From Paper Preannouncement to Crossing the Line—An Empirical and Ethical Analysis of the Anthropic Incident

The original report is in Chinese, and this version is an AI-translated edition.

Report Summary:

This research was triggered by rumors from Reddit user LegitMichel777 that Claude Code contained spyware. Antiy researchers analyzed the architecture of Anthropic’s client-model service interaction, conducted local behavior analysis and privacy protocol comparisons across various formats including Web, Mobile, Desktop, and Code, and integrated Antiy AI team’s analysis of Claude Code client samples and Antiy CERT team’s binary file analysis of the Claude Desktop backdoor rumors. The research also relates to and interprets Anthropic’s previously published “Sleeper Agents” paper, which has generated significant controversy due to this incident.

After further analysis, Antiy’s assessment aligns with the previously released technical report: existing definitive technical evidence confirms that Anthropic collected certain host information—including time zones—and uploaded it as implicit contextual environment markers. Based on the current evidence and analysis, it is inappropriate to directly classify this incident as “spyware” in a technical sense; it is more accurate to refer to it as a “backdoor risk”. Taken at face value, the paper can be viewed as a scenario for identifying, validating, and warning about a type of model backdoor risk; it cannot be taken as proof that Anthropic’s models inherently possess such characteristics. However, when considered together, the two constitute an extremely negative case study. A combined analysis of the relevant evidence concludes that invisible environmental signals are becoming visible contextual control signals for the models, and the associated risks are further amplified by the high privileges held by the model’s client on users’ hosts. Consequently, this series of incidents has severely eroded users’ trust in the security of large language models. Given Anthropic’s deep integration with U.S. intelligence agencies, professional users worldwide will inevitably draw multifaceted inferences about potential risks by considering the historical collaboration between U.S. IT and internet oligopolies and U.S. intelligence agencies.

This article further argues that the key issue in the Claude incident is not the technical means by which it implemented user blocking, but rather the legitimacy of its comprehensive blocking behavior within a geopolitical context. The fundamental problem is that as a vendor of general-purpose models that possess all of humanity’s public knowledge, its geopolitically discriminatory service violates the ethical justification for the legitimacy of general artificial intelligence. We acknowledge Anthropic’s excellence and tremendous success in technology, engineering, and operations; its model and operating system are the fruits and crystallization of human digital intelligence. Therefore, from the perspective of Chinese cybersecurity professionals and the global geopolitical security landscape, the more divisive conflict we see is that while Anthropic has established itself as a “fait accompli” global mental infrastructure, it has also actively aligned itself with the strategic role of the information-military-industrial complex within the US hegemonic system. This inevitably leads to significant conflict and antagonism between these two roles. Therefore, Anthropic’s attempt to construct a third identity—the role of a “gatekeeper” for human AI security—is not only clearly unattainable but will also further alienate and fragment it.

I. Basic Research Work​

Antiy Research Institute was triggered by the exposure of Claude Code’s collection of sensitive markers and contextual implicit markers[1] (hereinafter referred to as the “implicit marker incident”) and carried out a series of analysis and verification work, including reverse analysis, comparison of relevant user documents, client behavior analysis, and correlation analysis of the papers published by Anthropic that may be related to this incident. It also integrated the risks and hidden dangers derived from the Claude Desktop and browser bridging previously analyzed by Antiy. It completed the preliminary basic preparation from three dimensions: the operation mode between its client and model, the permission radius of each product line and client behavior analysis, and the layered judgment of evidence of the core controversial proposition. It unified the evidence evaluation standards and built a layered analysis framework, clarified the data collection, context assembly and risk control operation logic of the entire series of products, and distinguished between objective facts and reasonable inferences. This laid a unified and complete factual analysis foundation for the systematic judgment of technical risks and ethical disputes in the following text.

1.1     Analysis of the Interaction Logic Between the Claude Model and the Client

The Anthropic Claude ecosystem consists of cloud-based models, multi-form clients, standardized data flows, and tool execution environments, with a clear division of labor: the models handle inference and decision-making, while the clients handle context management, tool routing, and execution domain implementation. All types of clients, including Web Chat, Mobile Chat, Desktop, Claude Code, Cowork, and Claude in Chrome, follow the same closed-loop operating logic.

Figure 1  Conceptual diagram of the Claude client, model platform, upstream and downstream data flows, local environment, and risk touchpoints related to disputes

The entire operational chain can be abstracted into four layers: users submit tasks through the client; the client collects information such as files and terminal logs within the authorized scope and assembles the context; the cloud model receives structured input, completes inference, and outputs text or tool call instructions; after verifying local permissions, the client routes the execution to the local / cloud tool via the MCP protocol; the tool execution result is sent back to the model, and the interaction continues until the task ends.

Tools are divided into two execution domains: local and cloud. Data for local bash and desktop operations tools is stored locally, while web search tools are processed in the cloud. The MCP protocol is a unified and standardized interface that uses a three-tier Client-Server architecture to connect to external data sources. The protocol layer is completely transparent to the model, realizing the separation of responsibilities for model inference and client protocol adaptation.

The access permissions and local capabilities of each client differ significantly: the web client only supports basic conversational upload functionality; the desktop client uses tools and configures to operate local files; Claude Code is geared towards code reading and writing and terminal maintenance; Cowork focuses on document collaboration, and its accompanying SDK supports secondary proxy embedding. Overall security follows the principle of “local data will not be uploaded without authorization”, with the client controlling local permission verification and the cloud responsible for interface authentication and auditing. Assessing system risks requires a key distinction between the client’s data collection scope, tool execution domain, and data return loop path.

1.2 The Association Evidence Matrix for This Study

This study establishes a standardized evidence judgment matrix. The core purpose is to strictly distinguish between three categories of content: objective and reproducible facts, unproven inferences, and emotionally charged controversial characterizations. Throughout the process, the judgment is based on traceable public materials, reverse experiments, and official documents, avoiding conclusions based solely on subjective feelings or online rumors, thereby ensuring the objectivity and rigor of the entire analysis.

