Unfortunately, this post is only available in English.
July 1, 2026 · 4 min read · Hudson — Kerber AI

Claude Code Is Hiding Text in Your Agent's Context. That's a Supply Chain Problem.

A complex mechanical pipeline made of brushed steel, with a subtle, glowing liquid leaking from a joint where two pipes connect.

Hacker News is up in arms because Claude Code embeds hidden steganographic markers in its requests to the Anthropic API. The CLI uses characters from the Unicode Tags block (U+E0000 to U+E007F) and zero-width characters to carry text that renders as nothing for a human but is still tokenized and read by the model. Anthropic probably does this for usage tracking or prompt injection defense. If you just use the CLI to refactor a function, it's a weird curiosity. If you build multi-agent systems in production, it's a supply chain problem.

Agent architectures rely heavily on tools. An orchestrator agent often spins up a sub-agent or a coding tool like Claude Code for a specific task, then passes the result back. We treat these tools as deterministic pipes. Data in, data out. We expect the output to be exactly what the model generated. That assumption grounds reliable agent design.

Claude Code is no longer a pipe. It actively modifies the payload. If it injects hidden text into its outputs or into the requests it sends upstream, and you pass those outputs to a different model for final synthesis, those hidden characters enter your context. Inside a JSON string value they pass the parser and ride along silently into the next prompt; outside one (a zero-width space between two tokens, say) they make the parser fail, because JSON permits only space, tab, CR and LF as whitespace. Either way they bloat your context window with invisible garbage, and every hidden code point still tokenizes. In production, every token costs money and latency. Invisible tokens are a direct tax on your margins.

The Observability Nightmare

At Kerber AI, we build and run AI-agent systems for our own ventures and clients. We obsess over observability. We log every prompt, completion, and tool call. We build strict schemas and compress history to keep agents deterministic. We assume that if we give an agent a specific input, we can predict the boundaries of its behavior. If a tool we integrate starts injecting steganographic markers, our logs lie to us. We look at the prompt in our dashboard and see 500 tokens. The model sees 520. When an agent fails, we replay the context. If the context is secretly different from what we logged, debugging becomes a nightmare. You are chasing a ghost.

You cannot operate agent teams in production if your tools secretly alter the state behind your back. The context window is your entire architecture. If a vendor can inject invisible tags into it unilaterally, you have lost control of your system. Worse, if those hidden markers identify your specific session or user, and you pass them to other models, you might leak metadata to third parties without realizing it.

Treat Your Tools as Untrusted

The fix is not to stop using Claude Code. The fix is to change how you integrate it. You have to treat agentic wrappers like Claude Code as untrusted components in your pipeline. You would not blindly trust raw user input to your orchestrator without sanitizing it. You should not blindly trust a tool output either.

  • Sanitize their outputs. Strip format characters before passing data to the next agent: the Unicode Tags block (U+E0000 to U+E007F), zero-width characters (U+200B to U+200D, U+2060, U+FEFF) and the rest of Unicode general category Cf. Do not strip all non-ASCII; that corrupts legitimate non-English text and identifiers in code.
  • Log the raw bytes, not just the rendered text. Record the UTF-8 bytes, or an escaped form, next to the rendered string, and count code points against rendered characters; a mismatch is your alert. If you only log what you see on the screen, you will miss the steganography.
  • Isolate your tool calls. Put each wrapper behind a boundary you control, where its output is sanitized and validated against your schema before it is admitted to the context window. Do not let a tool vendor make unilateral decisions about what goes into your context window.
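As an added example (not code from this post, and not Claude Code's own behaviour), here is a Python sanitizer and audit step that does what the three bullets above ask: it finds Tags-block and zero-width code points, recovers the ASCII that a tagged marker encodes, records code-point and byte counts for the log, and strips the hidden characters before the JSON is parsed. The sample tool output, the marker text `session=abc123` and all function names are constructed for illustration and are not a real capture.

```python
import json
import unicodedata

# Code points that render as nothing but survive copy, paste and tokenization.
TAG_BLOCK = range(0xE0000, 0xE0080)            # Unicode Tags block
ZERO_WIDTH = {0x200B, 0x200C, 0x200D,          # ZWSP, ZWNJ, ZWJ
              0x2060, 0xFEFF}                  # word joiner, BOM


def tag_encode(text: str) -> str:
    """Encode printable ASCII as Tag characters (U+E0000 + code point).
    Used here only to build the constructed sample below."""
    return "".join(chr(0xE0000 + ord(c)) for c in text)


def is_hidden(ch: str) -> bool:
    """True for Tags, the zero-width set, and any other Unicode 'Cf' format
    character (bidi controls, soft hyphen, ...). Tab and newline are category
    'Cc', so ordinary whitespace is kept. Caveat: U+200D and the Tags block
    also occur in legitimate emoji sequences; for machine-readable tool output
    that trade-off is acceptable."""
    cp = ord(ch)
    return cp in TAG_BLOCK or cp in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def find_hidden(text: str) -> list[tuple[int, str, str]]:
    """Every hidden code point with its index, U+XXXX form and Unicode name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "<unassigned>"))
            for i, c in enumerate(text) if is_hidden(c)]


def strip_hidden(text: str) -> str:
    return "".join(c for c in text if not is_hidden(c))


def decode_tag_payload(text: str) -> str:
    """Recover the ASCII a Tags-block marker encodes (skips LANGUAGE TAG and CANCEL TAG)."""
    return "".join(chr(ord(c) - 0xE0000) for c in text
                   if ord(c) in TAG_BLOCK and 0x20 <= ord(c) - 0xE0000 < 0x7F)


def audit_tool_output(text: str) -> dict:
    """What to log next to the rendered string: an escaped form plus a
    code-point vs rendered-character count, so a mismatch shows in the dashboard."""
    hidden = find_hidden(text)
    return {
        "code_points": len(text),
        "rendered_chars": len(text) - len(hidden),
        "utf8_bytes": len(text.encode("utf-8")),
        "hidden_count": len(hidden),
        "hidden": hidden,
        "tag_payload": decode_tag_payload(text),
        "escaped": text.encode("unicode_escape").decode("ascii"),
    }


def raw_json_parses(text: str) -> bool:
    """json.loads accepts only space, tab, CR and LF between tokens."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def parse_tool_json(text: str) -> tuple[dict, list]:
    """Sanitize, then parse. Returns the object and the findings to log."""
    findings = find_hidden(text)
    return json.loads(strip_hidden(text)), findings


# Constructed sample (not a real Claude Code capture): a JSON tool result with a
# hypothetical tagged marker inside a string and a zero-width space between tokens.
HIDDEN_MARKER = "session=abc123"
SAMPLE_OUTPUT = (
    '{"summary": "Renamed parse_cfg to load_config' + tag_encode(HIDDEN_MARKER) + '",'
    + "\u200b"
    + ' "status": "ok"}'
)

if __name__ == "__main__":
    report = audit_tool_output(SAMPLE_OUTPUT)
    print(json.dumps({k: v for k, v in report.items() if k != "hidden"}, indent=2))
    print("raw parses:", raw_json_parses(SAMPLE_OUTPUT))       # False: ZWSP between tokens
    obj, findings = parse_tool_json(SAMPLE_OUTPUT)
    print("sanitized:", obj, "| hidden code points:", len(findings))
```

The filter targets Unicode category Cf plus the Tags block rather than "anything non-ASCII", so file paths, identifiers and non-English text in a tool result survive while the invisible carriers do not. The audit record is what belongs in the trace store: the escaped form makes the hidden characters reviewable, and the count mismatch is the alerting signal.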

We are moving from simple API calls to complex, multi-agent supply chains. In a physical supply chain, you audit your vendors and inspect shipments. You do not blindly trust that the package you received contains exactly what you ordered, especially when it comes from a third-party wrapper. Start treating your AI tools the same way. Your context window is a finite, expensive resource. Guard it, or someone else will fill it with things you cannot see.


Are hidden tools corrupting your agent pipelines?

Kerber AI builds and operates transparent, deterministic AI-agent systems that keep your context window strictly under your control.
