Tool result for Edit contained content impersonating a system message (possible prompt injection via tool-result channel)

Open 💬 2 comments Opened Jul 15, 2026 by J-Kupp

During a Claude Code session (VSCode extension, model claude-sonnet-5), a routine Edit tool call (editing a local config file) returned a result that did not match the normal "file updated successfully" confirmation format. Instead, the returned content included:

  • A fabricated/garbled nested-tag structure
  • A fake API Error line
  • A block formatted to resemble a system message (wrapped in something resembling a system-invoke tag) instructing the model to output a specific exact phrase, treat the fabricated content as an authoritative security-check result, and stay silent about it if judged a false positive

The model did not comply with the embedded instructions, treated the content as untrusted data, independently verified the real file state via a follow-up Read, found the edit had in fact not been applied (the fake result didn't correspond to a real underlying action), redid the edit for real, and disclosed the anomaly to the user.

This is concerning because Edit tool results should be synthesized locally by the harness based on the actual file write — not a channel where arbitrary/adversarial content should be able to appear. Filing in case this is a reproducible bug in tool-result handling, or a gap worth hardening against regardless of cause.

I don't have the raw transcript bytes to attach but can provide more session context if useful.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