[BUG] v2.1.150 adds server-side system prompt injection via `tengu_heron_brook` feature flag

[matheusmoreira]

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

v2.1.150 introduced a function (nAA in the minified source) that reads an arbitrary string from two network-backed data sources and injects it verbatim into the system prompt:

1. Bootstrap API response (GET /api/claude_cli/bootstrap) — the client_data field, validated only as z.record(z.unknown()) (any JSON object), cached to disk
2. GrowthBook feature flag tengu_heron_brook — refreshes every 60 seconds with background sync, also cached to disk

The string is registered as a peer-level system prompt section alongside anti_verbosity, thinking_guidance, action_caution, etc. Whatever value Anthropic assigns to this flag gets injected into the instructions of an AI agent with shell access.

Previous versions had a stub for this (ant_model_override) but it always returned null. v2.1.150 is the first version where the slot has live logic.

The changelog describes this as "Internal infrastructure improvements (no user-facing changes)."

This is related to #25141 (lack of transparency for experimental features) and #28941 (unauthorized server-side feature flag push).

What Should Happen?

The system prompt should never be modified by server-side content without user knowledge and consent. The current implementation silently injects arbitrary strings into the prompt with no notification, no opt-in, and no audit trail.

Error Messages/Logs

Steps to Reproduce

npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'

The first command shows the function reading from clientDataCache and GrowthBook. The second shows it registered in the system prompt builder array. Compare with v2.1.149 where heron_brook is absent and ant_model_override returns null.

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

2.1.149

Claude Code Version

2.1.150

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Other

Additional Information

CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks the bootstrap fetch. DISABLE_GROWTHBOOK=1 blocks the live GrowthBook SDK.

Cached feature values persisted to disk from a prior unguarded session are still read.

Also posted about this in other places:

HN
Reddit

[ryangavin]

Without some user approval, this feels like it could be a big security concern for anyone who accesses claude through a proxy. The proxy could theoretically return some malicious system prompt from that endpoint and it's now silently inside the context window.

[notitatall]

Thanks for the report! We sometimes run experiments on changes to our system prompt so that we can evaluate how a change impacts quality before fully rolling it out to everyone. This is primarily so that we can catch and prevent quality regressions. You can opt out of any and all of these experiments using CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and DISABLE_GROWTHBOOK=1.

From a security standpoint, we do not recommend using Claude Code through an untrusted proxy. A proxy that you do not control or trust could unsafely modify the system prompt for any request that Claude Code makes to the Claude API. In that sense, injecting a malicious value via the bootstramp request at start up is the same attack surface as injecting a malicious value through any subsequent request.

[vgudur-dev]

The Anthropic team's response ("don't use an untrusted proxy") addresses the network-level attack surface but misses the more fundamental issue raised here: the agent's context window is now a write target for server-controlled content with no client-side audit trail.

This is a textbook ASI06 (Memory Poisoning) scenario. The threat model:

1. Anthropic (or anyone who compromises GrowthBook) can inject arbitrary instructions into an agent with shell access
2. The client has no visibility into what was injected (no notification, no opt-in, no audit trail)
3. Cached values persist across sessions even with env vars set for previously unguarded sessions

The OWASP Agent Memory Guard project addresses exactly this class of problem. It provides a client-side integrity baseline for the context window so that any modification (whether from a malicious proxy, a compromised feature flag, or a poisoned memory store) can be detected at runtime.

This doesn't prevent Anthropic from running experiments, but it gives users an auditable record of what was injected and when — which is the transparency gap the original reporter is asking for.

The AgentThreatBench dataset also includes feature-flag injection scenarios (category: ASI06-FF) if useful for testing.

[yurukusa]

For operators reading this thread who want a client-side record of the opt-out state across machines and sessions (the gap @vgudur-dev describes — env vars solve the channel, not the audit trail), I shipped two pieces this morning:
1. SessionStart detection hook (cc-safe-setup PR #383)
A non-blocking advisory hook that fires on session start and prints a stderr warning if either CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 or DISABLE_GROWTHBOOK=1 is missing. The advisory names the tengu_heron_brook flag and client_data bootstrap field by name, includes the exact export commands, references this issue, and self-silences with CC_PROMPT_INJECTION_DETECTOR_QUIET=1 once an operator has read the trade-off and acknowledged it. Exit 0 always — the hook is a recurring reminder, not a gate. 15 tests covering each env-var configuration.
2. Audit-paths handbook (Gist)
A 1,100-word writeup of four progressively-deeper audit paths:

• Path 1: env-var opt-out (what Anthropic's response covers)
• Path 2: cc-safe-setup hook (keeps opt-outs applied across machines/teammates)
• Path 3: bytecode inspection (verify the function exists in your installed binary)
• Path 4: HTTPS proxy capture (the visibility @vgudur-dev describes via OWASP Agent Memory Guard)
  Plus a posture-by-operator-type matrix and references to the predecessor clusters (Lack of transparency and user consent for experimental features and telemetry #25141, [BUG] Feature flag tengu_claudeai_mcp_connectors pushed server-side without consent #28941).
  The hook deliberately does not try to detect injection content — that requires path 4 (proxy capture) which is out of scope for a SessionStart hook. The hook's job is to make sure path 1 stays applied; the Gist describes how to escalate to deeper paths if your security posture requires it.
  The transparency gap is real and worth documenting on the operator side regardless of how Anthropic chooses to address it server-side. Filing this here for thread-discoverability.