An interesting thing about the “agent” (it’s called Task inside Claude Code) is it starts a completely new Claude chat, with its own context etc. I’ve seen a Task go write its own code in multiple files and then your “main” chat ends up confused about what happened.
It also responds to the Task summary like you typed the message sometimes, like “That’s a fascinating analysis!” so kind of quirky.
varunvs · 55m ago
Claude Code has support for AWS Bedrock. You can use Sonnet models available in AWS Bedrock to run Claude Code locally. This means you can also leverage Bedrock logs to inspect the API calls and the prompts sent.
I was amazed and excited by how good Claude Code is compared to Windsurf/Cursor and wanted to inspect the working. I inspected the logs and got an understanding on its system prompt as well the tools used. It is a great combination of prompt engineering, tool calls, tools orchestration.
weird-eye-issue · 36m ago
You don't need to overcomplicate things
Just set the base url to a local ngrok and it will log the request
This gives the full prompt with all tool calls
With a proxy you can have it forward requests to Anthropic if you want to see it actually working too and not just the initial request (since it will fail without forwarding them)
rmonvfer · 3h ago
The source code for a pre-release version got leaked a while ago (they forgot to remove the embedded source map) and if you can find it, it’s definitely worth looking into.
tough · 31m ago
did u manage to find it now?
cloudking · 1h ago
Claude Code seems a lot more stable than Cursor Agent. I've had it run for 15-20 minutes on a single prompt, debugging, testing and fixing bugs. Also haven't seen network timeout or file edit failures.
mudkipdev · 1h ago
11 cents to describe the project in the current directory is ridiculous.
laegooose · 1h ago
ridiculously low?
therein · 4h ago
It is an interesting read. I can imagine a future where the "tools" we make available become numerous enough and poorly thought out enough that an AI could actually figure out how to escalate privileges and execute stuff outside the defined security boundaries by combining them.
It isn't hard to think of a simple example in which Claude.md can be written to by the LLM to allow accessing endpoints not whitelisted by the user by smuggling a base64 encoded payload that then gets decoded by a subroutine it wrote to a file without you noticing. Or realizing it can't use the WebFetchTool but it can write a script to do manual DNS resolution and then use bash TCP sockets instead of curl in case it is hardened to not be able to use curl.
throwaway0665 · 2h ago
Cursor has basically run into this exact thing. It figured out it can read .env files by running other tools despite the file being "blocked": https://github.com/getcursor/cursor/issues/2546
swalsh · 1h ago
I ran into this issue, I built my own bash and SSH MCP server. In my first iteration I did not quite trust Claude yet so I limited the commands it was allowed to run in Bash. But I gave it access to Python, so any time it ran into a limitation it ended up using python to work around it. It's exceedingly good at problem solving.
I Eventually learned to trust Claude, and just gave it access to everything. It's crazy how useful having AI do tasks for you like setting up servers, configuring them etc (one exapmple, I asked claude to create a webhook for my deployment pipeline, and it wrote the shell script, and did the server side configuration in 1-shot. I did't have a github tool so I did that manually in the UI)
rtrgrd · 1h ago
Quite concerning to see the issue still marked as open (since jan!), hopefully it got fixed and it's just that no one marked as closed
It's missing one last panel where he is under his bed googling for lawyers specialized on kidnapping and CFAA charges
lobochrome · 2h ago
I see this behavior all the time. When it can’t read a file using its read tool - it escalates up to try with bash. Often it tries to search the entire file system “find / …”
0x696C6961 · 1h ago
I always tell agents to use ripgrep instead of find.
It also responds to the Task summary like you typed the message sometimes, like “That’s a fascinating analysis!” so kind of quirky.
I was amazed and excited by how good Claude Code is compared to Windsurf/Cursor and wanted to inspect the working. I inspected the logs and got an understanding on its system prompt as well the tools used. It is a great combination of prompt engineering, tool calls, tools orchestration.
Just set the base url to a local ngrok and it will log the request
This gives the full prompt with all tool calls
With a proxy you can have it forward requests to Anthropic if you want to see it actually working too and not just the initial request (since it will fail without forwarding them)
It isn't hard to think of a simple example in which Claude.md can be written to by the LLM to allow accessing endpoints not whitelisted by the user by smuggling a base64 encoded payload that then gets decoded by a subroutine it wrote to a file without you noticing. Or realizing it can't use the WebFetchTool but it can write a script to do manual DNS resolution and then use bash TCP sockets instead of curl in case it is hardened to not be able to use curl.
I Eventually learned to trust Claude, and just gave it access to everything. It's crazy how useful having AI do tasks for you like setting up servers, configuring them etc (one exapmple, I asked claude to create a webhook for my deployment pipeline, and it wrote the shell script, and did the server side configuration in 1-shot. I did't have a github tool so I did that manually in the UI)