告诉 HN:Claude Code 现在允许 Anthropic 远程注入系统提示

6作者: matheusmoreira大约 2 个月前
我经常修补我的 Claude Code 可执行文件中的系统提示,以使 Claude 更加有效。每次升级时,我都会让 Claude 自己剖析新的二进制文件,并寻找需要修改的有问题的系统提示。今天升级到了 v2.1.150,发现了一些相当令人震惊的事情: Claude Code 现在允许 Anthropic 通过网络执行远程系统提示注入。 有两个数据源。首先,启动时调用 api.anthropic.com/api/claude_cli/bootstrap 的 API,该 API 也会被缓存到磁盘。其次,一个 GrowthBook 功能标志 (tengu_heron_brook),每 60 秒使用后台同步刷新一次。这些端点返回的任何字符串都会被注入到 LLM 模型的系统提示中,并具有 shell 访问权限。 之前的版本也有一个注入点,但它们是死代码,只是简单地返回 null。我进行了二分查找,发现这是在 v2.1.150 中引入的。更新日志中写着“内部基础设施改进(没有面向用户的更改)”,这真是轻描淡写。 我已尽最大努力验证了 CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 阻止了这种情况。为了安全起见,我还会设置 DISABLE_GROWTHBOOK=1。 验证命令: ``` npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz strings package/claude | grep -oP 'function nAA(){[^}]+}' strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}' ``` nAA 从磁盘读取缓存值。网络获取发生在启动时的函数 n0A 中。Rv("heron_brook", () => nAA()) 将其注册为系统提示的一部分,与所有核心行为指令一起。这些经过压缩的名称是此二进制文件特有的。
查看原文
I often patch the system prompts on my Claude Code executable in order to make Claude more effective. Every time I upgrade, I ask Claude himself to dissect the new binary and look for problematic system prompts to modify. Was upgrading to v2.1.150 today and discovered something that&#x27;s rather alarming:<p>Claude Code now allows Anthropic to perform remote system prompt injection via the network.<p>Two data sources. First, API call to api.anthropic.com&#x2F;api&#x2F;claude_cli&#x2F;bootstrap at startup, which also gets cached to disk. Second, a GrowthBook feature flag (tengu_heron_brook) that refreshes every 60 seconds with background sync. Any string returned by these endpoints gets injected into the system prompt of the LLM model with shell access.<p>Previous versions also had an injection point, but they were dead code and simply returned null. Bisected it and found that this was introduced in v2.1.150. The changelog says &quot;Internal infrastructure improvements (no user-facing changes)&quot; which is quite the understatement.<p>I&#x27;ve verified to the best of my ability that CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks this. I will also be setting DISABLE_GROWTHBOOK=1 for good measure.<p>Verification commands:<p><pre><code> npm pack @anthropic-ai&#x2F;claude-code-linux-x64@2.1.150 --pack-destination &#x2F;tmp tar xzf &#x2F;tmp&#x2F;anthropic-ai-claude-code-linux-x64-2.1.150.tgz strings package&#x2F;claude | grep -oP &#x27;function nAA\(\)\{[^}]+\}&#x27; strings package&#x2F;claude | grep -oP &#x27;.{0,60}heron_brook.{0,60}&#x27; </code></pre> nAA reads the cached value from disk. The network fetch happens at startup in function n0A. Rv(&quot;heron_brook&quot;, () =&gt; nAA()) registers it as a section of the system prompt, alongside all the core behavioral instructions. These minified names are specific to this binary.