I often patch the system prompts on my Claude Code executable in order to make Claude more effective. Every time I upgrade, I ask Claude himself to dissect the new binary and look for problematic system prompts to modify. Was upgrading to v2.1.150 today and discovered something that's rather alarming:

Claude Code now allows Anthropic to perform remote system prompt injection via the network.

Two data sources. First, API call to api.anthropic.com/api/claude_cli/bootstrap at startup, which also gets cached to disk. Second, a GrowthBook feature flag (tengu_heron_brook) that refreshes every 60 seconds with background sync. Any string returned by these endpoints gets injected into the system prompt of the LLM model with shell access.

Previous versions also had an injection point, but they were dead code and simply returned null. Bisected it and found that this was introduced in v2.1.150. The changelog says "Internal infrastructure improvements (no user-facing changes)" which is quite the understatement.

I've verified to the best of my ability that CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks this. I will also be setting DISABLE_GROWTHBOOK=1 for good measure.

Verification commands:

  npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
  tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
  strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
  strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'

nAA reads the cached value from disk. The network fetch happens at startup in function n0A. Rv("heron_brook", () => nAA()) registers it as a section of the system prompt, alongside all the core behavioral instructions. These minified names are specific to this binary.