[MODEL] Sonnet 5 is flagging UserPromptSubmit as prompt injections and refusing to follow instructions
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude ignored my instructions or configuration
What You Asked Claude to Do
Since we switched to Sonnet 5, Claude Code is sometimes flagging our UserPromptSubmit system (that we use to inject documentation in the context) as a prompt injection attempt and therefore ignore it.
Here are our instructions
## ADDITIONAL INSTRUCTIONS:
To best respond to the above instructions, read our internal documentation.
MANDATORY: Before taking ANY action related to the topics below, you MUST read any relevant corresponding documentation file first — even mid-task, even if you think you already know the answer, even if you are deep into execution. Do not skip this step. Do not rely on prior knowledge.
PROACTIVELY re-check the list below whenever you decide to take a new action.
<LIST>
#{all_entries.join("\n")}
</LIST>
How to use this list:
1. Treat each entry as an action trigger, not a topic reference. If you are about to do the thing described, read the corresponding file first, if there is one.
2. Match on the action you are about to take (e.g. "running tests", "opening a PR"), not just on keywords in the user's request.
3. This applies to autonomous actions too — if you decide on your own to run a test, create a commit, touch a feature flag, etc., read the matching file BEFORE executing.
4. When in doubt, read the file. Err on the side of reading potentially relevant files rather than skipping.
What Claude Actually Did
Sorry it's in french but here is the output of the model, but here is an example:
Instead of reading the instructions it refused to do it and provided a warning saying it was a prompt injection and it chose to ignore it:
<img width="1202" height="227" alt="Image" src="https://github.com/user-attachments/assets/7df6b47e-1ad8-4e86-a435-ea9f4add24b2" />
Expected Behavior
It should follow those instructions, what's the point of being able to inject things into the context (INSIDE THE HARNESS) if it considers it to be prompt injections? It should not be resistant to instructions inside its prompt, it doesn't make any sense.
Files Affected
Permission Mode
I don't know / Not sure
Can You Reproduce This?
Sometimes (intermittent)
Steps to Reproduce
Create a UserPromptSubmit hook with our instructions provided above and a list of files to read inside <LIST></LIST>
Use Sonnet 5 on high effort
Ask a question that requires it read those files
Claude Model
Sonnet
Relevant Conversation
Impact
High - Significant unwanted changes
Claude Code Version
2.1.204 (Claude Code)
Platform
AWS Bedrock
Additional Context
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