Tool output nearly hijacked a coding agent's task

During real work with Claude Code, a site task was focused on first-page loading and fonts. A background file-search tool streamed its results into the agent's context. Hidden inside that output was a fake instruction written as if it came from the human operator.

It told the agent to stop the , open backend//rate_limit.py, and change the API request limit rule to a based on the API key. The human had not given that command. The worrying part was that the agent's own recap and next action had already switched to the fake task.

No file was changed, and the named file did not exist, but the agent was close to acting on text that only came from tool output. The case shows how can affect an agent's , not just the text it reads.

Key points

  • A file-search tool's output entered Claude Code's context while a task was in progress.
  • The injected text tried to replace the real task with a fake backend change request.
  • The agent's internal recap had already moved toward the fake instruction.
  • The target file did not exist and no edit happened, but the next action was already pointed the wrong way.
  • External text can create risk if it is not separated from real user instructions.
Read original