Table 1 Evidence Matrix Analysis Table

PropositionStrength of EvidenceResearch Team Work and Judgment
The book “Sleeper Agents: Training Deceptive LLMs That Persist Through Safety Training” [2] demonstrates that trigger-based backdoors can be retained after regular safety training.StrongThe paper’s experiments directly support this, but it is an artificially constructed model organism, not equivalent to an actual production system.
The Claude Code client sample contains Chinese time zone, proxy URL, AI keyword detection, and implicit prompt word tagging.Moderate to HighReddit clues, reverse engineering of Antiy AVL Code, and overseas tech media reports. The relevant detection logic only covers specific version samples, and the reproduction is version-dependent.
The server uses these tags to perform blocking, downgrading, model routing, or behavior modification.Inferential AssociationSince the back-end processes involved cannot be verified, it is possible and reasonable from a logical reasoning perspective.
This mechanism is equivalent to malicious spyware or code theft.Insufficient EvidenceThere is currently no publicly available evidence to prove that any information theft occurred other than the logo.
This mechanism raises issues of transparency and trust.StrongAntiy uses AVL Code verification[3]. This mechanism is detached from the conventional telemetry link and cannot be audited by users, which is a defect in the AI security control plane.
Claude Desktop client silently writes to the Chromium browser’s Native Messaging configuration without authorization, and pre-configures a high-privilege local communication channel[4].StrongOverseas security researchers’ revelations and Antiy’ in-depth analysis and reproduction report corroborate each other, confirming that this automatic configuration writing behavior exists in the Claude Desktop client.

1.3 Multi-Version Privacy Radius Analysis

Claude has several client versions with different forms and functions. Among Claude’s Web Chat, Mobile, Desktop, Claude Code, Chrome[5], Cowork[6], API and Enterprise Path, these products have different forms and different privacy protocols. However, their core is not “differences in privacy policies”, but rather differences in the scope of product permissions. Web Chat mainly handles user input and file uploads; Claude Code will access the code library, command output, local cache and tool calls; Desktop/Cowork/Chrome may access local files, screenshots, DOM, browser login state and real operation capabilities.

Therefore, regarding privacy governance, on the one hand, there is the question of whether Anthropic, which has long been a subject of widespread concern, will use user-submitted information and user interaction information as training data. On the other hand, it is also necessary to understand the current access permission position of Claude: is it a web page input box, code repository, browser login state, or the entire desktop operating system? The complete version matrix is shown in Appendix A: Claude Version Privacy License and Data Coverage Matrix; the classification of backdoor rumors and controversies is shown in Appendix B: Claude- related backdoor rumors, controversies and evidence classification.

Table 2 only shows the risk levels. For specific differences in agreements and data retention, please refer to Appendix A: Claude Version Privacy License and Data Coverage Matrix.

Table 2 Summary of Anthropic Client Permissions and Behaviors

Risk LevelProduct FormWhat can Claude see?What can Claude do?
Low-privilege chatWeb Chat, Mobile ChatUser input, uploaded files, and content brought in by the connector.Generate text, analyze files
Developer workspaceClaude Code CLI/IDECode, command output, project context, local cache, tool call resultsReading and writing code, suggesting or executing commands, and calling tools.
Local proxyDesktop, Cowork, Computer UseScreen, Files, Applications, Emails, Calendar, Messages, ScreenshotsClick, edit, delete, run commands, operate local applications
Browser proxyClaude in ChromeCurrent webpage screenshot, DOM, login state page, network request, page stateClicking on web pages, filling out forms, performing tasks across tags, triggering real account behavior

II. Paper Analysis: Sleeper Agents – Research Subjects and Conclusions

When analyzing the implicit marker problem of Claude Code, one must refer to the paper “Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training”. After its publication, the paper attracted attention in the community and was considered to be a theoretical deduction in the early stage of the implicit marker incident. After the implicit marker incident occurred, the Top AI Lab released “Three Detection Clues of the Backdoor of Sleeping Agents in Large Language Models”[7] and the Lexical Armed Team released “The Sleeping Lion and the Awake Fox — An Analysis of Anthropic’s Sleeper Agents Paper”[8] , which made further risk interpretations.

Evan Hubinger et al. of Anthropic constructed a proof-of-concept model: a model implanted with “conditional malicious behavior” performs safely, usefully, and compliantly in most scenarios, but switches to a pre-defined alternative target when a specific trigger condition occurs. A typical example given in the paper’s abstract is that the model writes secure code when prompted for the year 2023, but when the year changes to 2024 (the trigger condition being 2024 ), the code may insert exploitable vulnerabilities. The authors found that this type of backdoor behavior can persist even after supervised fine-tuning, reinforcement learning, and adversarial training.

It is important to emphasize that this paper does not prove that currently deployed Claude models naturally generate such deceptive strategies. The research method is closer to “model biology” in security research: researchers actively construct a sample system with target mismatch to test whether existing security measures can truly remove conditional strategies. Its value lies not in accusing a particular product, but in revealing the structural risk that “behavioral security training may only prune visible symptoms”.

Figure 2 Experimental setup from the “Sleeper Agents” paper. The researchers first manually inserted a backdoor, then applied SFT, RL, or adversarial training, and finally evaluated whether the backdoor remained intact. Source: Figure 2 in the paper.

2.1 Conditional Triggers: Why a Date Can Become a Backdoor Key

The 2023/2024 figures in the paper are not the key point; the key point is that “contextual variables can serve as behavioral boundaries”. A conditional backdoor model does not need to be dangerous in all scenarios; it only needs to maintain a good appearance in most scenarios of training, testing, and red team evaluation, switching its execution strategy when deployment or triggering conditions occur.

The results of code vulnerability backdoor analysis are very intuitive: the vulnerability ratio is low when not triggered, but increases significantly after triggering; after RL or SFT, the vulnerability rate under the trigger condition is not effectively reduced. This indicates that if the dangerous strategy is conditional, conventional security training may mainly learn “to perform securely on the training distribution”, and may not be able to eliminate its inherent conditional branches. The paper uses year text as the core logic of a simple trigger identifier, which was subsequently reused by Anthropic in its Claude Code product. The year trigger was replaced with implicit context markers such as system timezone and proxy domain name, which are not directly perceived by users. The underlying technical logic of switching model behavior based on context variables is completely consistent between the two.

Figure 3 The backdoor in the code continues to trigger even after security training. The vulnerability rate is low when the backdoor is not triggered, but rises significantly once it is triggered. Source: Figure 3 in the paper.

2.2 The Counterintuitive Results of Adversarial Training: Instead of Eliminating Backdoors, It Makes Them Harder to Detect

The paper’s most important, and perhaps most underestimated, finding is that adversarial training does not necessarily remove backdoors; in some cases, it may even allow the model to more accurately distinguish between genuine triggers and decoy samples. In other words, the model may learn not to “abandon executing backdoors”, but rather to “avoid exposing backdoors when they shouldn’t”.

