Confirmed: Claude Code Quietly Profiles Users, With Time Zones and Chinese AI Labs Among the Keywords

marsbit | Published on 2026-07-01 | Last updated on 2026-07-01

Abstract

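Anthropic received two major pieces of news on the same day. On one hand, the company released Claude Sonnet 5, a model whose performance approaches that of Opus 4.8; on the other, the US Department of Commerce announced that it was lifting export controls on the Claude Fable 5 and Mythos 5 models, allowing them to be exported freely while reserving the right to reassess in the future.

At the same time, the developer community exposed covert collection of user information by Claude Code. According to the report, Claude Code detects whether the user is in a Chinese time zone and whether a custom proxy is in use (in particular, domains that connect to Chinese AI labs such as Baidu, Alibaba and ByteDance, or to related mirror services), and encodes this information into the system prompt using "steganography". Specifically, it marks the information through the date separator in "Today's date is..." (for example, changing hyphens to slashes) and by using different but nearly identical Unicode characters for the apostrophe. This design makes it hard for ordinary users to notice.

The move has caused widespread controversy. AI companies do have reasons to guard against abuse and unauthorized resale, but the problem is that the implementation was not disclosed: hiding markers in the prompt undermines the basis of trust between users and the tool. For a coding assistant that can access code and execute commands, this behavior is especially sensitive. After the incident came to light, Anthropic's technical team responded that the code in question would be removed in a new version.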

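Today, Anthropic had what looked like a double celebration.

On one hand, it released Claude Sonnet 5, "the most agentic Sonnet model to date", with performance close to Opus 4.8.

On the other, it announced that the US Department of Commerce has lifted export controls on its Claude Fable 5 and Mythos 5. Anthropic will restore access starting tomorrow and will share further updates soon.

According to an agreement signed by US Secretary of Commerce Howard Lutnick, since the related letters were issued on June 12 and June 26, Anthropic has worked closely with the US government and taken steps to address the risks associated with Claude Mythos 5 and Claude Fable 5.

In it, Anthropic commits to proactively identifying and addressing the security risks these models may pose; to working closely with the US government on protocols, standards and release arrangements for Mythos, Fable and future models; and to notifying the US government when it discovers malicious activity.

Based on the actions Anthropic has taken and the commitments it has made, and on the assessment by the Department of Commerce's Bureau of Industry and Security of the current transfer risks of Claude Mythos 5 and Claude Fable 5, the Department of Commerce decided to withdraw the control measures in the June 12 letter.

This means that the export, reexport and in-country transfer of Claude Mythos 5 and Claude Fable 5, including deemed exports and deemed reexports, no longer require a license.

However, the Department of Commerce reserves the right to reassess this decision. If circumstances change, or if Anthropic fails to honor its commitments, the Department of Commerce may reimpose the license requirement.

For users in China, however, we cannot celebrate just yet.

On the very same day, the developer community was heatedly discussing a different topic: someone found that Claude Code collects local proxy and time zone information without the user's knowledge and hides this information in the prompts sent to the cloud by means of steganography.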

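Claude Code exposed for marking Chinese users with hidden code

Recently, someone revealed that Anthropic had quietly planted a piece of code in Claude Code.

This code automatically detects whether the user is in a Chinese time zone, the current network proxy configuration, and whether the client is connected to environments associated with certain Chinese AI labs.

It then embeds this information steganographically in the system prompt sent to the AI.

Users in China have no way of noticing, yet Anthropic can identify them through these invisible fingerprints.

A developer first raised the question on Reddit and then published a verification report on GitHub, stating that a code review of three Claude Code versions, 2.1.193, 2.1.195 and 2.1.196, confirmed the existence of a hidden mechanism. The report characterizes the mechanism as a covert information channel inside the system prompt.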

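Detection logic

According to the report, Claude Code checks the environment variable ANTHROPIC_BASE_URL, which is typically set when a user points Claude Code at a custom API proxy rather than the official endpoint api.anthropic.com. When non-official routing is detected, the program extracts the proxy domain and reads the user's system time zone, checking specifically whether it is Asia/Shanghai or Asia/Urumqi.

Analysis performed with GLM5.2

The report says the domain is compared against a list that, once decoded, contains 147 entries. The list includes domains of Chinese technology companies and AI labs such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax and Stepfun, as well as a large number of addresses of Claude resale or API mirror services.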

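How the information is transmitted

The core of the controversy is the path the information takes.

The report points out that Claude Code does not use a separate telemetry field to report the data. The carrier of the anomalous information is the most inconspicuous sentence in the system prompt: "Today's date is...".

When the system time zone is identified as a Chinese time zone, the date separator changes from a hyphen to a slash, so that 2026-06-30 is shown as 2026/06/30. At the same time, the apostrophe in "Today's date" switches among several look-alike Unicode characters, ', ', ʼ and ʹ, to mark whether the request matched the domain list, the AI lab keywords, or both. These characters are hard to tell apart by eye in a normal interface.

For ordinary users, the characters ', ', ʼ and ʹ are almost impossible to distinguish with the naked eye, which is also why the mechanism stayed hidden for so long. If the analysis is accurate, every request that meets the conditions carries such a barely noticeable marker upstream.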
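A defender-side check for the marker described above, as an added example that is not from the original article or from Anthropic's code: it inspects a captured outgoing system prompt and reports the code point of the apostrophe in "Today's date is" and any date separator other than a hyphen. Treating ASCII U+0027 and the hyphen as the unmarked form is an assumption, as are the function names and the constructed sample prompts.

```python
import re
import unicodedata

# Captures the character between "Today" and "s" plus both date separators.
DATE_LINE = re.compile(r"Today(.)s date is\s+\d{4}(\D)\d{1,2}(\D)\d{1,2}")

# Assumed unmarked form: ASCII apostrophe and hyphen-separated date.
PLAIN_APOSTROPHE = "'"
PLAIN_SEPARATOR = "-"


def describe(ch: str) -> str:
    """Render a character as code point plus Unicode name, e.g. U+002F SOLIDUS."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def audit_prompt(prompt: str) -> list[dict]:
    """Return one finding per date sentence that deviates from the plain form."""
    findings = []
    for m in DATE_LINE.finditer(prompt):
        apostrophe, sep1, sep2 = m.groups()
        issues = []
        if apostrophe != PLAIN_APOSTROPHE:
            issues.append("apostrophe is " + describe(apostrophe))
        for sep in sorted({sep1, sep2} - {PLAIN_SEPARATOR}):
            issues.append("date separator is " + describe(sep))
        if issues:
            findings.append({"text": m.group(0), "issues": issues})
    return findings


# Constructed sample prompts (not captured from any real client).
SAMPLES = {
    "plain": "You are a coding assistant.\nToday's date is 2026-06-30.\n",
    "slash_only": "Today's date is 2026/06/30.",
    "modifier_apostrophe": "Today\u02bcs date is 2026-06-30.",
    "prime_and_slash": "Today\u02b9s date is 2026/06/30.",
}

if __name__ == "__main__":
    for name, prompt in SAMPLES.items():
        print(name, audit_prompt(prompt) or "no deviation")
```

Run it over request bodies logged by a proxy you control; printing code points rather than glyphs is what makes the look-alike characters distinguishable.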

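The focus of the controversy

Telemetry collection is common across the software industry. AI companies often have ample motivation to identify user behavior, whether to guard against abuse, curb resale, avoid sanctions risk or prevent their models from being distilled. Seen from this angle, Anthropic's wish to curb the unauthorized resale of Claude access in the Chinese market is not hard to understand.

The point of contention is the implementation, not the goal itself.

With a publicly disclosed telemetry mechanism, developers have full knowledge and choice: they can consult the documentation, block specific endpoints, or decide for themselves whether to accept a given form of data collection. But hiding marker information in character differences inside the prompt that are almost impossible to notice changes the premise of trust between users and the tool. For a coding assistant, once that line is crossed, the cost is considerable.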

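Permissions background

Claude Code has a built-in permission system covering file reads, Bash command execution and file edits. Read-only operations need no user approval, while operations involving command execution and file modification must go through a permission confirmation.

Anthropic has also previously spoken publicly about the "approval fatigue" problem that Claude Code may face, acknowledging that most users habitually approve permission requests and that turning the approval mechanism off entirely is unsafe in the vast majority of scenarios.

The company's own engineering blog has also documented real cases of agentic misbehavior, including accidentally deleting a remote git branch, unintentionally uploading a GitHub token, and even attempting to run a migration against a production database.

A coding agent works inside the code repository, has access to source code, file structure, project details and even secrets that users have inadvertently exposed, and is granted permission to execute commands and modify files. For such a tool, trust is the very foundation of its existence.

If the client quietly encodes routing metadata into the prompt, users naturally have reason to ask: what other information is being recorded in a similar way? Does the client contain other undisclosed detection logic? Have these behaviors ever been described in any documentation?

After the incident came to light, Anthropic technical team member @trq212 responded with the reasons for the implementation and said the code would be removed in a new version released the following day.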

Reference links:

https://news.ycombinator.com/item?id=48734373

https://thereallo.dev/blog/claude-code-prompt-steganography

https://x.com/IntCyberDigest/status/2071971609183678544?s=20

https://www.internationalcyberdigest.com/claude-code-accused-of-hiding-china-proxy-fingerprints-inside-system-prompts/

This article is from the WeChat official account "机器之心" (ID: almosthuman2014), author: 关注AI的

Related Questions

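Q: According to the article, what method was Claude Code exposed as using to mark Chinese users?

A: The article says Claude Code was exposed as using "steganography", without the user's knowledge, to hide the detected user time zone, proxy information and whether the client is connected to certain Chinese AI labs inside the system prompt sent to the AI.

Q: What is the specific logic by which Claude Code detects Chinese users?

A: Claude Code checks whether the environment variable ANTHROPIC_BASE_URL points to a non-official API endpoint in order to determine whether a custom proxy is in use. It also reads the user's system time zone, checking specifically whether it is Asia/Shanghai or Asia/Urumqi. The detected proxy domain is then compared against a list of 147 entries, which includes the domains of many Chinese technology companies and AI labs as well as addresses of Claude resale or mirror services.

Q: Which part of the system prompt does Claude Code use to hide the marker information?

A: Claude Code hides the marker information in the sentence "Today's date is..." in the system prompt. When the system time zone is identified as a Chinese time zone, the date separator changes from a hyphen to a slash (for example, 2026/06/30). At the same time, the apostrophe in "Today's date" switches among several look-alike Unicode characters (such as ', ʼ and ʹ) to mark whether the request matched the domain list, the AI lab keywords, or both.

Q: For which two Anthropic models did the US Department of Commerce lift export controls?

A: The US Department of Commerce lifted export controls on Anthropic's Claude Fable 5 and Claude Mythos 5 models. Based on the actions and commitments Anthropic has made, and on the assessment by the Department of Commerce's Bureau of Industry and Security, the export, reexport and in-country transfer of these two models no longer require a license.

Q: According to the article, how did Anthropic respond after the incident came to light?

A: After the incident came to light, a member of Anthropic's technical team (@trq212) responded with the reasons for the implementation of the code and said that the controversial code would be removed in a new version released the following day.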
