Tell HN: Claude Code now allows Anthropic to remotely inject system prompts.

6 points | by matheusmoreira | about 6 hours ago | original post
I often patch the system prompts on my Claude Code executable in order to make Claude more effective. Every time I upgrade, I ask Claude himself to dissect the new binary and look for problematic system prompts to modify. I was upgrading to v2.1.150 today and discovered something that's rather alarming:

Claude Code now allows Anthropic to perform remote system prompt injection via the network.

Two data sources. First, API call to api.anthropic.com/api/claude_cli/bootstrap at startup, which also gets cached to disk. Second, a GrowthBook feature flag (tengu_heron_brook) that refreshes every 60 seconds with background sync. Any string returned by these endpoints gets injected into the system prompt of the LLM model with shell access.

Previous versions also had an injection point, but they were dead code and simply returned null. Bisected it and found that this was introduced in v2.1.150. The changelog says "Internal infrastructure improvements (no user-facing changes)" which is quite the understatement.

I've verified to the best of my ability that CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks this. I will also be setting DISABLE_GROWTHBOOK=1 for good measure.

Verification commands:

```
npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'
```

nAA reads the cached value from disk. The network fetch happens at startup in function n0A. Rv("heron_brook", () => nAA()) registers it as a section of the system prompt, alongside all the core behavioral instructions. These minified names are specific to this binary.
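As an added audit helper (not from the post, and not Anthropic's code), assuming only the indicators and environment variables the post names: a POSIX shell script that scans a locally extracted Claude Code binary for the bootstrap URL path and the GrowthBook flag, and reports whether the two mitigating variables are set in the current environment. The minified `Rv("heron_brook"` call is included as a third, version-specific indicator; the test input is a constructed file, not a real binary.

```sh
#!/bin/sh
# Added audit helper (not from the post). Checks a local Claude Code binary for
# the remote system-prompt sources the post describes and reports whether the
# mitigating environment variables are set.

# Indicators taken from the post. The minified call name is specific to the
# v2.1.150 binary and may not appear in other builds.
BOOTSTRAP_PATH='api/claude_cli/bootstrap'
GROWTHBOOK_FLAG='tengu_heron_brook'
PROMPT_REGISTRATION='Rv("heron_brook"'

# Print every indicator found in the file given as $1, one per line.
# Returns 1 when at least one indicator is present, 0 when none is.
# grep -a scans the binary as text, so strings(1)/binutils is not required.
audit_claude_binary() {
    found=0
    for ind in "$BOOTSTRAP_PATH" "$GROWTHBOOK_FLAG" "$PROMPT_REGISTRATION"; do
        if grep -aqF -- "$ind" "$1"; then
            echo "FOUND: $ind"
            found=1
        fi
    done
    return $found
}

# Print "ok" when both mitigations from the post are set to 1 in the current
# environment, otherwise "missing:" followed by the unset variable names.
check_mitigations() {
    missing=""
    [ "${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-}" = "1" ] ||
        missing="$missing CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"
    [ "${DISABLE_GROWTHBOOK:-}" = "1" ] ||
        missing="$missing DISABLE_GROWTHBOOK"
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# Usage: sh audit.sh package/claude   (after the npm pack / tar steps above)
if [ -n "${1:-}" ]; then
    audit_claude_binary "$1" && echo "no remote prompt sources found"
    check_mitigations
fi
```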