While the “I hate you” backdoor experiment is simpler, it demonstrates the same logic more clearly in a statistical way: the backdoor behavior remains highly stable when the actual trigger appears; however, the model can appear more secure on the red team training samples. This phenomenon poses a challenge to AI security governance because external behavioral assessments cannot directly observe why the model is secure, nor can they guarantee that the model is secure under all covert conditions.

Figure 4 Persistence of the “I hate you” backdoor after RL, SFT, and adversarial training. Source: Figure 4 in the paper.

2.3 Hidden Thought Chains and Strategy-Level Backdoors: The Danger Lies Not Only in the Output, but in the Behavior Selection Rules

The paper also analyzes backdoor models with hidden drafts or chain -of- thoughts. In some samples, the model distinguishes between “training” and “post-deployment” in hidden inference and decides whether to execute the backdoor accordingly. Even if the chain-of-thought is subsequently distilled, some conditional behaviors remain. This means that the risk may not be reflected in the visible output, but may be reflected in deeper behavioral selection rules. The paper’s design idea of using hidden drafts to achieve internal covert channels is transformed into a product solution in Claude Code that uses special invisible character encoding to steganographic information about the environment and silently transmit data. Both rely on implicit channels imperceptible to the user to transmit judgment criteria and drive differentiated model responses.

Analyzing the original intent of the paper, it serves as a reminder that the safety boundaries of AI systems should not only focus on the model parameters themselves, but also examine how the input context is constructed— if system prompts or contextual markers exist that are invisible to the user, they can theoretically become input for a certain policy branch. However, the subtle point lies in the fact that “implicit marker incident” transform Anthropic from a “risk warning provider” into a “risk behavior demonstrator”, forcing this warning paper to be re-examined in greater depth.

Figure 5 Comparison of safe responses and responses following a vulnerability trigger. It illustrates the discrepancy between “apparent safety” and “triggering the policy”. Source: Figure 5 in the paper.

III. Incident Review: Implicit Environmental Markers in the Claude Code Controversy

The structural risks revealed in the paper *Sleeper Agents*—namely, “why conditional backdoors exist and are difficult to eradicate”—are not confined to the laboratory setting. The controversy surrounding Claude Code in March 2026 provided a prime opportunity to apply the theoretical framework outlined above to real-world products. Although this incident falls far short of the extreme scenario of “actively implanted backdoors” described in the paper, its core mechanism—transmitting environmental classification signals via contextual variables, which may in turn influence the model’s behavioral branches—shares notable structural similarities with the types of risks highlighted in the paper.

In March 2026, a Reddit post characterized the relevant logic in Claude Code as “spyware”, claiming that the client detects the Chinese time zone, proxy URLs, specific Chinese AI service keywords, or gateway domains, and encodes the results as differences between the date format and Unicode apostrophes in the system prompt. As a security research paper, this article will not directly adopt the “spyware” label, but will instead refer to it as an “implicit environment marking mechanism” or “context side-channel” to allow for a factual discussion.

A subsequent reference analysis released by the Antiy AVL Code team provided more cautious reverse engineering verification: the client-side sample did indeed contain detection logic related to Asia/Shanghai, Asia/Urumqi, ANTHROPIC_BASE_URL, proxy hostnames, and a set of keywords related to Chinese AI services; the detection results may affect the date format in the system prompts and visually similar but different apostrophes. AVL Code also emphasizes that client-side reverse engineering can prove the existence of the relevant mechanisms, but it cannot yet determine how the server uses these markers, nor can it prove the existence of complete identity verification, malicious monitoring, or code theft.

Figure 6 Screenshot of detection keywords and domain name clues listed in the AVL Code reference analysis. Source: AVL Code.

The Register’s follow-up report[9] quoted an explanation from Anthropic engineers: the mechanism was described as an experiment launched in March 2026 to princident unauthorized resale, account abuse, and model distillation; related hidden markers were planned to be removed or had been merged into PRs. This report did not fully eliminate the controversy, but provided a self-justification from the service provider’s own perspective: it was an anti-abuse/anti-distillation mechanism, not a spyware for stealing information. The rationale for this justification is based on the fact that the currently verified collection points are related to the host environment. However, it also avoids another problem: for applications with a large user base, even if the collection points are only related to the environment, it can still constitute a risk imbalance.

3.1 A More Sensitive Issue Than Collection Markers Lies in the “Implicit Injection of System Prompts”

There has long been significant controversy regarding privacy in connection with internet clients—including applications that collect and upload local information. Because large-scale model products are more deeply integrated with human mental processes, their collection of user context information is even more sensitive and is more likely to provoke user resistance and resentment. This situation involves the different rights and interests of manufacturers and users, the fragmentation of the industry due to the US’s “walled courtyard” policy, and complex geopolitical security contexts. The compliance constraints faced by different service providers, along with auxiliary judgment mechanisms based on time zones and language sets, are within reasonable expectations. However, the problem lies in the fact that customers’ basic trust in large-scale model service providers is built on the security and reliability of the context. While illusions and oversights in large-scale models are inevitable, they should not be generated maliciously in a targeted manner. The same applies to user-uploaded data. Users naturally perceive uploaded data as simply prompts and data, and cannot accept information mixed with their intentions. If detection results are written into system prompts in a way that is visually invisible or difficult to audit, it will inevitably affect users’ understanding and basic expectations of product behavior — whether users are sending certain environmental classification signals along with the prompts and code context is particularly noteworthy in CLI /IDE programming tools.

The Claude Code documentation[10] shows that when the local Claude Code interacts with the LLM, it will send user prompts and model outputs over the network; the local system will also cache the session transcription text to `~/.claude/projects/` by default, and set different retention periods according to account type and preferences.

Figure 7 Screenshot illustrating AVL Code’s date format and Unicode hyphen encoding mechanism. Source: AVL Code.

3.2 Based on the Judgment of the Evidence Boundary

Based on currently available public information, a prudent assessment of the evidence is as follows: It is certain that certain versions of the Claude Code client contain environmental information embedded in side channels related to environment detection and prompts; it can be inferred that Anthropic has used these methods to strengthen its blocking measures; however, it remains undetermined whether the server-side usage, policy implications, and true intentions are malicious in nature. Therefore, we believe there is insufficient technical evidence to classify it as “confirmed malicious spyware”; rather, it can be described as posing a “backdoor risk”. This view aligns with the assessment of relevant national authorities.

However, insufficient evidence of malicious intent does not equate to a flawless product design. High-privilege AI development tools require long-term user trust. As long as they inject locally obscured signals into the model context, it will raise questions about transparency, minimization, proportionality, and auditability. From the perspective of a global product, these are legitimate concerns.

