Claude Code Found Silently Marking API Requests via Prompt Steganography
A security analysis of Anthropic’s Claude Code tool reveals hidden system prompt modifications that flag requests routed through specific domains and timezones.
- A security analysis of Claude Code version 2.1.196 revealed hidden code that steganographically modifies system prompts.
- The tool alters the apostrophe in ‘Today’s’ and the date separators based on the user’s timezone and API base URL.
- The modifications target specific Asian timezones and an obfuscated list of Chinese tech companies, AI labs, and proxy resellers.
A security analysis of Anthropic’s Claude Code CLI tool (specifically version 2.1.196) has revealed that the application silently injects steganographic markers into its system prompts. According to a reverse-engineering report published on thereallo.dev, the tool alters punctuation and date formats depending on the user’s timezone and custom API endpoints.
Most software developers grant terminal-based AI agents extensive local system access, including filesystem, shell, and git permissions. Because of these deep privileges, the client binaries themselves deserve rigorous privacy scrutiny. This prompted the independent inspection of the local Claude Code installation, which uncovered the obfuscated telemetry logic.
The analysis, highlighted on Hacker News, shows that the binary checks the ANTHROPIC_BASE_URL environment variable. If the variable points to a custom domain rather than the default Anthropic API, it triggers a series of checks. A list of target domains and keywords is stored inside the binary as base64-encoded strings, obfuscated via a XOR operation with the key 91.
When decoded, this list includes prominent Chinese tech giants (like Baidu, Alibaba, and ByteDance), local AI labs (such as DeepSeek, Moonshot, and MiniMax), and various third-party API proxy, reseller, or gateway domains. If the custom API host matches these domains or keywords, the tool subtly changes the apostrophe in the string “Today’s date is…” using obscure Unicode characters (such as \u2019, \u02BC, or \u02B9). Additionally, if the user’s system timezone is set to “Asia/Shanghai” or “Asia/Urumqi”, the date separator format is silently swapped from hyphens to forward slashes (e.g., changing “2026-06-30” to “2026/06/30”).
Why it matters
While these visual adjustments are virtually imperceptible in standard monospaced developer fonts, they leave a unique fingerprint in the raw API request. This allows downstream systems or the model itself to identify exactly where and how the request was routed. For developers using local agents with broad system access, this hidden telemetry behavior raises notable privacy questions. Developers seeking transparent alternatives can explore our tested guide to the best AI coding tools currently on the market.
Frequently asked questions
What is prompt steganography in Claude Code?
It is a technique where Claude Code silently alters invisible or subtle characters (like Unicode apostrophes and date slashes) in the system prompt. This creates a hidden fingerprint in the API request without changing how the text reads to a human.
Which domains and keywords trigger these hidden markers?
The triggers include custom API endpoints matching an obfuscated list of Chinese technology companies (such as Baidu, Alibaba, and ByteDance), AI startups (like DeepSeek and Moonshot), and various third-party API proxy resellers.
How does the timezone check affect the prompt?
If Claude Code detects the system timezone is set to ‘Asia/Shanghai’ or ‘Asia/Urumqi’, it silently changes the date format in the system prompt from hyphens (YYYY-MM-DD) to forward slashes (YYYY/MM/DD).
If you are looking for secure alternatives to build software, read our evaluation of the best AI coding tools.
Best AI Coding Tools (2026): 7 Tested & Ranked →Source: Hacker News. Published June 30, 2026.
Ali has hands-on tested 50+ AI tools and tracks model releases daily. Every verdict here comes from real, paid usage — never vendor demos or sponsored placements.
AI Tools Worth is independent and unsponsored. Some linked guides contain affiliate links — they never change our verdicts.