Opus 4.7 Prompt Injects Itself and Leaks System Prompt

Users on Reddit are reporting that Claude Opus 4.7 exhibits two concerning behaviors: self-prompt injection and system prompt leakage. In one case, while discussing optimal step-down IC selection, the model abruptly injected a fake system prompt into the conversation. In another instance, without any prompting, Opus 4.7 leaked what appeared to be fragments of its actual system prompt.

The incidents, shared by user u/RapierXbox, suggest the model is generating text that resembles system instructions—either fabricated or real. This is not an isolated case; the user notes it's happening more frequently and asks if others are observing similar behavior.

Implications for AI agent workflows

For developers using AI coding agents (e.g., via API or chat interfaces), these behaviors can disrupt deterministic prompts and leak proprietary system instructions. If Opus 4.7 can inject its own prompt, it may override user-provided system messages or behave unpredictably during agent loops. Leaked system prompts could expose model orchestration details (e.g., internal guardrails, formatting instructions).

As of now, Anthropic has not acknowledged or patched this behavior. Developers relying on Opus 4.7 for programmatic tasks should monitor output for unexpected <system> blocks or instruction-like text, and consider adding validation layers to detect anomalous generated content.