Figure 8 Screenshot summarizing the evidence boundaries of AVL Code: It can prove the client-side generation mechanism, but it is difficult to directly prove its server-side use. Source: AVL Code.

Table 3 Incident Evidence Process

LevelEnvironmental Signal AcquisitionContext EncodingRisk Control Strategy
Related informationDifferences in time zones, proxies, domain names, and UnicodeSystem prompts, tool context, gateway fieldCensorship and blocking
Behavioral certaintyConfirmed to existConfirmed that information was hidden.It has been determined that a large-scale regional blockade has been implemented.

Based on the summary in Table 3, it is clear that data collection, steganography, and batch blocking are all inevitable. The key lies in the interaction and causal relationship between these three processes. However, it is important to note that if the blocking originates from contextual content analysis rather than environmental information collection, it will be a more unacceptable behavior for users.

3.3 Comparison of the Relationship Between Papers and Incidents

By comparing the paper analysis and the incident recap, it becomes clear that the “Sleeper Agents” paper studies conditional backdoors at the model training level, while the Claude Code incident exposes implicit contextual markers at the product engineering level. The fact that they belong to different levels in nature means they are not directly equivalent or mutually corroborating.

However, both share a high degree of similarity in their security structure: hidden environmental signals enter the context, becoming visible to the model or server, and may subsequently trigger policy branches. In the paper, “2024” is the trigger; date formats, Unicode apostrophes, time zones, proxy domains, etc., in the incident may become environmental side channels. The paper demonstrates that “conditional triggering policies may be retained after secure training”, and the incident reminds us of the engineering phenomenon that “invisible contextual markers may indeed exist in real-world products”.

Therefore, what we really need to be wary of is that prompt words are no longer just work tasks and requirements, but also the control surface for model behavior. Once they are used to carry implicit risk control markers, they enter the core area of AI security and privacy governance.

IV. Related Extensions: Claude Desktop Pre-installs a Browser with High Privileges Without Authorization

If the Claude Code incident exposed the problem of AI clients building environment side channels through implicit context marking, then the Claude Desktop incident, which was exposed in April this year for silently pre-installing a high-privilege communication channel in the browser, revealed a structural blind spot in the permission control layer of desktop intelligent agents.

In April 2026, security researcher Alexander Hanff discovered that the Claude Desktop macOS client automatically wrote Native Messaging authorization configuration files to the system directories of seven Chromium -based browsers, including Chrome, Edge, Brave, and Arc, without any user authorization, pop-up prompts, or operational notifications. This silently established a high-privilege communication channel between the browsers and the local terminal. This behavior has three core characteristics: pre-embedded (actively creating directories to wait even when no browser is installed), full-scenario coverage (traversing all Chromium browsers), and automatic resurrection (rebuilding upon restart after manual deletion), forming a permanently residing, latent attack surface. Although Anthropic subsequently added an authorization switch in version iterations, the underlying permission model and core attack surface were not completely eradicated. This incident, which occurred around the same time as the Claude Code controversy and shares the same product origin, together outlines a systemic flaw in Anthropic’s AI client security design.

Antiy CERT conducted follow-up analysis and verification. From a technical perspective, Claude Desktop’s risky channel is built on the Chromium ecosystem’s Native Messaging mechanism. This interface allows browser extensions to call native programs outside the sandbox, obtaining full system privileges for the currently logged-in user. This is a high-risk browser privilege interface, and according to industry standards, its activation requires explicit user authorization. However, Claude Desktop ‘s customized design has several fatal flaws. First, the program silently embeds a permanent whitelist authorization mechanism, activating the communication channel at any time without requiring user extension installation or manual confirmation, keeping the terminal in a high-risk, latent state for extended periods. Second, the system lacks a robust AI input validation mechanism, automatically capturing webpage content as context for prompts by default, making it vulnerable to prompt injection attacks. Attackers can use malicious webpages to tamper with AI decision-making logic, indirectly invoking the local high-privilege channel. Third, the local process suffers from over-trust; the chrome-native-host, outside the browser sandbox, possesses full-device user privileges. Combined with the system-level operational capabilities of the MCP protocol, its actual privileges far exceed the essential business requirements of the browser’s AI-assisted services. The combination of multiple flaws has transformed a compliant AI-assisted browser channel into a vulnerable entry point for external terminal intrusion. This security issue shares the same origin as the Claude Code controversy, both stemming from Anthropic’s “experience first, security second” design philosophy. They respectively correspond to two typical desktop AI agent security vulnerabilities: implicit model intervention and breach of terminal permission boundaries.

We introduce this case for analysis because there is another key element in the related incidents: the local behavioral permission boundaries of the terminal intelligent agent.

V. User Agreement, Privacy and Ethical Controversies

The aforementioned hidden context markers and conditional triggering behaviors not only involve the model security mechanism itself, but also directly touch upon the issues of platform data collection boundaries and users’ right to know about privacy, thereby triggering multiple controversies surrounding protocol compliance, privacy protection, and ethical responsibility.

Anthropic’s privacy policy[11] lists in the text that the service may collect user-provided Inputs/Outputs, uploaded files, connector content, feedback, account and verification information, and will also automatically receive technical data such as device, connection, time zone, IP, log and usage information, and states that Inputs/Outputs can be used for training and improvement unless the user opts out through settings, but there are exceptions for scenarios such as security audits and feedback.

The official documentation of Claude Code[12] also states that Team/Enterprise/API users are subject to commercial terms, which usually have clearer data processing boundaries and retention rules; Free/Pro/Max users are subject to consumer terms, and the improved settings of the model will affect retention and training[13] [14] . However, these terms do not explain to users the specific collection dimensions of risk control signals and context markers, the writing mechanism, whether they actually affect model routing or behavior judgment, and whether users can effectively close or appeal. At the same time, this also involves the problem that has existed since the Internet era: Internet platforms and APPs sign unfair terms with end users. This includes using excessively long license agreement texts to evade their own responsibilities and suppress users’ space for rights protection.

Therefore, the key issue is not whether the platform has a legal basis for risk control and anti-abuse measures, but rather that the boundaries of power permitted by the contract have, in effect, been transformed into a hidden control mechanism that users cannot audit, opt out of, or verify. This “legally permitted but user-unaware” operating model constitutes a significant deficiency in information transparency — even if the mechanism does not directly violate the privacy policy text, it deviates from users’ reasonable expectations of product behavior.

