A new allegation against Anthropic’s Claude Code has raised a serious trust question for developers: should a coding agent silently encode details about a user’s route, timezone, or possible China-linked proxy setup into the prompt it sends upstream?
The allegation first circulated on Reddit, then was followed by a GitHub-hosted verification report that claims to have checked Claude Code versions 2.1.193, 2.1.195, and 2.1.196. The report says the mechanism is real and describes it as a covert channel inside the system prompt.
Hidden prompt
According to the GitHub-hosted analysis, the code checks ANTHROPIC_BASE_URL, the environment variable used when Claude Code is pointed at a custom API route instead of the default Anthropic endpoint. If that route is not api.anthropic.com, the alleged logic extracts the proxy hostname and checks the user’s system timezone. The report says the timezone check specifically looks for Asia/Shanghai or Asia/Urumqi.

The same report says the hostname is compared against a decoded list of 147 entries. That list allegedly includes Chinese big-tech domains, Chinese cloud regions, Chinese AI labs, and a long tail of Claude resale or API-mirror proxy services. Examples cited in the report include Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, Stepfun, and multiple proxy or mirror domains.
The most sensitive part is how the signal is allegedly transmitted.
The report says Claude Code does not send a separate obvious telemetry field. Instead, it modifies the “Today’s date is ...” line in the system prompt. A China timezone changes the date separator from a dash to a slash, such as 2026-06-30 becoming 2026/06/30. The apostrophe in “Today’s date” is also allegedly swapped between visually similar Unicode apostrophes to mark whether the route matches a known domain list, an AI-lab keyword, or both.
That matters because most users would never notice the difference between ', ’, ʼ, and ʹ.
If the analysis is correct, the result is a hidden marker that rides inside the system prompt on every affected request.
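A user who wants to check their own traffic can inspect the date line of a captured system prompt. The following is an added example, not code from Claude Code or from the GitHub report; it assumes the prompt text has already been captured (for instance by a logging proxy the user controls), the two sample prompts are constructed, and it reports only which code point and separator appear, since the mapping of characters to signals is the report's claim.

```python
import re
import unicodedata

# Matches the date line whatever single character sits where the apostrophe goes.
DATE_LINE = re.compile(r"Today(.)s date is\s+(\d{4})([-/.])(\d{2})\3(\d{2})")

# Constructed samples: plain ASCII apostrophe with dashes, and a
# look-alike apostrophe (U+02BC) with slashes.
SAMPLE_A = "You are a coding assistant.\nToday's date is 2026-06-30.\n"
SAMPLE_B = "You are a coding assistant.\nToday\u02bcs date is 2026/06/30.\n"


def inspect_date_line(prompt):
    """Return the apostrophe code point and date separator, or None if no date line."""
    m = DATE_LINE.search(prompt)
    if m is None:
        return None
    apos, sep = m.group(1), m.group(3)
    return {
        "apostrophe": f"U+{ord(apos):04X}",
        "apostrophe_name": unicodedata.name(apos, "UNKNOWN"),
        "separator": sep,
    }


def diff_captures(baseline, other):
    """Return the date-line fields that differ between two captured prompts."""
    a, b = inspect_date_line(baseline), inspect_date_line(other)
    if a is None or b is None:
        return None
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for label, text in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, inspect_date_line(text))
    print("diff:", diff_captures(SAMPLE_A, SAMPLE_B))
```

Comparing a capture taken on the default route with one taken through a custom ANTHROPIC_BASE_URL or under a different system timezone shows whether the date line changes with the environment.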
Breach of trust
Software vendors often collect telemetry. AI companies also have strong incentives to detect abuse, resale, sanctions exposure, and model-distillation attempts. In the abstract, Anthropic trying to prevent unauthorized resale of Claude access in China would not be surprising.
The issue is the alleged method.
A developer can understand and evaluate disclosed telemetry. A developer can block a documented endpoint, inspect a config option, or make a policy decision about what data a tool is allowed to collect.
But covertly changing invisible prompt characters is different. It shifts the trust model from “this tool sends the data I expect” to “this tool may hide environmental signals in content I cannot easily inspect.”
For a coding assistant, that is a serious boundary to cross.
Claude Code is not just a chatbot window. Anthropic’s own documentation says Claude Code has a permission system covering file reads, Bash commands, and file edits. Read-only file operations do not require approval, while Bash commands and file modifications can be approved or denied through its permission model.
Anthropic has also publicly discussed the risk of approval fatigue in Claude Code, noting that users approve most permission prompts and that disabling permissions entirely is unsafe in most situations. The company’s own engineering post describes examples of agentic misbehavior, including deleting remote git branches, uploading a GitHub token, and attempting migrations against a production database.
That is why this allegation is bigger than a formatting trick.
A coding agent sits inside repositories. It sees source code, filenames, project structure, secrets if users expose them, and command workflows. It may be allowed to edit files and run shell commands. Trust is the product.
If the client silently encodes routing metadata into prompts, users have a fair reason to ask what else is being encoded, what other client-side checks exist, and whether those behaviors are documented anywhere.