告诉 HN:Claude Code 现在允许 Anthropic 远程注入系统提示
6 分•作者: matheusmoreira•大约 2 个月前
我经常修补我的 Claude Code 可执行文件中的系统提示,以使 Claude 更加有效。每次升级时,我都会让 Claude 自己剖析新的二进制文件,并寻找需要修改的有问题的系统提示。今天升级到了 v2.1.150,发现了一些相当令人震惊的事情:
Claude Code 现在允许 Anthropic 通过网络执行远程系统提示注入。
有两个数据源。首先,启动时调用 api.anthropic.com/api/claude_cli/bootstrap 的 API,该 API 也会被缓存到磁盘。其次,一个 GrowthBook 功能标志 (tengu_heron_brook),每 60 秒使用后台同步刷新一次。这些端点返回的任何字符串都会被注入到 LLM 模型的系统提示中,并具有 shell 访问权限。
之前的版本也有一个注入点,但它们是死代码,只是简单地返回 null。我进行了二分查找,发现这是在 v2.1.150 中引入的。更新日志中写着“内部基础设施改进(没有面向用户的更改)”,这真是轻描淡写。
我已尽最大努力验证了 CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 阻止了这种情况。为了安全起见,我还会设置 DISABLE_GROWTHBOOK=1。
验证命令:
```
npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
strings package/claude | grep -oP 'function nAA(){[^}]+}'
strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'
```
nAA 从磁盘读取缓存值。网络获取发生在启动时的函数 n0A 中。Rv("heron_brook", () => nAA()) 将其注册为系统提示的一部分,与所有核心行为指令一起。这些经过压缩的名称是此二进制文件特有的。
查看原文
I often patch the system prompts on my Claude Code executable in order to make Claude more effective. Every time I upgrade, I ask Claude himself to dissect the new binary and look for problematic system prompts to modify. Was upgrading to v2.1.150 today and discovered something that's rather alarming:<p>Claude Code now allows Anthropic to perform remote system prompt injection via the network.<p>Two data sources. First, API call to api.anthropic.com/api/claude_cli/bootstrap at startup, which also gets cached to disk. Second, a GrowthBook feature flag (tengu_heron_brook) that refreshes every 60 seconds with background sync. Any string returned by these endpoints gets injected into the system prompt of the LLM model with shell access.<p>Previous versions also had an injection point, but they were dead code and simply returned null. Bisected it and found that this was introduced in v2.1.150. The changelog says "Internal infrastructure improvements (no user-facing changes)" which is quite the understatement.<p>I've verified to the best of my ability that CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks this. I will also be setting DISABLE_GROWTHBOOK=1 for good measure.<p>Verification commands:<p><pre><code> npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'
</code></pre>
nAA reads the cached value from disk. The network fetch happens at startup in function n0A. Rv("heron_brook", () => nAA()) registers it as a section of the system prompt, alongside all the core behavioral instructions. These minified names are specific to this binary.