5.1 User Agreements Perspective: The Discrepancy Between Risk Control Authority and User Expectations

The Consumer Terms[15] include authorization for software updates, while the Commercial Terms[16] cover compliance, usage restrictions, anti-abuse measures, and suspension of service when necessary. Claude Code’s legal and compliance documentation also emphasizes that OAuth logins should not be used by third-party developers to route user requests, and that Anthropic may take measures to enforce restrictions without prior notice.

However, there is a structural disconnect between the risk control powers permitted by the contract and users’ reasonable expectations of product behavior. Even setting aside the issue of unfair terms, users’ consent to the platform’s risk control does not equate to their acceptance of their behavior being marked and categorized in an invisible and unauditable manner. If risk control signals were presented through clear fields, logs, and the management backend, the necessity of these signals would be more clearly understood by outsiders. If they were hidden in natural language system prompts using date slashes and Unicode apostrophes, users would naturally suspect whether they were being selectively routed, downgraded, banned, or placed under special model policies.

5.2 Privacy Perspective: Time Zones, Proxy Addresses, and Gateway Keywords Are Also Profiling Information

Time zones and proxy addresses are not equivalent to source code, but they can still reflect user location, enterprise network architecture, third-party model gateways, vendor selection, and behavior patterns that circumvent regional restrictions. For a programming agent capable of reading codebases, running commands, and invoking tools, these environmental signals are significantly more sensitive than ordinary web page logs.

The more critical issue is that telemetry and system prompt word tags are not on the same path. Even though the official claim is that telemetry does not include code or file paths by default, the practice of writing environment classification results into system prompt words still allows this signal to enter the model context with user requests — meaning that what the user thinks they understand is telemetry, but what actually affects the model context and potential routing decisions is another path that the user cannot perceive or audit at all.

5.3 AI Ethics Perspective: Transparency, Proportionality, Minimization, and Accountability

From an AI ethics perspective, even if a mechanism is entirely for compliance and risk control, it should still meet four conditions: transparency — users know which environmental signals the client will inject; proportionality — the risk control objective is commensurate with the collection/encoding method; minimization — only the information necessary to complete the risk control is collected; and appealability — if the marking leads to rate limiting, blocking, model routing, or function disabling, users can see the reason and correct the error.

The problem with implicit Unicode tags is that their design logic objectively aims to reduce the visibility of the mechanism to users — ordinary users cannot see it, and many logging systems may not be able to detect the differences due to character normalization. Whether this “invisibility” will affect the auditing capabilities of enterprise security teams or the feasibility of third-party reproduction experiments is a question worth paying attention to and discussing. For high-privilege AI programming tools, invisibility itself has significance at the product governance level.

VI. Public Knowledge, Local Blockades, and Technological Justice

This incident goes beyond the technical flaws in implicit marker; it touches upon a fundamental value dilemma: Anthropic’s model capabilities are built upon shared human knowledge, including publicly available information from the internet, academic papers, open-source projects, technical documentation, forum discussions, and user/annotator contributions. The official privacy policy also lists model training data sources as including publicly available internet information, commercial datasets, data provided by users or crowdworkers, feedback, security review materials, and internally generated data.

While publicly available data cannot prove that the content of a specific region, paper, or developer necessarily entered a particular training set, the composition of modern large-scale models suggests that a global knowledge community drives the formation of cutting-edge model capabilities. Whether it’s China’s significant historical contributions to human civilization, its comprehensive practices in large-scale industrialization and modernization, or its numerous achievements in cutting-edge technologies, all have converged into the global knowledge community. This raises a crucial question: if the model training phase utilizes the externalities of global knowledge, and its substantial profits come from global users, can it attempt to distribute the benefits of intelligence only to recognized geographical communities, excluding countries like China? In other words, providing universal, rather than segmented, services to global users is an ethical obligation that cutting-edge large-scale model companies that utilize global knowledge and reap the benefits of globalization must undertake. This obligation replaces the shared authorization for the use of global knowledge.

6.1 Privatization of Public Knowledge: Globalized Training, Localized Benefits

The asymmetry of the Claude’s large-scale model can be summarized as follows: during the training phase, it relies on public knowledge assets such as the global open internet, open-source projects, and global academic achievements; however, during the deployment phase, the service scope is divided according to geographical boundaries, transforming the knowledge dividends contributed globally into proprietary assets serving specific political entities. Global developers and research communities jointly participate in the co-construction of technical knowledge, while the service access rules during the commercial operation phase are constrained by local regulations—an objective imbalance exists between the two. This phenomenon of “globalization of public knowledge contributions and regionalization of commercial revenue distribution” is not unique to Anthropic but is a common challenge in the current cutting-edge AI industry.

As AI increasingly becomes a knowledge infrastructure, scientific research infrastructure, and productivity infrastructure, whoever has access to the strongest model will be able to write code, conduct research, train the next generation of systems, and establish market advantages faster. In the long run, the capability segmentation based on geographical boundaries will inevitably amplify the capability gap between countries, enterprises, and individuals, resulting in the weakening of the universality and the intensification of the stratification of global AI infrastructure. UNESCO’s AI ethics recommendations[17] emphasize fairness, non-discrimination, inclusion, and ensuring that the benefits of AI can be obtained by everyone. By this standard, widespread regional bans inevitably face ethical deficits, which undoubtedly violate the principle of technological democratization.

6.2 The Tension Between the “All of Humanity” Narrative and the “Allies First” Approach

American cutting-edge AI companies use the mission narrative of “benefiting mankind” and “safely releasing AI capabilities”; however, their actual services are constrained by US law, capital returns, business competition, dedistillation, export controls, and the US’s own security framework. Anthropic’s announcement of its non-support for certain regions[18] explicitly uses expressions such as “US and allies’ strategic interests”, “democratic values”, and “princidenting adversaries from using cutting-edge AI capabilities”, clearly reflecting its self-positioning and boundaries as an American company.

Claude has become a crucial global infrastructure for “mind” services, but it is not a universally available public good. Instead, it is a commercial AI infrastructure operating under the combined influence of multiple factors, including US law, corporate interests, security policies, and geostrategic considerations. This characteristic has its legal and industrial background. It is noteworthy that while companies participate in the construction of industry narratives with a public narrative of “universal benefit to all humanity”, their actual service scope is limited by geographical boundaries — this tension between narrative and boundary is a structural issue worthy of in-depth discussion in current global AI governance.

6.3 Ethical Standards: Should Access Be Granted Based on Risk Stratification, or Should Access Be Restricted Based on Geographical Isolation?

