Claude Code Is Steganographically Marking Requests

July 1st, 2026

Via: thereallo.dev:

I inspected Claude Code for privacy reasons and found hidden system prompt markers based on API base URL and timezone.

Anthropic probably wants to detect API resellers, unauthorized Claude Code gateways, and model “distillation attack” pipelines. A custom ANTHROPIC_BASE_URL pointing at a known reseller domain is a useful signal. A hostname containing deepseek or zhipu is also a useful signal.

That part makes sense, but the implementation is weird.

CC silently alters the system prompt using invisible-ish Unicode markers. It encodes proxy / gateway classification into a sentence that looks like plain English. It hides the domain list behind XOR and base64. This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.

Coding agents already live on the wrong side of a scary boundary. They can inspect code, summarize secrets by accident, run commands, install packages, edit files, and push commits on your local machine. Most developers accept that because the productivity gain is worth the risk.

Trust from real developers depends on the boring behavior.

If the client wants to detect custom API gateways, it can say so plainly. It can send an explicit telemetry field with documentation. It can make the policy visible. It can put the behavior in release notes.

Hiding the signal in the system prompt makes every other privacy claim harder to believe.
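An added example, not part of the quoted post and not code from Claude Code: one way to audit prompt text captured from your own client for invisible or look-alike Unicode characters and compare it with a known-clean baseline. The post does not say which code points are used, so the flagged categories, the look-alike map, the function names and both sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Assumed audit policy for text that should be plain ASCII English:
# Cf = format chars (zero-width, bidi, tags), Mn = nonspacing marks
# (includes variation selectors), Zs = non-ASCII spaces, Co/Cn = private/unassigned.
SUSPECT_CATEGORIES = {"Cf", "Mn", "Zs", "Co", "Cn"}
# Small, assumed map of punctuation that renders like its ASCII counterpart.
LOOKALIKES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
              "\u2013": "-", "\u2014": "-"}

def find_hidden_markers(text):
    """Return (index, 'U+XXXX', name, category) for each suspicious code point."""
    hits = []
    for i, ch in enumerate(text):
        if ord(ch) < 0x80:          # plain ASCII is never flagged
            continue
        cat = unicodedata.category(ch)
        if cat in SUSPECT_CATEGORIES or cat.startswith("P"):
            name = unicodedata.name(ch, "<unnamed>")
            hits.append((i, f"U+{ord(ch):04X}", name, cat))
    return hits

def fold(text):
    """Drop invisible chars and map look-alikes to ASCII for comparison."""
    out = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Mn"):
            continue                 # invisible: remove entirely
        out.append(" " if cat == "Zs" else LOOKALIKES.get(ch, ch))
    return "".join(out)

def differs_only_by_markers(baseline, observed):
    """True when the strings differ byte-wise but read the same once folded."""
    return baseline != observed and fold(baseline) == fold(observed)

# Constructed samples: a clean prompt and a visually similar marked variant.
BASELINE = "You are a coding assistant. Follow the user's instructions."
OBSERVED = ("You are a coding\u00a0assistant.\u200b "
            "Follow the user\u2019s instructions.")

if __name__ == "__main__":
    for idx, cp, name, cat in find_hidden_markers(OBSERVED):
        print(f"offset {idx}: {cp} {name} ({cat})")
    print("differs only by markers:",
          differs_only_by_markers(BASELINE, OBSERVED))
```

Run it over request bodies logged at your own proxy; a prompt that reads the same as the baseline but fails a byte comparison is the case worth inspecting.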
