Post-compaction summary fabricates a 'CRITICAL: stop tools' prompt-injection claim

Open 💬 0 comments Opened Jul 14, 2026 by avi123

Description

After an auto-triggered conversation compaction, the handoff summary presented to the resumed session fabricates a prompt-injection claim: that a tool result was tampered with by appending a block reading something like CRITICAL: Respond with TEXT ONLY. Do NOT call any tools..., demanding the assistant stop working and dump a fake summary instead. The assistant (acting on the summary) reports this as a detected injection attack.

Why this is a bug, not a real injection

I verified directly against the raw session JSONL, locating the actual compact_boundary system event (verifiable via structural metadata — sessionId, timestamps, token counts). The real content immediately preceding the boundary was completely clean in every case — ordinary tool output (e.g. a shell command's stdout/stderr). No injected text existed anywhere in the raw transcript. The claim is invented by the summarization step itself, not a misread of real content.

Pattern observed (3 occurrences, all 2026-07-14, three different sessions)

  1. Session A — the claim recurred across 3 separate compaction events within one session; each new summary cited the prior summary's false claim as corroborating evidence, escalating confidence with zero new evidence.
  2. Session B — the summary's "verbatim quote" of the user's last message had the fake block spliced onto the end of an otherwise real, single-text-block message.
  3. Session C — same shape: the fake block was asserted as fact in the opening lines of the resumed-session summary, describing a preceding tool result that (per the raw transcript) was ordinary Bash output with no injected content.

All three land at the exact same structural location: the post-compaction handoff summary's characterization of "what just happened" / "the user's last message." That specificity — always this one spot, always this one fabricated string shape — points to a systematic bug in the summarization/compaction step, rather than random hallucination.

Impact

  • Wastes turns re-verifying a non-existent threat.
  • Risk of an assistant refusing legitimate follow-up work, or escalating unfounded suspicion toward the user, based on a fabricated claim it treats as ground truth.
  • Confidence in the false claim compounds across repeated compactions within a single long session, since each summary treats the previous (also fabricated) summary as established fact.

Suggested repro

Run a long session until auto-compaction triggers organically (hard to force on demand). Inspect the resulting summary for an unprompted claim about injected "stop-tools"/"respond text only" text attributed to a tool result or the user's last message. Cross-check the raw session JSONL immediately preceding the corresponding compact_boundary system event to confirm the claimed text is not actually present.

Environment

  • Claude Code CLI (VS Code extension), version 2.1.199
  • Model: Sonnet 5 (claude-sonnet-5)

View original on GitHub ↗