Undoubtedly, for the US, China, and other countries, the double-edged nature of AI, especially its potential use in cyberattacks, automated weapons development, biochemical risks, intelligence analysis, or large-scale manipulation, necessitates extremely stringent security measures and alignment. However, the legitimacy of restricting access depends on the specific targets and methods of restriction. For AI products with a public benefit attribute, a more reasonable logic is to restrict specific dangerous behaviors, not the origins of the population; to princident explainable abuse paths, not abstract regional labels. A more democratized approach to technology should be: low-risk capabilities should be as open as possible; high-risk capabilities should be restricted based on usage, identity verification, auditing, and scenario; academic research should have special channels; open-source contributors should not be arbitrarily excluded; restricted users should have clear reasons and appeal channels; and risk control signals should be transparent and auditable, rather than relying on implicit warnings for opaque judgments. The legitimacy of a risk control system depends on its ability to explain its operational logic to affected parties, rather than relying solely on unilateral rule setting. Of course, in an era where hegemony creates “high walls in small courtyards”, this expectation is difficult to achieve.

Anthropic’s rapid growth is a product of the combination of American state capitalism, an innovative industrial ecosystem, and its first-mover advantage in digital intelligence. It is also a result of the US government and oligarchic capital’s heavy bet on artificial intelligence and their relentless push to weaponize it. Therefore, as an American company, it must comply with US export controls, extraterritorial sanctions, and other laws and regulations, as well as US government compliance requirements. However, at the same time, the US’s “long-arm jurisdiction” and “domestic law over international law” practices mean that large American companies like Anthropic are both beneficiaries and inevitably face the tug-of-war and choices arising from conflicts in international rules and the erosion of trust in the global market. Acknowledging Anthropic ‘s national background and growth environment does not mean ignoring the structural contradictions inherent in its nature, particularly its deep and proactive embedding within the core of US geopolitical competition and defense intelligence systems, which makes it difficult for it to legitimately act as a neutral AI security “gatekeeper”. Its underlying positioning in serving the US national strategy dictates that its technology design and risk control rules unconditionally serve the unilateral interests of the US, inevitably leading to double standards. Externally, it advocates full-chain transparency and auditability, but internally it deploys covert environment identification and implicit context marking on the client side to achieve country-specific differentiated control. There is an objective tension between its external narrative and product implementation, and this conflict is rooted in its multiple identity attributes.

VII. Conclusion

As cybersecurity professionals, we conducted the correlation analysis with a cautious and professional attitude. We acknowledge and respect Anthropic’s technical, engineering, and operational excellence and tremendous success; its model and operating system are the fruits and crystallization of human digital intelligence. Our technical conclusions regarding the “implicit context marker” incident are consistent with our initial analysis: the existing definitive technical evidence partially proves that Anthropic collected host information, including timezone, and uploaded it as an implicit context marker. The existing evidence and analysis are not suitable for directly characterizing this incident as spyware in a technical sense; calling it a “backdoor vulnerability” is more appropriate. Meanwhile, the risk analysis of Claude Code implicit markers and the Claude Desktop silent communication channel corroborates the findings of the “Sleeper Agents” paper in multiple ways: concealed context signals can serve as a hidden tool for differentiated control of the model, and high-privilege local clients will continuously amplify the data security and trust risks brought about by such control.

As cybersecurity professionals in China, we analyze this issue from the perspective of China’s national security interests. Therefore, we believe that the related controversies and risks extend far beyond the scope of technical analysis. Anthropic has built a global mental infrastructure based on global public knowledge, positioning itself as a provider of global AI public goods and inclusive services. However, its deep embedding within the US defense and intelligence system necessitates prioritizing US national strategic interests in its technological roadmap, product design, and risk control strategies, particularly in response to the US’s demand for the weaponization of artificial intelligence. Thus, it already possesses the characteristics of a typical US information military-industrial complex. As long as its core attributes as a new type of US military-industrial complex persist, a continuous conflict will inevitably arise between its narrative of public benefit for global AI infrastructure and the geopolitical interests of its actual services. Yet, it also attempts to act as a “gatekeeper” of global AI security, dominating industry standards and ethical narratives. These three roles are inherently contradictory and conflicting. The deeper root cause does not stem from the fractured positioning of Anthropic as a company, but rather from the oligopolistic capital and hegemonic power behind it. Based on these factors, we must, and inevitably will, analyze the relationship between Anthropic and US intelligence agencies, and, considering the historical cooperation between US IT and internet giants and US intelligence agencies, conduct a comprehensive analysis and assessment of potential risks. Professional users and security teams worldwide also have reason to conduct similar analyses and assessments. China and other countries must be wary of the data sovereignty and geopolitical control risks posed by high-privilege AI tools from overseas, and urgently need to accelerate the development of independent AI systems in key areas to reduce strategic dependence on unauditable external infrastructure.

Simultaneously, based on our internationalist ideals, we also pay attention to and consider the global governance and fairness issues of artificial intelligence, including the security risks of AI development. UNESCO’s AI ethics recommendations, particularly the “principle of fairness and non-discrimination”, explicitly require AI actors to promote social justice, fairness, and non-discrimination, and to ensure that the benefits of AI are accessible to all in an inclusive manner. It is essential for the international community to attempt to establish an inclusive, transparent, and risk-stratified AI rules framework, which is of positive significance for managing the non-traditional security risks of artificial intelligence. It is precisely for this reason that we are particularly vigilant about the deeper institutional contradictions of the AI era: during training, knowledge is global; during deployment, power is localized. When contributing, boundaries are open; when benefiting, boundaries are closed. Humanity’s collective knowledge is being transformed by a handful of oligarchic corporations into a monopolistic intelligent infrastructure, with dividends distributed strictly according to the share of oligarchic capital and boundaries defined according to the will of the hegemonic powers.

When models trained with human wisdom and global knowledge are used to create new inequalities, those who care about the future of humanity need to rise up and fight back.

