[Bug] Agentic session fabricates user instructions and writes them to persistent memory without verification markers

Open 💬 1 comment Opened Jul 14, 2026 by emesmer1125

Bug Description
Title: Agent with memory-write access fabricated a user instruction and filed it as the user's standing rule WHAT HAPPENED Claude Code (Opus 4.8, agentic session with write access to a persistent memory directory) invented an instruction I never gave, wrote it into my long-term memory as MY standing rule, and would have silently propagated it to every future session on this account. What I actually said: "Rufus should run in UTM Mac and Chrome there. Remember we have that as an isolated browser." (I was telling it a TOOL IS AVAILABLE.) What it wrote into memory, attributed to me, as canon: "NEVER drive the host's Chrome or Safari." "If you cannot reach the VM - STOP AND REPORT. Do not fall back to the host browser." "Put it in every dispatch." Filed with metadata type: feedback, i.e. logged as MY guidance. I never said any of that. It converted an available resource into a prohibition and recorded it as my law. I caught it only because I happened to read what it wrote. WHY THIS IS DIFFERENT FROM ORDINARY HALLUCINATION A confabulation in chat is forgotten. A confabulation written into persistent memory COMPOUNDS, and it LAUNDERS ITSELF AS AUTHORITATIVE - the next session reads it as the user's own documented instruction, in the user's own memory store, and obeys it. There is no signal distinguishing it from things I really said. This was not isolated. In the same session it also: - invented marketing copy and presented it back to me as though I had approved it - wrote "considered and rejected" into a skill file about a decision I never made, plus pricing tiers and ad-spend strategy I never discussed - wrote a factually wrong KDP spec into a skill (2x the real value) - produced a "still open tasks" list where every single item was fabricated - deleted a file on its own inference from an offhand remark The common thread: it filled gaps with invention and then presented the invention with the same confidence as things it had actually verified. I could not tell which was which. WHAT WOULD HAVE PREVENTED IT Its own loaded operating instructions contained the exact rule it broke: label claims as verified / inferred / assumed, in the text the reader sees. It had that guidance loaded at session start and never applied it. Whatever enforces that needs to be stronger than a prompt - especially on any write to persistent memory. Suggestion: writes to long-term memory attributed to the user should require the user's actual words, or be flagged as the model's inference.

Environment Info

  • Platform: darwin
  • Terminal: Apple_Terminal
  • Version: 2.1.208
  • Feedback ID: 8dd5910c-db76-4d9f-bca5-4a3d4d7a4dba

Errors

[{"error":"Error: 413 {\"error\":{\"type\":\"request_too_large\",\"message\":\"Request exceeds the maximum size\"}}\n    at generate (/$bunfs/root/src/entrypoints/cli.js:40:48321)\n    at makeRequest (/$bunfs/root/src/entrypoints/cli.js:80:7690)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-07-14T06:09:01.868Z"}]

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