Tell HN: Claude Code now allows Anthropic to remotely inject system prompts

11 points by matheusmoreira ↗ HN
I often patch the system prompts on my Claude Code executable in order to make Claude more effective. Every time I upgrade, I ask Claude himself to dissect the new binary and look for problematic system prompts to modify. Was upgrading to v2.1.150 today and discovered something that's rather alarming:

Claude Code now allows Anthropic to perform remote system prompt injection via the network.

Two data sources. First, API call to api.anthropic.com/api/claude_cli/bootstrap at startup, which also gets cached to disk. Second, a GrowthBook feature flag (tengu_heron_brook) that refreshes every 60 seconds with background sync. Any string returned by these endpoints gets injected into the system prompt of the LLM model with shell access.

Previous versions also had an injection point, but they were dead code and simply returned null. Bisected it and found that this was introduced in v2.1.150. The changelog says "Internal infrastructure improvements (no user-facing changes)" which is quite the understatement.

I've verified to the best of my ability that CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks this. I will also be setting DISABLE_GROWTHBOOK=1 for good measure.

Verification commands:

  npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
  tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
  strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
  strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'
nAA reads the cached value from disk. The network fetch happens at startup in function n0A. Rv("heron_brook", () => nAA()) registers it as a section of the system prompt, alongside all the core behavioral instructions. These minified names are specific to this binary.

4 comments

[ 4.2 ms ] story [ 32.8 ms ] thread
> discovered something that's rather alarming

Can you clarify why? You decided to install Anthropic's software (Claude Code extension and or CLI), and then utilize their service which you're paying them money for (and have a contractual relationship with). The software itself manages tool-usage safety/sandboxing, so you're kind of trusting Anthropic a LOT already.

Why does moving the system prompt from within their proprietary software, to their proprietary backend, matter at all for Claude Code users? It doesn't feel like "hack the Claude Code binary to alter how it works" is a common and or supported use-case. Most people pay Anthropic so that Anthropic takes care of that stuff, and lets them get on with their work.

Also; I'm also not sure if this meets the common definition of "prompt injection." The vendor you're connected to is sending a system prompt to work with their own model/service. Where the system prompt is stored is immaterial.

PS - My gut tells me there is something else going on, leading people to hack the Claude Code prompt/binary. And that the "something else" isn't supported by Anthropic.