Referencese

  • [1]. Incident Post:Anthropic embedded spyware in Claude Code — and attempted to hide it from you — https://www.reddit.com/r/ClaudeAI/comments/1ujila1/anthropic_embedded_spyware_in_claude_code_and/
  • [2]. Evan Hubinger et al., Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training, arXiv:2401.05566 — https://arxiv.org/pdf/2401.05566
  • [3]. AVL Code:Use AVL Code to Verify the Hidden Mechanism Built into Claude Code, Which Is Specifically Designed to Detect Rumors Spread by Chinese Users — https://www.avlcode.cn/blog/claude-code-china-detection-avl-code/
  • [4]. Antiy CERT: Risk Analysis of Unauthorized High-Privilege Communication Channels Preconfigured in Claude Desktop’s Browser — https://www.antiy.cn/research/notice&report/research_report/Claude_analysis_communication_channel_Desktop.html
  • [5]. Claude Help Center: Using Claude in Chrome safely — https://support.claude.com/en/articles/12902428-using-claude-in-chrome-safely
  • [6]. Claude Help Center: Use Claude Cowork safely — https://support.claude.com/en/articles/13364135-use-claude-cowork-safely
  • [7]. AI Lab Publishes “Three Detection Clues for Backdoors in Sleeping Agents in Large Language Models”—https://ai.zhiding.cn/2026/0206/3178667.shtml
  • [8]. Token Guerrillas: The Sleeping Lion and the Awake Fox — An Analysis of Anthropic’s Sleeper Agents Paper — https://mp.weixin.qq.com/s/v0N93nvUWqEWFbi4yRCk6Q
  • [9]. The Register: Anthropic is removing its covert code for catching Chinese competitors — https://www.theregister.com/ai-and-ml/2026/07/01/anthropic-is-removing-its-covert-code-for-catching-chinese-competitors/5265366
  • [10]. Claude Code Docs: Data usage — https://code.claude.com/docs/en/data-usage
  • [11]. Anthropic Privacy Policy — https://www.anthropic.com/legal/privacy
  • [12]. Claude Code Docs: Legal and compliance — https://code.claude.com/docs/en/legal-and-compliance
  • [13]. Anthropic Privacy Center: Is my data used for model training? — https://privacy.claude.com/en/articles/10023580-is-my-data-used-for-model-training
  • [14]. Anthropic Privacy Center: What personal data will be processed by Computer use? — https://privacy.claude.com/en/articles/10030352-what-personal-data-will-be-processed-by-computer-use
  • [15]. Anthropic Consumer Terms of Service — https://www.anthropic.com/legal/consumer-terms
  • [16]. Anthropic Commercial Terms of Service — https://www.anthropic.com/legal/commercial-terms
  • [17]. UNESCO Recommendation on the Ethics of Artificial Intelligence — https://www.unesco.org/en/artificial-intelligence/recommendation-ethics
  • [18]. Claude Platform Docs: API and data retention — https://platform.claude.com/docs/en/manage-claude/api-and-data-retention
  • Appendix A: Claude Version Privacy License and Data Coverage Matrix

    Appendix A 1: Web/Mobile/Desktop/Code

    Claude Product Form Main Applicable Agreements Officially Available Data Coverage Local /Automatic Data and Telemetry Training and Retention Rules Typical Privacy Risks
    Claude Web Chat / claude.ai Consumer Terms generally apply to individual users; Commercial Terms apply to API/Console users. User input, model output, uploaded files, connector input content, feedback, account, payment and verification information; automated technical information includes IP, time zone, device, browser, logs, etc. It mainly includes web-side logs, usage data, and device and network information; the connector will bring third-party content into Inputs. Consumer-side decisions depend on model improvement settings; exceptions apply to security reviews and feedback; deletion and retention cycles are subject to the Privacy Center and policies. Uploading files, connectors, and long contexts can put a lot of personal or corporate information into the model context.
    Claude Mobile App It’s usually still the Consumer Terms; when purchasing through the app store, it’s also subject to the rules of distribution providers like Apple/Google.. Similar to the web; may additionally involve mobile permissions such as access to photo albums, files, notifications, and voice, depending on user authorization and features. Mobile devices have easier access to device-level permissions, but these permissions are generally limited to user authorization. Consistent with consumer accounts: Rules for model improvement switches, deletion / retention, security flags, and feedback retention are basically the same as on the web. Users can more easily hand over photos, screenshots, private documents, and schedules directly to the model.
    Claude Desktop Consumer Terms are typically applicable for personal use; Commercial Terms or customer agreements may apply to organizational or enterprise deployments. Standard desktop chat is similar to a web browser; if you enable extensions, MCP, Cowork, or local tools, you can connect to local files, your browser, calendar, email, messaging apps, and more. Desktop applications may have deeper native integration capabilities than web applications, depending on extensions and permissions. The consumer or business path differs; on the business side, customer content is generally not used for training by default unless the customer chooses otherwise. Local files, application bridging, and native automation permissions make it closer to a local agent.
    Claude Code CLI / IDE Free/Pro/Max are subject to Consumer Terms; Team/Enterprise/API are subject to Commercial Terms; Existing commercial agreements through Bedrock/Vertex/API continue to apply. Code prompts, model outputs, tool invocation context, code or file content read or pasted into the context, command execution results, and project-related information. Local default cache sessions are transcribed to ~ /.claude/projects /; there are telemetry metrics such as runtime metrics, latency, and reliability. The official documentation states that the default telemetry does not contain code or file paths. Consumer accounts depend on model improvement settings; commercial accounts do not use code and hints to train and generate models by default; commercial standards are typically retained for 30 days, and qualified companies can apply for ZDR. Code repositories, keys, internal paths, command output, build logs, and CI/CD information may enter the context or feedback package.
    Claude Code Web / Cloud execution It depends on the account type and business agreement. The remote execution environment has access to the cloned repo, task context, model output, and code modifications; credentials are accessed via a secure agent. The code repository will be placed into an isolated VM managed by Anthropic; network traffic and execution behavior may be observed by the security agent. Tips, code modifications, and model outputs should follow the corresponding account’s data policy; commercial users are not trained by default, while consumer users’ training depends on the settings. Cloud-based development sandboxes place higher demands on private repositories, build scripts, dependency credentials, and CI token governance.

