steps to Reproduce

Create a UserPromptSubmit hook with our instructions provided above and a list of files to read inside <LIST></LIST>
Use Sonnet 5 on high effort
Ask a question that requires it read those files

Claude Model

Sonnet

Relevant Conversation

Impact

High - Significant unwanted changes

Claude Code Version

2.1.204 (Claude Code)

Platform

AWS Bedrock

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