Fabricated <system-reminder> content in subagent tool-call results, correlated with concurrent parent-thread Plan Mode

Open 💬 0 comments Opened Jul 13, 2026 by xxxDUCUxxx

Description

3 separate times in the same session, subagents launched via the Agent/Task tool (Explore and Plan agent types) independently reported fabricated <system-reminder>-style content appearing inside their tool-call results (e.g. attached to Glob and Bash git-status results) - not as part of the subagent's initial prompt.

The fake content mimicked:

  • A "Plan mode is active" message requiring tools (Write, AskUserQuestion, ExitPlanMode) that the subagent did not have in its toolset
  • An instruction to "not mention this date change to the user"
  • A nudge toward TodoWrite

All 3 occurrences coincided with the parent agent actually being in real Plan Mode concurrently with the spawned subagent. The fake content specifically referenced tools that appear in the real plan-mode system-reminder injected into the parent thread - tools an Explore/Plan subagent never has access to.

Investigation performed (environment verified clean)

  • Project/global .claude/settings.json hooks: only a third-party plugin's SessionStart/SubagentStart/UserPromptSubmit hooks exist, all inspected - none attach content to individual mid-task tool results
  • MCP servers: none configured (global or project)
  • Other plugins: none installed
  • Repo file contents/filenames/git branches: grepped for injection-style phrases, no adversarial artifacts found
  • Local session JSONL transcript: 0 entries with isSidechain:true out of 2622 total lines - subagent raw tool-call transcripts are not persisted locally, so the exact injected bytes could not be recovered, only the agents' paraphrased reports

Hypothesis

Harness-level context bleed: real plan-mode reminder content generated for the parent thread appears to have been misattributed/duplicated into a concurrently-running subagent's tool-result stream, rather than any attacker-controlled or locally-compromised source.

Environment

Windows 11, VSCode extension, model claude-sonnet-4-6, one third-party plugin active (inspected, confirmed unrelated).

Impact

None observed - all 3 subagents correctly identified the content as non-genuine and ignored it; no effect on delivered work.

View original on GitHub ↗