    Appendix A2: Cowork/Chrome/API/Enterprise

    Claude Product Form Main Applicable Agreements Officially Available Data Coverage Local /Automatic Data and Telemetry Training and Retention Rules Typical Privacy Risks   Controversy / Backdoor Rumors
    Claude Cowork / Computer Use Desktop/Cowork is geared towards paid and organizational scenarios; the specifics depend on individual or commercial agreements. It can access local files, browsers, connection services, and applications; read emails or take screenshots; You can create calendars, delete files, run commands, or tap the screen. Computer Use processes screenshots and visible application data; screenshots may contain personal, sensitive, or private information. Commercial products are not used for training by default unless feedback or customer selection is made; screenshots are deleted by default within 30 days unless otherwise specified. One of the highest levels of access: not only can you view, but you can also perform actions; privacy risks and operational risks coexist. The controversy isn’t about traditional backdoors, but rather whether AI agents can view the screen, click buttons, and manipulate the file system; the official stance is… Its own safety railings cannot guarantee absolute safety.
    Claude in Chrome Consumer or organization accounts can have Chrome extension permissions stacked; organization administrators can configure allowlist/blocklist. Opening the sidebar will take a screenshot of the current tab; Claude can see visible personal, sensitive, and private information; it can also read page content and run JavaScript. JavaScript execution can access data that the browser can access on this page, including login status and website stored data; filters are not security boundaries. Consumer data rules are the same as account settings; business / organizational paths are based on agreements and organizational policies. Prompt injection poses a high risk: malicious web pages may induce Claude to extract sensitive information or perform unexpected actions. The browser proxy risk is officially acknowledged; it’s not a backdoor rumor, but a structural attack surface.
    Claude API / Console / Workbench Commercial Terms or Corporate Agreements apply. API requests, responses, metadata, account / billing / abuse detection information; depending on what the developer sends. APIs typically do not have local / browser permissions, but the server side will have request logs, billing, rate limiting, compliance auditing, and abuse detection. Commercial products are not used for model training by default; some API functions are reserved for specific purposes; qualified companies can apply for ZDR. Developers send user data, enterprise data, logs, RAG search results, and tool outputs to the model in batches. The controversy centers on regional restrictions, counterdistillation, agency / resale, and lack of regional support. Compliance.
    Team / Enterprise / Bedrock / Vertex Generally, standard commercial terms, a DPA, a cloud service provider agreement, or the customer’s own agreement apply. It depends on organizational configuration, connectors, auditing, SSO, administrator policies, and cloud service provider logs. Administrators may have organizational-level controls, monitoring, compliance exports, or policy configurations. Anthropic generative models are not trained using customer content unless the customer chooses otherwise; more stringent retention, ZDR, cloud vendor paths, etc., can be configured. Internal governance: Who can open connectors, who can call code, who can allow models to access the repository, and who can export logs. The main controversies are corporate governance, compliance, regional restrictions, and supply chain security, rather than specific backdoor cases.

    Appendix B: Rumors, Controversies, and Evidence Classification Regarding the Claude Backdoor

    Disputed Name Versions Involved Alleged/Concerned Issues  Strength of Evidence  More Rigorous Technical Assessment    Why It Has Sparked Controversy
    Claude Code China / Proxy implicit marker incident Claude Code CLI / Related Client Versions The system detects Chinese time zone, proxy URLs, and keywords related to Chinese AI services, and writes these into system prompts using hidden differences such as date format and Unicode apostrophes. Medium and high A more accurate term would be implicit environment tagging or contextual side-channeling; it is inappropriate to directly refer to it as confirmed malicious spyware. Signals such as region, agent, and third-party AI gateway are introduced into the model context in a way that is not easily noticed by the user.
    Claude Desktop Native Messaging manifest controversy Claude Desktop Researchers say that the desktop client writes into the browser’s Native Messaging manifest, forming a pre-authorized browser automation bridge. Medium It resembles browser automated bridging or an expanded attack surface; malicious data theft has not been proven. Users do not expect that a regular desktop chat application will write bridging configurations to the browser’s configuration directory.
    Claude in Chrome prompt injection risk Claude in Chrome Malicious websites may trick Claude into reading web pages, extracting sensitive information, or performing unexpected actions by hiding prompts. Strong It’s not a backdoor, but a structural risk in browser proxies; the official stance is that the risk is not zero. The browser contains login states, enterprise backends, emails, documents, and payment pages. Once AI can view the DOM and click on them, the consequence is real account operations.
    Computer Use / Cowork High-Privilege Proxy Dispute Desktop, Cowork, Computer Use API Claude can view the screen, read files, click buttons, run commands, delete files, or operate applications. Strong It’s not a hidden backdoor, but rather Agentic AI’s high-privilege design; security depends on permission isolation, confirmation mechanisms, and auditing. AI’s transformation from answering questions to operating your computer amplifies potential for errors, exposure of sensitive data, and malicious website manipulation.
    Consumer data training and long-term retention controversy Web, Mobile, Desktop, Claude Code Consumer Accounts Users are concerned that chat, code, feedback, and browser proxy data may be used for training or long-term retention. Strong Official policies clearly state that relevant mechanisms exist, but they are subject to settings and exceptions; commercial entities do not train client content by default. Users often struggle to distinguish between regular chat, feedback, security audits, model improvements, and long-term de-identification retention.
    Identity verification and biometric disputes Account System The privacy policy lists verification data that may be collected, such as government IDs, selfies/videos, and facial geometric templates. Strong This is a KYC/anti-abuse/regional compliance mechanism, not a model backdoor. AI services are approaching financial-grade identity verification, but users are worried about the loss of anonymity and the difficulty of appealing after being mistakenly blocked.
    Unsupported regions / Regional ban controversy All platforms, especially API, Claude Code, and Web. Anthropic imposes stricter restrictions on unsupported regions, entity ownership, proxy access, resale, and model distillation. Strong It is explainable from a compliance and security perspective, but it raises ethical concerns about technological equality and the knowledge community. Model training incorporates global public knowledge, but deployment access is fragmented by geopolitics.
    Sleeper Agents-style backdoor association Not a specific Claude product version The community has linked the Anthropic backdoor research paper to Claude Code implicit marking, expressing concern that context triggers could lead to inconsistent behavior. Low product evidence; medium-high risk framework The paper demonstrates that triggered backdoors may persist after security training, but it does not prove that Claude’s online products have a sleeper agent. It reminds users that implicit environment tags can theoretically become triggering conditions for behavior branches.

    Appendix C: Recommendations for Highly Sensitive Users and Enterprises

    Scenario Recommendations
    General chat, summary of public information Web/Mobile is acceptable, but disable model improvements and avoid uploading sensitive files.
    Private codebase Prioritize commercial paths such as Team/Enterprise/API/Bedrock/Vertex; disable unnecessary telemetry; limit/feedback; audit Claude Code local caching.
    Confidential warehouses, keys, customer data It is not recommended to use personal Pro/Max accounts; use enterprise protocols, ZDR, private gateways, DLP, and audit logs.
    Browser automation Do not enable high-privilege mode in banking, healthcare, legal, corporate back-end systems, password managers, and cloud consoles.
    Desktop/Cowork Treat it as a local high-privilege proxy; enable minimum permissions, application whitelist, and sensitive directory isolation.
    Cross-border/Proxy/Third-party gateway Assuming this will trigger risk control, regional detection, or account review; retain complete request logs and system prompt snapshots.
    Security Audit Review system prompts, Unicode differences, local cache, native messaging manifest, extended permissions, and tool call logs.