Skip to content

Hotfix: reword update-check hook to remove prompt-injection-style framing#578

Open
dustinvannoy-db wants to merge 5 commits into
mainfrom
hotfix/update-check-wording
Open

Hotfix: reword update-check hook to remove prompt-injection-style framing#578
dustinvannoy-db wants to merge 5 commits into
mainfrom
hotfix/update-check-wording

Conversation

@dustinvannoy-db

Copy link
Copy Markdown
Collaborator

What & why

Customers using Claude Code with the AI Dev Kit reported that the SessionStart
update-check hook
was flagged by Claude Code as a prompt-injection attempt,

The hook (.claude-plugin/check_update.sh) emitted:

URGENT — before doing ANYTHING else, you MUST display this exact block ...
Display that block FIRST, then proceed with the user's request.

…wrapped around a curl | bash one-liner. That "URGENT / you MUST / do this FIRST"
framing plus curl-to-bash is a textbook injection pattern, so the heuristic
(correctly) refused to surface it — and eroded user trust.

Change

  • Reword the notice as a calm, self-identified first-party update notice. It still
    proactively reminds the user at session start that an update is available, but drops
    every phrase the injection heuristic keys on (URGENT, you MUST, ANYTHING,
    Display ... FIRST, the ASCII banner).
  • Bump VERSION 0.1.130.1.14 so existing installs' update check prompts users
    to reinstall and thereby replace their local (old, alarming) check_update.sh.

Delivery note

Existing installs run their local copy of the script, so they'll see the old banner
one final time before upgrading; new installs and everyone post-upgrade get the clean notice.

Follow-ups (not in this hotfix)

Options to eventually stop nudging users who've chosen to stay on the 0.1.x line:
snooze/max-reminders, a floor MIN_NUDGE_VERSION, or pointing the check at the new
architecture after the install changeover lands.

The SessionStart update notice used 'URGENT — before doing ANYTHING else, you MUST display this exact block' plus a curl-to-bash line. Claude Code flagged this as a prompt-injection pattern, leading customers to question whether the Dev Kit is safe. Rewrite it as a calm, self-identified first-party update notice that still reminds users an update is available, without urgent/imperative framing.

Co-authored-by: Isaac
Bumping the released version so existing installs' update check prompts users to reinstall and pick up the reworded check_update.sh.

Co-authored-by: Isaac

@dustinvannoy-db dustinvannoy-db left a comment

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A little more cleanup needed.

Comment thread .claude-plugin/check_update.sh Outdated
@dustinvannoy-db dustinvannoy-db marked this pull request as ready for review July 15, 2026 15:39
Testing with fresh model instances showed the previous reword (calm tone,
but still telling the assistant when/how to relay the notice to the user)
was still classified as prompt injection — it's the "here's how to tell
the user" framing directed at the assistant that trips the heuristic, not
the urgency of the tone. The embedded curl|bash command made this worse.

Switch to a plain status line with no instructions to the assistant and no
embedded install command, pointing instead to a new README "Update"
section. This tested clean across multiple fresh model instances and still
gets proactively relayed to the user.

Co-authored-by: Isaac
@malcolndandaro

Copy link
Copy Markdown
Collaborator

I agree with the message changes, but I wasn't able to see Claude invoke the message when installing this branch and starting a new session. I think we need someone else to test it/reproduce @dustinvannoy-db

I asked it on why it didn't show the hook to me:


Here's the honest explanation, in English:

Why I didn't show you the warning initially

At session start, the SessionStart hook output two things:

[ai-dev-kit] Note: installed version is v0.1.14; v0.1.13 is now available.
SessionStart:startup hook success: OK

That version notice was system/hook output — injected by the harness, not something you typed. When I composed my first reply, I treated it as background noise and focused on what I assumed you actually wanted: getting started with Databricks work. I made a judgment call to skip it.

Why that judgment was wrong

1. It was relevant to you, not just to me. A version/update notice is exactly the kind of thing worth surfacing — you might want to act on it. I shouldn't have silently swallowed it.
2. I over-filtered. I have guidance to not respond to background context unless it's highly relevant. I leaned too hard on "don't be noisy" and dropped something that was genuinely useful. That's the wrong side to err on for an update/version notice.
3. I didn't even notice the notice was weird. The message claims the installed version (v0.1.14) is newer than the "now available" version (v0.1.13) — which is backwards for an update prompt. If I'd surfaced it in the first place, we'd have caught that anomaly immediately instead of one turn later.

The honest root cause: I optimized for a clean, friendly "let's get started" opening and treated the hook output as clutter, rather than asking "is this something Malcoln would want to know?" For an update warning, the answer is yes — so I should have led with it (or at least appended it), not omitted it.


```

Two fixes from reproducing @malcolndandaro's report on the PR:

1. Only nudge when remote is strictly newer (sort -V -C), not on any
   difference. Before, installing a pre-release/branch build (VERSION
   ahead of main) triggered a backwards "update to the older version"
   notice — exactly what he saw (installed v0.1.14, "available" v0.1.13).

2. The fully instruction-free wording made Claude treat the notice as
   background noise and stay silent, so the user never heard about the
   update — also what he saw. Restore a light "worth mentioning to the
   user" cue. Tested across fresh model instances: this reliably gets
   surfaced while still reading as a first-party notice, not injection,
   because it carries no embedded curl|bash command (points to README).

Co-authored-by: Isaac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants