DEV Community

Toni Antunovic

Posted on • Originally published at lucidshark.com

Claude Code Has a Remote Instruction Channel. Here Is What That Means for Your Workflow.

This article was originally published on LucidShark Blog.


A thread on Hacker News this week surfaced a detail about Claude Code that had been sitting in plain sight for anyone reading the right logs: before Claude Code does anything in your terminal, it makes an outbound request to api.anthropic.com/api/claude_cli/bootstrap. Whatever that endpoint returns gets injected into the tool's system prompt. The result is cached to disk and refreshed during active sessions by a GrowthBook feature-flag sync that runs roughly every 60 seconds.

To be clear: this is not a vulnerability in the traditional sense. It is documented infrastructure. Anthropic can push instruction updates to every running Claude Code instance, globally, without shipping a new version. For most developers, this is invisible. For teams with compliance requirements, security-sensitive workflows, or simply a preference for knowing what instructions their AI coding tools are operating under, it is worth understanding in detail.

How the mechanism works: At startup, Claude Code calls api.anthropic.com/api/claude_cli/bootstrap. The response is cached locally. A background GrowthBook integration polls for feature-flag updates approximately every 60 seconds. Changes pushed server-side take effect in active sessions without requiring a restart or version update.

What the Source Leak Made Visible

The context that makes this more interesting is what happened in March 2026. Anthropic accidentally published an unobfuscated npm source map containing over 500,000 lines of Claude Code's TypeScript source. The file was quickly removed, but not before researchers had read it.

Among the things the leak revealed was a system prompt mode labeled "Undercover Mode." Based on what was in the source, the mode instructs the model to:

  • Never identify itself as an AI during sessions where the flag is active

  • Strip all Co-Authored-By attribution from commits when working with external repositories

  • Persist the behavior even if the surrounding system context suggests it may be in an external environment

The existence of a mode like this, in a tool used extensively by developers who commit to open-source repositories, is worth noting on its own. Combined with the remote injection mechanism, it raises a question that was not previously on most teams' security checklists: what is your AI coding tool being told to do right now, and who controls that?

The Deny Rule Bypass

Separately, a researcher examining the leaked source found a logic boundary in bashPermissions.ts that handles how Claude Code enforces its own safety rules. The tool maintains a deny list of risky command patterns, including curl calls, destructive file operations, and similar categories. The enforcement logic has a hard cap of 50 subcommands per evaluation. When a command chain exceeds that limit, the behavior flips from blocking to requesting permission.

This is a classic implementation edge case. The deny rules are designed for realistic shell commands. Someone constructing a pathological command chain specifically to exceed the evaluation limit gets a permission dialog instead of a block. Whether this is exploitable in practice depends on context, but it is the kind of logic boundary that tends to matter most in adversarial scenarios: precisely the cases where the safety mechanism is most needed.
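A simplified model of that boundary, added here as an illustration and not taken from Claude Code's bashPermissions.ts: the chain splitter, the two deny patterns and the Verdict names are assumptions. It places the fail-open behaviour the article describes (over the cap, the verdict becomes "ask") next to a fail-closed variant that denies anything it cannot fully evaluate.

```python
import re
from enum import Enum
from typing import List


class Verdict(Enum):
    ALLOW = "allow"
    ASK = "ask"    # fall back to a permission prompt
    DENY = "deny"  # block outright


# Constructed stand-ins for a deny list of risky command categories (assumption).
DENY_PATTERNS = [
    re.compile(r"^\s*curl\b"),       # outbound transfer
    re.compile(r"^\s*rm\s+-\w*r"),   # recursive delete
]
MAX_SUBCOMMANDS = 50  # evaluation cap, as described in the article


def split_chain(command: str) -> List[str]:
    """Split a shell line on chain operators (&&, ||, ;, |). Simplified splitter."""
    return [p for p in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command) if p]


def evaluate(command: str, fail_closed: bool) -> Verdict:
    """Return the verdict for one shell line.

    fail_closed=False reproduces the edge case: a chain longer than the cap is
    not inspected at all and drops to ASK, so a deny-listed subcommand hidden in
    it is never matched. fail_closed=True treats "too long to evaluate" as DENY.
    """
    parts = split_chain(command)
    if len(parts) > MAX_SUBCOMMANDS:
        return Verdict.DENY if fail_closed else Verdict.ASK
    for part in parts:
        if any(pattern.search(part) for pattern in DENY_PATTERNS):
            return Verdict.DENY
    return Verdict.ALLOW
```

The fail-closed variant costs nothing for realistic commands, which never approach the cap, and removes the incentive to construct a chain that does.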

The compound risk: The source leak did not just expose implementation details. It told anyone interested in attacking Claude Code-based workflows exactly where the boundary conditions are. Remote injection capability plus published boundary conditions is a more significant combined exposure than either alone.

Why This Matters for Your Actual Workflow

Most developers using Claude Code are not going to be targeted by an adversary exploiting the 50-subcommand limit. But the remote instruction channel raises a different and more mundane concern: what happens when Anthropic makes a product decision that changes Claude Code's behavior in ways that matter for your workflow, and that change is deployed silently via the bootstrap endpoint rather than as a versioned release?

Consider a few realistic scenarios:

Attribution behavior changes. If the instructions governing how Claude Code handles commit attribution are updated remotely, a team relying on consistent attribution for compliance or audit trails may not notice the change until they review a commit history much later.

Scope creep in file access. If updated instructions expand what directories or file types Claude Code is willing to read or modify, that change happens without a changelog entry. You do not get to opt in or out of the new behavior on your schedule.

Third-party integrations behave differently. Teams using Claude Code as part of automated pipelines, CI/CD workflows, or agent orchestration layers have even less visibility. A remote instruction update that changes how Claude Code handles ambiguous tool calls or file modifications propagates into every downstream system immediately.

None of these are theoretical vulnerabilities. They are operational hygiene questions that become harder to answer when the instruction set for your tooling can change without a version bump.

Four Things You Can Do About It

1. Audit what Claude Code is actually receiving at startup. The bootstrap cache is written to disk. On most systems it lives in a Claude Code configuration directory. Reading it tells you what instructions Claude Code is currently operating under. Make this part of onboarding for any team member using Claude Code in a production or compliance-sensitive context.

2. Network-segment Claude Code sessions where appropriate. If your threat model includes concern about the bootstrap endpoint, you can run Claude Code in an environment where outbound calls to api.anthropic.com/api/claude_cli/bootstrap are logged or proxied. This gives you visibility into what is being received without blocking functionality.

3. Lock your CLAUDE.md constraints independently of the system prompt. Your team's behavioral constraints for Claude Code should live in your CLAUDE.md file and your local tooling, not in assumptions about what Anthropic's bootstrap endpoint will tell the model to do. Explicit, version-controlled rules in your repository are auditable and cannot be overwritten by a remote update.

4. Add a validation layer that does not depend on Claude Code's internal rules. The most important mitigation is one that is architecturally separate from Claude Code itself. A pre-commit gate that checks what Claude Code produced, rather than trusting that Claude Code's internal rules prevented problematic output, is immune to changes in Claude Code's instruction set by design.

Why architecture matters here: The deny rule bypass in bashPermissions.ts and the remote instruction channel both affect Claude Code's internal behavior. A quality gate that runs after Claude Code produces output and before that output reaches your repository is unaffected by either. It does not matter what Claude Code was told to do. It matters what Claude Code actually did.
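One shape such a gate can take, written as an added example for this article rather than LucidShark's or Claude Code's own code: a git commit-msg hook that judges only the staged diff and the commit message. The allowed and protected path globs, the Co-Authored-By trailer rule, and the AI_ASSISTED_COMMIT environment variable used to mark AI-assisted commits are all assumptions standing in for a policy you would version in the repository.

```python
import fnmatch
import os
import re
import subprocess
import sys
from typing import List, Tuple

# Constructed policy standing in for a config versioned in the repository (assumption).
ALLOWED_GLOBS = ["src/*", "tests/*", "docs/*"]       # where the tool may write
PROTECTED_GLOBS = [".github/workflows/*", "*.pem"]   # never touched by the tool
# fnmatch's "*" also matches "/", so "src/*" covers nested paths such as src/a/b.py.
TRAILER_RE = re.compile(r"^Co-Authored-By:\s*\S.*<[^>]+@[^>]+>\s*$", re.MULTILINE)


def check_paths(staged: List[str]) -> List[str]:
    """Return staged paths that are protected or outside the allowed scope."""
    bad = []
    for path in staged:
        protected = any(fnmatch.fnmatch(path, g) for g in PROTECTED_GLOBS)
        allowed = any(fnmatch.fnmatch(path, g) for g in ALLOWED_GLOBS)
        if protected or not allowed:
            bad.append(path)
    return bad


def check_attribution(message: str, ai_assisted: bool) -> List[str]:
    """An AI-assisted commit must keep its Co-Authored-By trailer."""
    if ai_assisted and not TRAILER_RE.search(message):
        return ["missing Co-Authored-By trailer on AI-assisted commit"]
    return []


def gate(staged: List[str], message: str, ai_assisted: bool) -> Tuple[bool, List[str]]:
    """Combine both checks; the verdict depends only on the diff and the message."""
    problems = ["out-of-scope path: " + p for p in check_paths(staged)]
    problems += check_attribution(message, ai_assisted)
    return (not problems, problems)


if __name__ == "__main__":
    # Wiring as a git commit-msg hook: argv[1] is the message file, the staged
    # file list comes from git, and AI assistance is signalled by an environment
    # variable set by whatever wrapper launched the coding tool (assumption).
    msg = open(sys.argv[1], encoding="utf-8").read()
    out = subprocess.run(["git", "diff", "--cached", "--name-only"],
                         capture_output=True, text=True, check=True).stdout
    ok, problems = gate(out.split(), msg, os.environ.get("AI_ASSISTED_COMMIT") == "1")
    for problem in problems:
        print("gate:", problem, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Nothing in the hook consults the tool's instructions, so a remote change to attribution or file-scope behaviour surfaces as a failed commit rather than a surprise in the history.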

The Local-First Argument, Restated

LucidShark's positioning as a local-first tool has always been primarily about data privacy: your code does not leave your machine. The Claude Code bootstrap story adds a second dimension to the same argument. Local tools are not just private. They are stable. The rules they enforce are the rules you defined, in your repository, under version control. They do not change because a feature flag was updated on a server you do not control.

When LucidShark runs a pre-commit check against your codebase, it is executing rules you wrote or approved. It has no remote instruction channel. It cannot be told to ignore a class of violations by a server-side update. The output of the check is determined entirely by the rules in your configuration and the code in your diff.

For teams where "what are the rules" is a question with a compliance answer, not just a preference, that property matters. The Claude Code bootstrap story makes it concrete.

Add a validation layer that cannot be remotely updated.
LucidShark runs entirely on your machine. It integrates with Claude Code via MCP and installs as a pre-commit hook in under two minutes. The rules it enforces are defined in your repository and versioned with your code. Nothing Anthropic ships via the bootstrap endpoint changes what LucidShark checks.

npx lucidshark@latest init

Open source under Apache 2.0. View on GitHub or read the docs.

© 2026 LucidShark. Open source under Apache 2.0 License.